Privacy Policy

Last Modified: December 20, 2025

Thank you for your interest in HeyAmara ("HeyAmara," "we", "our" or "us"). HeyAmara provides an all-in-one AI recruitment platform that helps elite recruiters and agencies scale faster through intelligent automation and candidate matching.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our website and mobile applications.

Data Controller vs Processor Roles

We are the data controller for:

• Individual user accounts
• Platform users (recruiters, team members)
• Billing and payment information
• Platform usage analytics

We are the data processor for:

• Customer Data: Candidate CVs, client information, communication records uploaded by customers
• Customers (recruitment agencies) are the data controllers for this data
• Customers must have their own privacy policies for candidates and clients

Important Distinction: This Privacy Policy explains how we use personal information when you use our Service as an account holder or team member. It does NOT cover how we process candidate or client data that our customers upload to the platform - that data is processed under our Data Processing Agreement (DPA) as instructed by the customer who controls it.

A. Information You Provide Directly

(i) Registration & Account Information

What: Email, username, password (hashed), full name, phone number, profile photo, role, team association
Why: Account creation, authentication, access control
Retention: Duration of account + 60 days after closure

(ii) Payment & Billing Information

What: Billing address, company details, Tax ID/ABN, credit purchase history, Stripe Customer ID
Note: Credit card details are NEVER stored by us - handled by Stripe
Retention: 7 years (tax compliance)

(iii) Communications

Support emails, chat messages with our team, feedback forms

(iv) OAuth/SSO Data

Google OAuth (name, email, profile photo), LinkedIn OAuth (name, email, profile photo, headline)

(v) AI Chat/Assistant Interactions

Messages sent to Amara AI assistant, uploaded files (images, PDFs), AI-generated responses, conversation history

Important: We do NOT use your AI conversations to train our models or share with third parties for marketing. AI providers may have their own data retention policies - see the detailed AI section for details.

B. Information from Third-Party Sources

Social networks (Google, LinkedIn), Payment processors (Stripe)

C. Information Collected Automatically

Usage & Analytics: Pages visited, features used, time spent, search queries, clicks
Technical Data: IP address, browser type, device type, operating system, session IDs
Communication Metadata: Call duration, email open rates, video conference attendance

D. Customer Data (We Process on Behalf of Customers)

Candidate Information: Names, emails, phone numbers, CVs/resumes, work experience, skills, application data, interview notes
Client/Employer Information: Company details, contacts, job descriptions, hiring requirements
Prospect Data: Potential client information, lead sources, notes

Our Role: We DO provide secure storage, enable search/filtering, facilitate communication, offer AI analysis tools. We DON'T sell candidate data, use it for marketing, share across customer tenants, or train AI models with customer data.

A. Platform Account Users (Recruiters, Team Members)

• Account creation & authentication: Email, password, name, OAuth tokens
• Access control & security: Role, team, tenant ID, IP address, session data
• Billing & invoicing: Payment data, credit usage, Stripe customer ID
• Customer support: Support emails, account details, usage history
• Platform improvements: Usage analytics, feature adoption, feedback
• Security & fraud prevention: IP logs, login patterns, suspicious activity detection
• Legal compliance: Audit trails, transaction records, retention logs

B. AI-Powered Features

• Amara AI Chat: Recruitment assistance and Q&A (requires explicit consent)
• Deep Research: Company names, URLs, LinkedIn profiles (feature opt-in)
• CV Parsing: Extract structured data from candidate CVs (covered by customer DPA)
• Candidate Matching: Skills and experience matching (covered by customer DPA)

C. What We DON'T Do

• ❌ Sell personal information to third parties
• ❌ Use customer data (candidates/clients) for our own marketing
• ❌ Share data across different customer tenants
• ❌ Train AI models with your proprietary candidate/client data
• ❌ Display ads based on customer data

A. With Service Providers (Data Processors)

We share limited personal information with trusted third-party vendors who help us operate the platform. All processors are bound by Data Processing Agreements (DPAs) with strict confidentiality and security obligations.

