Privacy Policy
1. Introduction
This Privacy Policy explains how HJ Vision FZ-LLC, trading as HeyAmara (“we,” “us,” “our,” or “HeyAmara”), collects, uses, shares, and protects personal data in connection with our website at heyamara.com (the “Website”), our technology platform (the “Platform”), and related services (collectively, the “Services”).
HeyAmara provides technology services for the recruitment industry. Recruiters who use our Platform are independent business operators — we are not a recruitment agency, employer, or joint venture partner.
This Privacy Policy applies to all individuals whose personal data we collect or process. We comply with applicable data protection and privacy laws, including the UAE Personal Data Protection Law (Federal Decree-Law No. 45/2021, “UAE PDPL”), the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”), and the New Zealand Privacy Act 2020 and the Information Privacy Principles (“IPPs”).
By using our Services, you acknowledge that you have read and understood this Privacy Policy. Where your consent is required as a legal basis for processing, we will obtain it separately and explicitly.
2. Definitions
“Candidate” means any individual whose personal data is processed through the Platform in connection with recruitment activities.
“Client” means any company, organisation, or individual that engages a Recruiter’s recruitment services and whose data may be processed through the Platform.
“Data Controller” (or “Controller”) means the party that determines the purposes and means of processing personal data. Depending on the context, this may be HeyAmara or a Recruiter, as described in Section 5.
“Data Processor” (or “Processor”) means the party that processes personal data on behalf of a Data Controller.
“Personal Data” (or “personal information”) means any information that relates to an identified or identifiable natural person, as defined by the applicable privacy law of the relevant jurisdiction.
“Platform Data” means data generated, uploaded, or processed through the Platform in connection with a user’s use of the Services.
“Recruiter” means an independent business operator who registers for and uses the Platform to provide recruitment services.
3. Information We Collect
3.1 Information You Provide
- Account and profile data: Name, email address, phone number, business details, and professional credentials.
- Financial and billing data: Payment information, invoicing details, and transaction records necessary to process fees and payments.
- Application data: Information provided when applying to join the Platform, which may include professional background and location.
- Communications: Messages, emails, support requests, and feedback you send to us.
3.2 Information Generated Through Your Use of the Platform
- Usage data: Information about how you interact with the Platform, such as pages visited, actions taken, IP address, device type, and session duration.
- Content you generate: Materials, configurations, and other data created through your use of the Platform.
3.3 Information from Third-Party Sources
- Data providers: We may receive data from third-party sources at the direction of users.
- Payment processors: We receive transaction confirmations and related data from our payment processor.
- Connected accounts: If you connect third-party accounts, we may access data from those accounts to enable Platform features.
3.4 Sensitive Information
Some personal data requires heightened protection. Under the Privacy Act 1988 (Cth) APP 3, sensitive information may only be collected with consent and where reasonably necessary. Categories of sensitive information we may collect include:
- Biometric data: Audio and video recordings may capture facial images and voice characteristics. We do not extract or store biometric templates or identifiers from recordings.
- Health information: Accessibility requirements voluntarily disclosed for interview or work arrangements.
- Background check data: Results of background screenings submitted by Recruiters as part of candidate management.
We collect sensitive information only where you have consented or where we are required or authorised by law.
4. How We Use Your Information
We process personal data for the following purposes:
| Purpose | Legal Basis (UAE PDPL) |
|---|---|
| Providing and operating our Services | Consent; performance of contract |
| Account management and billing | Consent; performance of contract |
| Recruitment assistance tools and features | Consent; performance of contract |
| Security, fraud prevention, and platform integrity | Consent; legal obligation |
| Monitoring compliance with platform terms | Consent; performance of contract |
| Legal compliance | Legal obligation |
| Service improvement and analytics | Consent |
| AI model training and improvement using de-identified data | Performance of contract |
| Marketing communications (where you have opted in) | Consent (explicit) |
We may create aggregated, anonymised, or de-identified data from personal data we process. Such data cannot reasonably identify any individual and may be used for any lawful business purpose.
5. Our Role as Data Processor
HeyAmara operates in two data protection roles:
- Data Controller — for Recruiter account data, usage data, analytics, and data we independently generate or derive from Platform operations.
- Data Processor — for Candidate and Client personal data uploaded or managed by Recruiters through the Platform. In this role, we process data on behalf of the Recruiter (who is the Controller).
HeyAmara may also act as an independent Controller for service improvement and AI model development, as described in Section 6.
If you are a Candidate or Client whose data has been entered into the Platform by a Recruiter, the Recruiter is primarily responsible for having a lawful basis to collect and use your personal data, providing you with appropriate privacy notices, and responding to your data rights requests.
Where HeyAmara acts as a Data Processor, we enter into a Data Processing Agreement (DPA) with each Recruiter governing how we process personal data on their behalf.
6. AI and Automated Processing
6.1 How We Use AI
We use artificial intelligence to assist with recruitment-related services. AI features may process personal data of Candidates, Clients, and other individuals provided through the Platform.
6.2 Third-Party AI Providers
We use third-party service providers to power AI features. These providers process data under contractual restrictions and do not use data submitted through our Platform to train their own models. AI providers may retain data for a limited period for safety and abuse monitoring purposes.
6.3 Automated Decision-Making
We do not make fully automated decisions that produce legal effects or similarly significant effects on individuals without human involvement. AI tools are designed to support human decision-making, not replace it. The final decision to engage, interview, or hire a Candidate is always made by the Recruiter or their Client.
If you believe an automated decision has significantly affected you, you may request human review by contacting privacy@heyamara.com. We will respond within fifteen (15) business days.
6.4 AI Model Training
We use de-identified and aggregated data to train and improve our AI models and develop our services. Where identifiable data is used for service improvement, this is carried out in accordance with the terms agreed with the relevant user. Candidate and client personal data is de-identified before use for AI model training. Anonymised data may be shared with third parties for research, analytics, and technology development. You may opt out of having your identifiable data used for AI model training by contacting privacy@heyamara.com.
7. Sharing and Disclosure
We do not sell personal data. We share personal data only in the following circumstances:
7.1 Service Providers
We use service providers for hosting, payments, and other operational services. These providers process data on our behalf under contractual obligations to protect personal data. The current list of service providers is available on request at privacy@heyamara.com. We will notify Recruiters of material changes to our service providers by written notice at least 30 days before the change takes effect.
7.2 Recruiter-Directed Sharing
When a Recruiter uses the Platform to share data with Candidates, Clients, or other third parties, we facilitate this sharing as a Data Processor acting on the Recruiter’s instructions.
7.3 Legal Requirements
We may disclose personal data to comply with applicable law, enforce our terms, protect rights and safety, or detect and prevent fraud.
7.4 Business Transfers
If HeyAmara is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction with appropriate notice.
7.5 Aggregated and De-identified Data
We may share aggregated, anonymised, or de-identified data with third parties for research, analytics, and technology development. We do not sell identifiable personal data.
8. International Data Transfers
Personal data may be transferred to and processed in countries other than where it was collected, including Australia, the United States, and Canada.
We protect personal data transferred internationally through:
- Contractual safeguards with service providers requiring them to protect data in accordance with applicable laws;
- Compliance with UAE PDPL cross-border transfer requirements (Articles 22 and 23);
- Compliance with Australian APP 8, ensuring overseas recipients handle information in accordance with the APPs; and
- Compliance with New Zealand IPP 12, ensuring comparable privacy protections through contractual mechanisms.
9. Data Retention
We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, or as required by law.
| Category | Retention Period |
|---|---|
| Account and billing data | Duration of account plus up to 7 years |
| Candidate and client data (where we are Processor) | As directed by the Recruiter, or upon account termination per the DPA |
| Usage and platform data | Up to 7 years from collection |
Data no longer required is de-identified or securely deleted. Anonymised data may be retained indefinitely for analytics and service improvement.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data from misuse, interference, loss, and unauthorised access, modification, or disclosure, including encryption, access controls, and monitoring.
No method of transmission or storage is completely secure. If you become aware of any security incident, please notify us immediately at privacy@heyamara.com.
11. Your Rights
You have rights regarding your personal data under applicable privacy laws.
11.1 Rights Under UAE PDPL
If the UAE PDPL applies, you have the right to: access your personal data (Art. 13); correct inaccurate data (Art. 15); request deletion (Art. 15); restrict processing (Art. 16); data portability (Art. 14); withdraw consent (Art. 7); object to processing (Art. 17); and not be subject to solely automated decision-making with legal effects (Art. 18). You may also lodge a complaint with the Emirates Data Office.
We will respond within thirty (30) days, extendable to forty-five (45) days for complex requests.
11.2 Rights Under Australian Privacy Act
If the Australian Privacy Act applies, you have the right to: access your personal information (APP 12); correct inaccurate information (APP 13); and complain about a breach of the APPs.
To make a complaint, contact privacy@heyamara.com. We will acknowledge receipt within 5 business days and respond within 30 calendar days. If unsatisfied, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
11.3 Rights Under New Zealand Privacy Act 2020
If the New Zealand Privacy Act 2020 applies, you have the right to: access your personal information (IPP 6); correct inaccurate information (IPP 7); and complain to the Office of the Privacy Commissioner at www.privacy.org.nz.
We will respond to access and correction requests within twenty (20) working days.
11.4 Candidates and Clients
If you are a Candidate or Client whose data was entered by a Recruiter, the Recruiter is the Data Controller. Contact the Recruiter directly to exercise your rights. If you cannot reach the Recruiter, contact us at privacy@heyamara.com and we will assist you.
12. Cookies
We use cookies and similar technologies on our Website:
- Essential cookies: Required for core functionality (authentication, security, sessions). Set automatically.
- Functional cookies: Enable preferences and personalisation.
- Analytics cookies: Help us understand how visitors use the Website.
Non-essential cookies are only set after you provide consent via our cookie consent banner. We do not use advertising or cross-site tracking cookies.
You can manage cookies through your browser settings or our cookie consent banner.
13. Children’s Privacy
Our Services are not intended for individuals under 18. We do not knowingly collect personal data from children. If we become aware of such collection, we will promptly delete the data. Contact us at privacy@heyamara.com if you believe we have inadvertently collected data from a child.
14. Communications
14.1 Service Communications
We send communications necessary for operating our Services, including account notifications, security alerts, and billing notices. These are transactional and cannot be opted out of while you maintain an active account.
14.2 Marketing Communications
Marketing communications are sent only with your explicit prior consent. You may opt out at any time by clicking “unsubscribe” in any marketing email or contacting privacy@heyamara.com.
14.3 Compliance
Users are solely responsible for compliance with all applicable laws, including communications and recording consent laws, when using Platform features.
15. Data Breach Notification
If we become aware of a data breach involving personal data, we will promptly investigate, take steps to contain it, and notify relevant regulatory authorities and affected individuals in accordance with applicable law.
16. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days’ advance notice by posting a notice on the Website and, for registered users, by email. Non-material changes are effective when posted. Your continued use of our Services after changes take effect constitutes acceptance.
17. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:
- Privacy enquiries: privacy@heyamara.com
- Legal enquiries: legal@heyamara.com
- Data Protection Officer: privacy@heyamara.com (Attn: DPO)
- Entity: HJ Vision FZ-LLC, United Arab Emirates
Complaints: - Australia: Office of the Australian Information Commissioner — www.oaic.gov.au - New Zealand: Office of the Privacy Commissioner — www.privacy.org.nz - UAE: Emirates Data Office
18. Jurisdiction-Specific Provisions
18.1 Australia
The Privacy Act 1988 (Cth) applies to our handling of personal information of individuals in Australia. We comply with the Australian Privacy Principles (APPs).
The countries to which we may disclose personal information include Australia, the United States, and Canada.
Automated decision-making (effective 10 December 2026): From that date, the Privacy and Other Legislation Amendment Act 2024 (Cth) will require additional transparency about automated decision-making that could significantly affect individuals’ rights or interests. We will update this policy accordingly.
18.2 New Zealand
The New Zealand Privacy Act 2020 applies to our handling of personal information of individuals in New Zealand. We comply with the Information Privacy Principles (IPPs).
Indirect collection (IPP 3A, effective 1 May 2026): Where personal information is collected about an individual from a source other than the individual, we will take reasonable steps to ensure the individual is notified, as required by the new IPP 3A obligation.
18.3 UAE
The UAE PDPL applies to our processing of personal data. We have appointed a Data Protection Officer, contactable at privacy@heyamara.com.
Our primary lawful basis for processing is consent, obtained at the point of collection or through agreement to our terms. For AI model improvement, the lawful basis is performance of contract under Article 4 of the UAE PDPL.
We comply with cross-border transfer requirements under Articles 22 and 23 of the UAE PDPL through contractual safeguards with all overseas recipients.
18.4 United States
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). We do not sell personal information. To exercise your rights, contact privacy@heyamara.com.
Last updated: 3 April 2026