Legal

Privacy Policy

We take your privacy seriously. This policy explains how CV Central collects, uses, and protects your information.

Last updated: 7 May 2026

Plain English Summary

  • We collect only what we need to run the platform.
  • We never sell your data or use it for advertising.
  • We do not use your data to train AI models.
  • Resume and candidate data is used solely to power assessments for your organisation.
  • You can export or delete all your data at any time.

CV Central ("we", "us", or "our") is committed to protecting your privacy and complying with applicable Australian and US privacy laws, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains what personal information we collect, how we use and protect it, and the rights you have.

By creating an account or using the CV Central platform, you agree to the practices described in this policy. If you do not agree, please do not use the service.

CV Central is a B2B platform used by employers, recruiters, and HR teams ("Customers") to manage hiring projects and assess job candidates. This policy applies to both Customers and their employees who use the platform.

2.Information We Collect

Account and organisation information

When you create an account we collect your full name, work email address, password (stored as a bcrypt hash — never in plain text), and your organisation's name and billing details. If you invite team members, we collect their email addresses and their role within your organisation.

Job project data

When you create a hiring project you provide a job title, job description, company information, required skills, and other role details. This information is used to configure the AI assessment engine for your specific role.

Resume files

You upload resumes on behalf of your organisation for the purpose of candidate assessment. Resumes are stored securely and processed by our AI engine to extract structured candidate data (name, contact details, skills, work history, education). Resumes are tied to your organisation's account and are not accessible to other organisations.

Assessment and scoring data

We store the outputs of AI assessments — scores across the 7-dimension framework, skill gap analysis, scoring breakdowns, and AI-generated summaries. This data is retained as part of your organisation's hiring history and audit trail.

ATS and CRM integration data

If you connect an ATS (such as Recruiterflow), we receive candidate records returned by your ATS under your authorisation. We store only the data needed to display and assess those candidates within CV Central. We do not independently access your ATS beyond the searches you initiate.

Billing information

Payments are processed by Stripe. We do not see or store your card number. We receive a Stripe customer ID, subscription plan, billing period, and billing email address.

Usage and technical data

We collect standard server logs (IP address, browser type, pages visited, timestamps) and aggregate usage metrics (feature adoption, error rates) to maintain reliability and improve the platform. We do not use third-party advertising trackers.

3.How We Use Your Information

We use your information to:

  • Authenticate your identity and maintain your session securely
  • Run AI-powered resume assessments using the 7-dimension scoring framework (resume text and job description are sent to OpenAI under our API key)
  • Generate PDF assessment reports and CSV exports for your team
  • Send transactional emails — team invitations, MFA one-time passcodes, and system notifications
  • Manage your subscription and enforce plan limits via Stripe
  • Power the candidate research feature (searches are sent to RocketReach and/or SerpAPI on your behalf)
  • Debug errors, monitor performance, and develop new features
  • Comply with applicable legal obligations in Australia and the United States

We do not sell your data, share it with third parties for their own marketing purposes, use it for advertising, or use it to train AI models.

4.Candidate Data

CV Central processes personal information about job candidates on behalf of our Customers. Customers are the data controllers for candidate data — they determine which candidates to assess and for what purpose. CV Central acts as a data processor for this information.

Candidate personal information collected includes: name, email address, phone number, LinkedIn URL, location (city, state, country), and professional information extracted from their resume (employment history, skills, education, certifications).

This data is:

  • Scoped strictly to the organisation that uploaded the resume
  • Not shared with other organisations or used to populate any public database
  • Used solely to generate assessment results for that organisation's hiring project
  • Deleted when the Customer deletes the record or closes their account

Customers are responsible for ensuring they have a lawful basis to collect and process candidate information and that candidates have been informed their resume may be assessed using AI tools. We recommend disclosing AI-assisted screening in your job advertisements or application process.

5.Data Retention

We retain your data for as long as your account is active. Specific retention periods:

  • Account and organisation data — retained while your account is active; deleted within 30 days of account closure upon request
  • Resume files — retained until you delete them from the platform or close your account
  • Assessment results and scoring data — retained until deleted by a team admin or until account closure
  • Billing records — retained for 7 years as required by Australian taxation law (Tax Administration Act 1953)
  • Server logs — retained for up to 90 days for security and debugging purposes

You may request deletion of all your personal data at any time by contacting us (see Section 14). We will comply within 30 days, except where retention is required by law.

6.Third-Party Sub-processors

We use the following third-party services to deliver the platform. All are bound by contractual data protection obligations. Because several are US-based, see Section 10 regarding international transfers.