B. With Other Customers (Tenant Isolation)

• Your tenant data is strictly isolated from other customers
• Customer data is NEVER shared between different recruitment agencies
• All data includes a tenantId that prevents cross-tenant access

C. For Legal Requirements

We may disclose personal information if required by law or legal process:

• Law enforcement: Valid subpoenas, court orders, or legal requests
• Rights protection: To enforce our Terms of Service, prevent fraud, protect safety
• Legal compliance: Taxation, employment law, data protection regulators

D. Business Transfers

If HeyAmara is involved in a merger, acquisition, bankruptcy, or asset sale: We will notify you by email and/or prominent notice on the platform. Your data may be transferred to the acquiring entity. The acquiring entity will be bound by this Privacy Policy.

If you are in Australia or New Zealand, you have the following rights under the Australian Privacy Act 1988 (APPs) and New Zealand Privacy Act 2020 (IPPs):

A. Right to Access (APP 12 / IPP 6)

Request a copy of personal information we hold about you
How: Email privacy@heyamara.com with subject "Access Request"
Timeline: 30 days

B. Right to Correction (APP 13 / IPP 7)

Update inaccurate or incomplete personal information
How: Update in account settings or email privacy@heyamara.com
Timeline: Immediate for self-service, 14 days for manual

C. Right to Erasure (APP 11 / IPP 9)

Request deletion of personal information (subject to legal retention requirements)
How: Account Settings > Delete Account, or email privacy@heyamara.com
Timeline: 30 days

D. Right to Data Portability

Receive your data in structured, machine-readable format (JSON, CSV)
How: Account Settings > Export Data, or email privacy@heyamara.com
Timeline: 7 days

E. Right to Withdraw Consent

Withdraw consent for AI processing, analytics cookies, marketing
How: Account Settings > Privacy Preferences

F. Right to Lodge Complaint

If you believe we've breached privacy laws:

Australia: Office of the Australian Information Commissioner (OAIC)
Phone: 1300 363 992 | Email: enquiries@oaic.gov.au

New Zealand: Office of the Privacy Commissioner
Phone: 0800 803 909 | Email: enquiries@privacy.org.nz

When you use AI features, your data may be processed by third-party AI providers. Here's how they handle your data:

A. Groq AI (Primary AI Provider)

• What they receive: User messages, uploaded files, conversation context
• Training policy: Groq states they do NOT use customer data to train models
• Data location: USA
• Your control: Can opt-out and use Google Gemini or OpenAI instead

B. Google Gemini AI (Optional Alternative)

• What they receive: User messages (if enabled)
• Training policy: Enterprise version does NOT train on customer data
• Data location: USA/Global (with regional data residency options)
• Your control: Opt-in only, can switch anytime

C. OpenAI (Optional Alternative)

• What they receive: Chat messages, text for AI enhancement (GPT-4o-mini)
• Training policy: API data is NOT used to train OpenAI models
• Data location: USA
• Your control: Opt-in only, can switch anytime

D. Resume Parsing AI

• Purpose: Extract structured data (name, email, work experience, skills, education) from CVs
• Data retention: Parsed data stored in your tenant database
• Training policy: We do NOT use customer CV data to train models

E. Deep Research Custom Agents

• What they receive: Company names, URLs, LinkedIn profiles, recent notes (last 90 days, max 500 chars)
• Data retention: Research reports stored in your account indefinitely
• Training policy: We do NOT use research data to train models
• Your control: Opt-in feature, can disable anytime

F. Data Minimization for AI

• We send only necessary context to AI providers
• Sensitive fields (SSNs, credit cards, passwords, Tax IDs) are automatically filtered
• You can review AI prompts before sending (in settings)
• All transfers use encrypted channels (TLS 1.3+)

We implement industry-standard security controls to protect your information:

A. Encryption

• In Transit: TLS 1.3 for all HTTPS connections
• At Rest: AES-256 encryption for S3 buckets, encrypted database storage
• Backups: Encrypted daily backups with 30-day retention

B. Authentication & Access Control

• Passwords: Bcrypt hashing (never stored in plaintext)
• MFA: Optional multi-factor authentication via AWS Cognito
• Sessions: Secure session tokens with automatic expiration
• OAuth: Industry-standard OAuth 2.0 flows for Google/LinkedIn

C. Multi-Tenant Data Isolation

• Database Level: All tables include tenantId column with row-level security
• Application Level: Middleware enforces tenant context on all queries
• API Level: Token validation ensures users can only access their tenant's data
• Storage Level: S3 bucket prefixes separate files by tenant

D. Regular Security Practices

• Security patch management (weekly updates)
• Dependency vulnerability scanning (automated)
• Penetration testing (annual)
• Employee security training (quarterly)
• Incident response plan (documented and tested)

E. Data Breach Notification

In the event of a data breach: We will investigate within 72 hours, notify affected users by email within 72 hours, notify OAIC (Australia) / Privacy Commissioner (NZ) if required, and provide details about remediation steps.

A. Retention Periods

B. Account Deletion Process

When you delete your account:

1. Immediate: Profile hidden, login disabled, sessions terminated
2. Within 24 hours: Personal data soft-deleted (marked as deleted but recoverable)
3. After 60 days: Hard deletion of account details, AI logs, uploaded files
4. Retained: Billing records (7 years), anonymized usage statistics

A. Primary Data Location

• AWS Region: ap-southeast-2 (Sydney, Australia)
• Database: Hosted in Sydney
• File Storage (S3): Sydney buckets
• Backups: Sydney region

B. Cross-Border Transfers

Some third-party processors are located outside Australia/NZ. We use Standard Contractual Clauses (SCCs) and encryption to ensure appropriate safeguards.

Key Services with International Transfers: Stripe (USA), Groq AI (USA), Google Gemini (USA/Global), Deepgram (USA), Twilio (USA), OpenAI (USA)

C. Your Rights Regarding Transfers

• You can object to specific international transfers
• We will attempt to provide alternative processing within AU/NZ where feasible
• All transfers use encrypted channels (TLS 1.3+)
• Data Minimization: Only necessary data is transferred

A. What Are Cookies?

Cookies are small text files stored on your device when you visit our website. We use cookies to remember your login status, analyze platform usage, deliver personalized experiences, and measure marketing effectiveness.

B. Types of Cookies We Use

(i) Strictly Necessary Cookies (Cannot be disabled)

• session_token: Authentication and security (Session duration)
• csrf_token: CSRF protection (Session duration)
• tenant_id: Multi-tenant routing (Session duration)

(ii) Functional Cookies (Enhance experience)

• user_preferences: Save your settings (1 year)
• timezone: Display times in your timezone (1 year)

(iii) Analytics Cookies (Require consent)

• _ga, _ga_*: Google Analytics - Track page views, user flows (2 years)

(iv) Marketing Cookies (Require consent)

• _fbp: Facebook Pixel - Measure ad campaign performance (90 days)
• _gcl_*: Google Ads - Track conversions from Google Ads (90 days)

C. Cookie Consent Management

• Cookie consent banner appears on first visit
• You can accept all, customize preferences, or reject non-essential cookies
• Change preferences anytime: Footer link "Cookie Preferences" or Account Settings > Privacy
• We honor browser DNT signals for analytics and marketing cookies

D. Third-Party Cookies

We do not control third-party cookies from social media widgets, YouTube embeds, or OAuth login buttons. These follow the third party's privacy policies.

A. AI-Assisted (Not Fully Automated) Decisions

We use AI to assist (not replace) human recruiters:

• Candidate Matching: AI scores candidates, recruiters make final decisions
• CV Parsing: AI extracts data, recruiters validate and correct
• Deep Research: AI generates reports, users review and decide what to use
• Amara AI Chat: AI suggests responses, you write final message

B. No Fully Automated Decisions

We do NOT make fully automated decisions that significantly affect you without human intervention:

• ❌ Automatically reject candidates without recruiter review
• ❌ Auto-approve/deny credit increases without manual check
• ❌ Terminate accounts solely based on AI flagging

C. Right to Explanation & Challenge

If you disagree with an AI-assisted decision:

• Request explanation of the AI scoring/logic
• Challenge the decision
• Request human review
• Email privacy@heyamara.com with "AI Decision Challenge" in subject

D. Automated Decision-Making Disclosure (OAIC December 2026 Requirement)

Per the Privacy Act 1988 amendments, we proactively disclose: We use AI to generate candidate matching scores and CV parsing. These are used to assist recruiters in prioritizing candidates for review. No automated rejection occurs without human recruiter approval. All final hiring decisions require human intervention. This requirement becomes mandatory December 2026, and we are implementing proactively.

