Privacy Policy

1. Introduction

Profiled (“we,” “us,” or “our”) is operated by Imaginapps Pty Ltd, ABN pending, with registered offices in Melbourne, Australia. This Privacy Policy explains how we collect, use, store, share, and protect information when you visit our website at profiled.careers or use any related services (collectively, the “Service”).

We are committed to transparency about our data practices. Profiled is built on the principle that candidates should own their professional narrative — and that includes how their data is handled. By accessing the Service you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of it, please do not use the Service.

2. Information We Collect

2.1 Information you provide directly

• Account information: name, email address, and authentication credentials when you create an account.
• Profile content: professional experience, skills, education, portfolio items, FAQ responses, values, gaps and weaknesses, and AI instructions that you add to your candidate profile.
• Private context: information you mark as private (e.g., why you left a role, honest assessments of past contributions, or explicit skill gaps). This data is used to power AI conversations about your profile but is never directly exposed to visitors.
• Uploaded documents: resumes or other files you choose to upload for AI-assisted profile building.
• Communications: messages you send through the in-profile chat, fit assessment requests, and any correspondence with our support team.
• Billing information: subscription plan selection. Payment card details are processed directly by Stripe and never stored on our servers.

2.2 Information collected automatically

• Device and browser data: IP address, browser type, operating system, device identifiers, and screen resolution.
• Usage data: pages viewed, features used, timestamps, referral URLs, and session duration.
• Cookies and similar technologies: see Section 9 (“Cookies”) below.

2.3 Information from third parties

If you sign in via a social provider (e.g., Google or GitHub), we receive your name, email address, and profile photo from that provider. We do not receive or store your social account password.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service: building and hosting your candidate profile, powering AI-driven conversations and fit assessments, and processing subscriptions.
• Improving the Service: analysing usage patterns to improve features, performance, and reliability.
• AI processing:your profile content (including private context) is sent to AI providers to generate responses to visitor questions and fit assessments. See Section 5 for details on our AI data practices.
• Communication: sending transactional emails (welcome messages, profile-published notifications, moderation updates), and, only with your consent, marketing communications.
• Security and fraud prevention: monitoring for suspicious activity, enforcing our Terms of Service, and protecting the rights and safety of our users.
• Legal obligations: complying with applicable laws, regulations, legal processes, or enforceable governmental requests.

4. Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area or United Kingdom, we process your personal data under the following legal bases:

• Consent: where you have given explicit, granular, and withdrawable consent (e.g., cookie preferences, marketing emails).
• Performance of a contract: processing necessary to provide the Service you signed up for.
• Legitimate interests: improving the Service, preventing fraud, and ensuring security, balanced against your rights and freedoms.
• Legal obligation: where processing is required to comply with applicable law.

5. AI Data Practices

Profiled uses artificial intelligence to power profile conversations and fit assessments. When a visitor interacts with your profile, your public and private content is sent to our AI providers as contextual input.

• Providers: we currently use Anthropic (Claude) as our primary AI provider with OpenAI as a failover. Both providers process data under data processing agreements that prohibit them from using your data to train their models.
• Private context: information you mark as private is used to inform AI responses but is never quoted verbatim in AI output. The AI is explicitly instructed to synthesise and contextualise private information rather than reproduce it directly.
• No model training: your data is not used to train, fine-tune, or improve any third-party AI model.
• AI-generated content disclaimer: all responses from the AI are generated content and may contain inaccuracies. Profiled makes no guarantee of the accuracy of AI-generated fit assessments or conversational responses.

6. Third-Party Service Providers (Sub-processors)

We share your personal information with a small set of trusted service providers (“sub-processors”) to deliver the platform — for example, payment processing through Stripe, authentication through Clerk, AI inference through Anthropic and OpenAI, and database hosting through Supabase. Each provider is bound by a Data Processing Agreement that limits their use of your data to providing services to us.

The authoritative, up-to-date list of every sub-processor, the data they process, their hosting region, and our change-notification commitments lives on a dedicated page:

View our complete sub-processor list →

We do not sell your personal information to any third party, and no sub-processor is permitted to use your data for their own marketing, advertising, or model training.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specifically:

• Account data: retained until you delete your account.
• Profile content: retained until you delete individual items or your entire account.
• Chat and assessment logs: retained for 90 days after the session, then anonymised or deleted.
• Billing records:retained for 7 years as required by tax and financial regulations.
• Audit logs:retained for 12 months for security and compliance purposes.

When you delete your account, we initiate a deletion process that removes your personal data within 30 days. Some data may persist in encrypted backups for up to 90 days before being permanently purged.

8. Your Rights

8.1 All users

Regardless of your location, you have the right to:

• Access the personal data we hold about you, via Dashboard → Settings → Data (one-click data export to ZIP, covers all profile content + audit history relevant to you).
• Correct inaccurate or incomplete data via your profile editor at Dashboard → Profile.
• Delete your account and associated data via Dashboard → Settings → Data. Deletion is self-service with a 14-day grace window before the cascade becomes irreversible.
• Export your profile data in a portable format (JSON + CSV bundle, downloadable as a ZIP) via the same dashboard surface.
• Withdraw consent for optional data processing (e.g., marketing emails, non-essential cookies) at any time without affecting your account.