ServicePurposeData SharedLocation
OpenAIAI-powered resume analysis and candidate scoringResume text, job description, extracted candidate profile dataUnited States
StripeSubscription billing and payment processingName, email, billing address, subscription statusUnited States
RocketReachCandidate research and internet sourcingSearch keywords, job titles, location filtersUnited States
SerpAPIFallback web search for candidate discoverySearch queries (no personal data sent)United States
RecruiterflowATS integration for importing existing candidatesAPI key (org-scoped), candidate records returned by your ATSUnited States
SMTP Email ProviderTransactional emails (invitations, OTP, notifications)Recipient email address, email contentUnited States / Australia

AI assessment calls to OpenAI are made under our API key. Candidate resume data is transmitted over HTTPS and is not used to train any OpenAI model (we use OpenAI's API with data processing terms that prohibit training use). We will notify you of any material changes to our sub-processor list.

7.Cookies & Sessions

We use a single session cookie to maintain your authenticated session. This cookie is:

  • HTTP-only — not accessible to JavaScript on the page
  • Secure — transmitted only over HTTPS
  • SameSite=Strict — not sent with cross-site requests
  • Automatically expired when you sign out or your session expires

We do not use third-party advertising cookies, social media tracking pixels, or analytics cookies that track you across sites. You can clear cookies in your browser at any time; this will sign you out of the platform.

8.Your Rights

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:

  • Access — request a copy of the personal information we hold about you
  • Correction — update inaccurate or incomplete personal information directly in your account settings, or ask us to correct it
  • Deletion — request deletion of your account and all associated personal data; we will comply within 30 days
  • Portability — request an export of your organisation's data in machine-readable format
  • Opt-out of communications — unsubscribe from non-essential notifications at any time via account settings or the unsubscribe link in any email
  • Complaint — if you believe we have handled your personal information in a way that breaches the APPs, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

To exercise any of these rights, email us at privacy@cvcentral.io. We will respond within 30 days. We may need to verify your identity before actioning requests.

9.California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

  • Right to Know — the categories and specific pieces of personal information we have collected about you
  • Right to Delete — request deletion of personal information we have collected from you, subject to certain exceptions
  • Right to Opt-Out of Sale — we do not sell personal information, so this right does not apply
  • Right to Non-Discrimination — we will not discriminate against you for exercising any of your CCPA rights

To submit a verifiable consumer request under the CCPA, email privacy@cvcentral.io with the subject line "CCPA Request". We will respond within 45 days. You may designate an authorised agent to make a request on your behalf.

10.International Data Transfers

CV Central operates from Australia. Our sub-processors (including OpenAI, Stripe, RocketReach, and SerpAPI) are primarily based in the United States. By using the platform, you acknowledge that your personal information may be transferred to and processed in the United States or other jurisdictions.

When transferring personal information overseas, we take steps to ensure recipients are bound by privacy obligations at least equivalent to the APPs, in accordance with APP 8. This includes:

  • Using sub-processors who participate in recognised cross-border data transfer frameworks or who have executed Data Processing Agreements with equivalent protections
  • Contractual obligations requiring sub-processors to protect personal information in accordance with Australian and applicable US privacy law

If you are in the European Economic Area or UK, please contact us for information about the transfer mechanisms we rely on for your data.

11.Data Security

We implement technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, or destruction:

  • All data is transmitted over HTTPS/TLS
  • Passwords are hashed with bcrypt — never stored in plain text
  • Multi-factor authentication (email OTP and TOTP authenticator app) is available to all users and enforced at admin discretion
  • JWT tokens with short expiry windows and refresh token rotation
  • Rate limiting on authentication endpoints to prevent brute-force attacks
  • Role-based access control — users can only access data within their own organisation
  • Resume files are stored in private cloud storage accessible only via signed URLs with expiry
  • Comprehensive audit logging of administrative actions
  • Regular security reviews and dependency audits

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and report to the Office of the Australian Information Commissioner as required by the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). We will do so as soon as practicable, and no later than 30 days after becoming aware of the breach.

12.Children's Privacy

CV Central is a professional platform intended for use by adults. We do not knowingly collect personal information from anyone under the age of 18. If you believe a person under 18 has created an account or provided us with personal data, please contact us immediately and we will delete that information promptly.

13.Changes to This Policy

We may update this policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes by:

  • Posting a notice in the CV Central dashboard at least 14 days before changes take effect, and
  • Sending an email to your registered address for significant changes

The "Last updated" date at the top of this page always reflects the most recent revision. Your continued use of the platform after changes take effect constitutes acceptance of the updated policy.

14.Contact

If you have questions about this policy, wish to exercise your rights, or have a privacy concern, please contact our Privacy Officer:

Emailprivacy@cvcentral.io
SubjectPrivacy Request — [your name and request type]
ResponseWithin 30 days of receipt

If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner
GPO Box 5288, Sydney NSW 2001
Phone: 1300 363 992