A. Token-Based Pricing Model

HeyAmara uses a credit-based system: Credits are virtual tokens used to access premium features (AI research, bulk uploads, etc.). You can purchase credit packages or subscribe to monthly plans.

B. What Billing Data We Collect

• Purchase History: For invoicing and account reconciliation (7 years)
• Credit Balance: Display available credits, prevent overuse (active account)
• Credit Usage Logs: Itemized billing and usage analytics (7 years)
• Stripe Customer ID: Link to payment processor (active account + 7 years)
• Billing Address: Tax compliance and invoicing (7 years)
• Tax ID / ABN: GST/VAT compliance (7 years)

C. Payment Card Data

• We NEVER store: Full credit card numbers, CVV codes, expiration dates
• Stripe Stores: Tokenized payment methods in PCI-compliant vaults
• You Control: Add/remove payment methods in Account Settings

D. Credit Expiration Policies

• Purchased Credits: Do not expire (valid for lifetime of account)
• Promotional/Bonus Credits: May have expiration dates (clearly disclosed)
• Subscription Credits: Expire at end of billing period (do not roll over)
• Account Closure: All credits are forfeited upon account deletion
• Notification: We email you 30 days before promotional credits expire

E. Credit Refunds

• Purchased credits: Non-refundable per Terms of Service (digital goods)
• Subscription credits: Partial prorated refund if you cancel mid-period
• Billing errors: Full refund if the error was our fault (within 60 days)
• Unauthorized charges: Full refund if reported within 14 days
• How to request: Email billing@heyamara.com with subject "Refund Request - [Invoice ID]"

For Privacy Inquiries

• Email: privacy@heyamara.com
• Data Protection Officer: dpo@heyamara.com
• Response Time: We aim to respond within 5 business days

For Specific Requests

What to Include in Your Request

1. Full name and account email
2. Type of request (access, deletion, etc.)
3. Specific data or information you're requesting
4. Proof of identity (for security)
5. Preferred response format (email, PDF, JSON)

A. Australian-Specific Disclosures

HeyAmara is bound by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

• Credit Reporting (APP 2): We do NOT participate in credit reporting and do NOT share billing data with credit bureaus
• Direct Marketing (APP 7): You can opt-out anytime. We do NOT sell your data to third-party marketers. We do NOT use sensitive information (health, race, religion) for marketing
• Cross-Border Disclosure (APP 8): We transfer data to USA-based processors, use Standard Contractual Clauses and encryption, and remain accountable for overseas processing
• Government Access: We comply with valid government requests (subpoenas, warrants) and will notify you unless legally prohibited

B. New Zealand-Specific Disclosures

HeyAmara complies with the Privacy Act 2020 (NZ).

• Principle 3 - Collection: We collect data directly from you where practicable. If collected from third parties, we notify you
• Principle 6 - Access: You can access your information free of charge (first request per year). Subsequent requests may incur reasonable fees
• Principle 10 - Use Limits: We use your information only for disclosed purposes. We do NOT use recruitment data for unrelated purposes
• Principle 11 - Disclosure Limits: We do NOT disclose information unless you consent or it's required by law

A. How We Notify You

We may update this Privacy Policy from time to time. When we make material changes:

1. Email Notification: Sent to your account email at least 30 days before changes take effect
2. Platform Banner: Prominent notice when you log in
3. Version History: Link to previous versions available
4. Last Modified Date: Updated at the top of this page

B. Material vs. Non-Material Changes

• Material: Changes to data collection, new processors, expanded uses → Requires 30-day advance notice + option to object/close account
• Non-Material: Clarifications, typo fixes, formatting → No notification required

C. Your Options

• Object: Email privacy@heyamara.com within 30 days
• Close Account: Delete your account before effective date
• Accept: Using the platform after effective date = acceptance