8.2 EEA/UK users (GDPR)

If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation (and the UK GDPR):

• Article 15 — Right of access: obtain a copy of the personal data we hold about you. Fulfilled via the self-service data export at Dashboard → Settings → Data. Requests outside the dashboard scope can be submitted to privacy@profiled.careers and will be answered within 30 days.
• Article 16 — Right to rectification: correct inaccurate or incomplete data. Most profile fields are self-edit via the dashboard; for fields that aren’t, email privacy@profiled.careers.
• Article 17 — Right to erasure (“right to be forgotten”): delete your account and all associated personal data. Self- service via the dashboard with a 14-day grace window before the cascade becomes irreversible. After cascade, the only preserved data is a forensic tombstone with an HMAC-hashed actor identifier required for audit-trail integrity.
• Article 18 — Right to restriction of processing: request that we limit how we use your data in specific circumstances (e.g., while you contest its accuracy). Submit requests to privacy@profiled.careers.
• Article 20 — Right to data portability: receive your data in a structured, commonly-used, machine-readable format. Fulfilled via the data export (JSON + CSV bundle) at the same dashboard surface.
• Article 21 — Right to object: object to processing based on our legitimate interests (Section 4 above) and to direct marketing. Marketing opt-out is available from any marketing email or via your account settings; legitimate-interest objections can be submitted to privacy@profiled.careers and we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
• Article 22 — Automated decision-making: you have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects. AI-generated fit assessments on Profiled are informational only and are not used for automated employment, credit, or eligibility decisions.
• Lodge a complaintwith your local data protection authority — for EU residents this is your national Data Protection Authority; for UK residents it is the Information Commissioner’s Office (ICO).

8.3 California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) grants you the right to: know what personal information we collect and how it is used, request deletion of your personal information, opt out of the sale or sharing of your personal information, and not be discriminated against for exercising your privacy rights. Profiled does not sell or share your personal information as defined under the CCPA.

8.4 Australian residents (Privacy Act 1988)

If you are an Australian resident, you have rights under the Australian Privacy Principles (APPs) including the right to access and correct your personal information, and to make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.

9. Cookies

We use cookies and similar technologies to operate the Service:

• Essential cookies: required for authentication and session management (provided by Clerk). These cannot be disabled.
• Analytics cookies: help us understand how users interact with the Service. Only loaded with your consent.
• Marketing cookies: may be used in the future for advertising attribution. Only loaded with your consent.

You can manage your cookie preferences at any time through the cookie consent banner. No non-essential cookies are loaded before you grant consent. Your consent preferences are stored locally and recorded on our servers with a timestamp, IP address, user agent, and consent version for compliance auditing.

10. Do Not Sell My Personal Information

Profiled does notsell your personal information to third parties. We do not share your data for cross-context behavioural advertising. This commitment applies regardless of whether you have submitted a “Do Not Sell” request. If our practices change in the future, we will update this section and provide a mechanism to opt out before any such sharing begins.

11. Data Security

We implement industry-standard security measures to protect your personal information, including: encryption in transit (TLS 1.2+) and at rest, row-level security policies in our database ensuring users can only access their own data, rate limiting on all API endpoints, regular dependency auditing and vulnerability scanning, and access controls limiting which team members can access production systems. While we strive to protect your data, no method of transmission or storage is 100% secure. If we become aware of a security breach affecting your personal data, we will notify you in accordance with applicable law.

12. International Data Transfers

Profiled is operated from Australia and our primary infrastructure is hosted in the United States (Vercel, Supabase). If you access the Service from outside the United States, your personal information may be transferred to and processed in the United States or other countries where our service providers operate. We ensure that such transfers comply with applicable data protection laws through appropriate safeguards including standard contractual clauses and data processing agreements with our providers.

13. Children’s Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us and we will promptly delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the “Effective” date at the top of this page. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. We encourage you to review this page periodically.

15. Contact Us

If you have questions about this Privacy Policy, wish to exercise any of your rights, or need to report a data protection concern, please contact us:

• Email: privacy@profiled.careers
• Data Protection Officer: Martin Aranovitch, Imaginapps Pty Ltd
• Address: Melbourne, VIC, Australia

We aim to respond to all privacy-related requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.

16. Changelog

• v1.1 — 20 May 2026: Sub-processor list extracted to a dedicated page at /sub-processors (now the authoritative reference); LiveKit + Fly.io added to the list (previously implicit via voice infrastructure description). §8.2 EEA/UK rights expanded with explicit GDPR Article 15-22 citations and direct links to the dashboard self-service surfaces. §8.1 updated with direct links to the deletion + export flow. No changes to data collection, retention, or sharing practices.
• v1.0 — 16 April 2026: Initial publication.