Last updated: 07 Jun 2026

About this policy

This policy explains how we collect, use, and protect personal information when you use anzscofinder.com (the "service"). The service is operated by Tonalium Pty Ltd (ACN 698 487 473, ABN 63 698 487 473) ("we", "us", "our"), which is the entity responsible for the personal information it handles. We handle your information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) and, for users in New Zealand, the Privacy Act 2020 (NZ) and the Information Privacy Principles (IPPs).

What we collect

• Account info: your name and email, collected when you create an account at app.anzscofinder.com/register.
• CV content: when you upload a CV, the file is stored privately on your account, and the extracted text is processed to identify occupation codes.
• Usage info: server logs (IP address, user-agent, timestamps) and session cookies for login state. Your IP address may be used and retained for security and abuse prevention (for example, to enforce fair use of free credits).
• Feedback: ratings and comments you provide on match results.
• Communication: any emails you send us.

How we use it

• To run the ANZSCO matching service for you
• To send transactional emails (account confirmation, email verification, match notifications)
• To improve the tool (aggregated, de-identified analysis only, never your personal data)
• For security, abuse prevention, and audit
• To respond to support and partnership enquiries

AI processing of your CV

Your CV is processed by our matching engine, which sends extracted CV text (not necessarily the original file) to AI providers in the United States (currently Anthropic and OpenAI) for occupation extraction and semantic matching. These providers act as data processors under their data-processing terms and do not train their models on your data — see Anthropic's Commercial Terms and OpenAI's Data Processing Addendum, which is your recourse path if those terms change. Your original CV file is archived on AWS S3 in Sydney, Australia. Our application and matching pipeline run on hosting located in Singapore, where the processed result (top matches plus your feedback) is stored.

Sharing with third parties

We use the following processors:

• Amazon Web Services (AWS), file storage (S3, Sydney region) and transactional email (SES). Region: ap-southeast-2.
• Anthropic, CV-to-code semantic matching. Region: United States.
• OpenAI, embeddings for occupation-code retrieval. Region: United States.
• Hetzner, application and matching-pipeline hosting. Region: Singapore.
• Cloudflare, content delivery, security/WAF, and edge-delivered analytics (Zaraz). Global edge.
• Sentry, application error monitoring (may include IP address and request metadata). Region: United States.
• Stripe, payment processing for credit purchases. Regions: United States and Australia.

We do not sell, rent, or trade your personal information.

Cross-border data transfers

Some processors are located outside Australia and New Zealand — primarily the United States (AI processing) and Singapore (application hosting). By using the service you consent to the transfer of your CV content and account information to those processors for the limited purpose of operating the service. We take reasonable steps — including contractual data-processing terms — to ensure these processors protect your information consistently with Australian Privacy Principle 8 and New Zealand Information Privacy Principle 12.

How long we keep it

• Account info: retained while your account is open and for a reasonable period afterward; you can request deletion at any time
• CV files & extracted text: kept no longer than 30 days, then permanently deleted. You can delete a CV yourself any time before that (see Your rights below)
• Match results: the occupation codes, scores and explanations we return are kept while your account is open so you can revisit them; delete any result from your dashboard at any time
• Server logs: rotated within 90 days
• Email records: retained for 12 months for audit purposes

Security

Data is encrypted in transit (HTTPS) and at rest (AWS SSE-AES-256). Production systems are isolated from staging and development. Access is limited to authorised team members. No system is impenetrable, but we take reasonable steps to protect your information.

Cookies

We use first-party session cookies to keep you logged in and to remember your selections. We use Google Analytics 4, delivered through Cloudflare Zaraz at the edge, to understand aggregate, de-identified usage of the site. We do not use advertising networks or marketing trackers, and we do not sell your data. Where required by law (e.g. for EU/UK visitors), analytics is gated behind a consent banner.

Your rights, access, correction, complaints

Under Australian Privacy Principles 12 and 13 (and, for New Zealand users, Information Privacy Principles 6 and 7), you can:

• Ask us what personal information we hold about you
• Ask us to correct it if it's wrong
• Ask us to delete your account and associated data

Email hello@anzscofinder.com with your request. We will respond within 30 days.

If you're not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or — if you are in New Zealand — the Office of the New Zealand Privacy Commissioner at privacy.org.nz.

Children

The service is not directed at children under 18. We do not knowingly collect personal information from anyone under 18.

Changes

The current version of this policy is always at /privacy. Significant changes will be communicated by email at least 14 days before they take effect.

Contact

Privacy questions or requests: hello@anzscofinder.com. The entity responsible for your personal information is: