Australian Privacy ActGDPRUK GDPRACL

Privacy Policy

The Agile Foundry (trading as Yarashi) · yarashi.com.au

Effective: 1 June 2026 · We do not sell your data · AI processing disclosed · Your rights guaranteed

💡

Plain English Summary

🔒We collect only what is needed to run the service

🤖AI analyses your CV — you always review the output

🚫We never sell your data or use it for advertising

✅You can access, correct or delete your data anytime

🌍Data may go to the US — protected by standard contracts

📧Contact privacy@yarashi.com.au for any request

Who We Are What We Collect Legal Basis for Processing (GDPR)AI Processing and Automated Decision-Making Who We Share Your Data With Your Rights Security and Data Retention Cookies and Local Storage International Data Transfers Children Changes to This Policy Contact and Complaints

1. Who We Are

Identity

This Privacy Policy applies to Yarashi, operated by The Agile Foundry (trading as Yarashi) ("we", "us", "our"), accessible at yarashi.com.au. Privacy enquiries: privacy@yarashi.com.au Support: support@yarashi.com.au We are the data controller for personal information collected through Yarashi. This policy explains how we collect, use, store, share and protect your personal information, and your rights in relation to it.

This policy is designed to comply with: • Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) • Privacy and Other Legislation Amendment Act 2024 (Cth) • General Data Protection Regulation (GDPR) — EU 2016/679 (for users in the EEA or UK) • UK GDPR (for users in the United Kingdom) • Australian Consumer Law (ACL) • Notifiable Data Breaches (NDB) scheme

2. What We Collect

Data

We collect only the information necessary to deliver our service (data minimisation). We collect:

Category	Examples	Why collected
Account data	Name, email, encrypted password	To create and manage your account
Professional data	CV text, work history, skills, education, certifications, target role, salary, preferred locations, industries	To power AI matching, gap analysis and content generation
Usage data	Job searches, saved roles, cover letters generated, interview prep sessions, skills gap reports	To deliver the service and improve it (aggregated only)
Technical data	IP address, browser type, device, session timestamps	Security and platform performance
Communications	Emails you send us, feedback, support requests	To respond to you and resolve issues

We do not intentionally collect sensitive information (health, ethnicity, religion, political views, sexual orientation, criminal record) as defined under the Privacy Act. If you include such information in your CV text, it is processed solely to deliver the AI features you requested and is not used for any other purpose.

3. Legal Basis for Processing (GDPR)

GDPR

For users in the EEA or UK, we process your personal data under the following lawful bases:

Processing activity	Lawful basis
Creating and managing your account	Contract performance (Art. 6(1)(b))
Delivering AI features (CV matching, cover letters, interview prep, gap analysis)	Contract performance (Art. 6(1)(b))
Sending job alert emails you have enabled	Contract performance / Legitimate interest (Art. 6(1)(f))
Sending transactional emails (verification, account notices)	Contract performance (Art. 6(1)(b))
Improving our platform using anonymised aggregate data	Legitimate interest (Art. 6(1)(f))
Marketing communications (if applicable in future)	Consent (Art. 6(1)(a)) — separately obtained
Complying with legal obligations	Legal obligation (Art. 6(1)(c))

For Australian users, the equivalent basis is our obligations under the Australian Privacy Principles and our contract with you. Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms.

4. AI Processing and Automated Decision-Making

Yarashi uses Anthropic's Claude AI models to deliver its core features. This is central to the service you have signed up for.

AI feature	Data processed	Output
CV Match Score	Your CV text + job description	0–100 match percentage and gap list
Cover Letter Builder	Your CV text + job details + tone preference	Tailored cover letter draft
Interview Coach	Your CV text + job details + role level	12 STAR-method answers
Skill Radar (Skills Gap)	Your CV text + up to 8 job descriptions	Keyword gap report and action plan
Profile Boost	Your CV text + target role + location	LinkedIn section rewrites

Important: AI-generated outputs are informational tools to assist your job search. They are not binding decisions and do not have legal or similarly significant effects on you. No employment decisions are made solely by our AI. You retain full control over whether and how to use any generated content. GDPR Art. 22 — Automated individual decision-making: Our AI processing does not constitute solely automated decision-making that produces legal effects concerning you. A human (you) reviews and acts on all outputs.

Data sent to Anthropic: When you use an AI feature, relevant portions of your CV and the job description are transmitted to Anthropic's API in the United States. Anthropic acts as a data processor on our behalf. We have assessed Anthropic's data handling practices and they meet the standards required under both Australian Privacy Principles and GDPR Standard Contractual Clauses. Anthropic's Privacy Policy: anthropic.com/privacy From 10 December 2026 (Australian Privacy and Other Legislation Amendment Act 2024 — APPs 1.7–1.9): We will provide enhanced automated decision-making disclosures. We are actively preparing for this now.

5. Who We Share Your Data With

Sharing

We do not sell your personal information. We do not share it with advertisers. We share it only with the following service providers who process it on our behalf:

Provider	Purpose	Location	Transfer mechanism
Supabase	Database, authentication, storage	United States	Standard Contractual Clauses (SCCs)
Vercel	Platform hosting and deployment	United States / Global CDN	SCCs / Adequacy
Anthropic	AI model processing	United States	SCCs / DPA
Adzuna	Job listing data (we do not share your data with Adzuna)	United Kingdom / Australia	N/A — query only
Resend	Transactional email delivery	United States	SCCs

All providers are bound by data processing agreements requiring them to process your information only for the purposes we specify, in accordance with applicable law. We may also disclose your information where required by law, court order, or to protect the rights, property or safety of Yarashi, our users, or others.

6. Your Rights

Rights

You have the following rights in relation to your personal information. EEA/UK users have these rights under GDPR. Australian users have equivalent rights under the Privacy Act 1988.

Right	What it means	How to exercise
Access	Obtain a copy of the personal data we hold about you	Email privacy@yarashi.com.au
Rectification	Correct inaccurate or incomplete data	Update in Profile settings or email us
Erasure ("right to be forgotten")	Request deletion of your account and personal data	Account settings → Delete Account, or email us
Portability	Receive your data in a structured, machine-readable format	Email privacy@yarashi.com.au
Restriction	Restrict processing in certain circumstances	Email privacy@yarashi.com.au
Object	Object to processing based on legitimate interests	Email privacy@yarashi.com.au
Withdraw consent	Withdraw consent where processing is consent-based	Unsubscribe link in emails or Profile → Preferences
Opt out of job alerts	Stop receiving job alert emails	Profile → Preferences → Alerts
Lodge a complaint	Complain to a supervisory authority	Australia: OAIC (oaic.gov.au) · EU: Your national DPA · UK: ICO (ico.org.uk)

We will respond to all rights requests within 30 days. We may need to verify your identity before acting on a request. We will not charge for routine requests.

7. Security and Data Retention

Security

Security measures we implement: • All data transmitted over HTTPS/TLS encryption • Passwords hashed using bcrypt — never stored in plain text • Row-level security (RLS) in our database — each user accesses only their own data • Session tokens expire automatically • CV text stored in your browser locally unless you explicitly save it to your profile • Regular security reviews Data retention: We retain your personal data for as long as your account is active. Upon account deletion, personal data is deleted within 30 days, except where longer retention is required by law (e.g. financial records for taxation purposes — up to 7 years). Data breaches: We will notify you and the relevant authority (OAIC in Australia, relevant national DPA in the EU/UK) within 72 hours of becoming aware of a breach likely to result in a high risk to your rights and freedoms, as required by the NDB scheme and GDPR Art. 33–34.

8. Cookies and Local Storage

Yarashi uses browser localStorage (not tracking cookies) to store your session, CV text and search preferences locally on your device. This data does not leave your device unless you explicitly save it to your account. We do not use: • Advertising or marketing cookies • Cross-site tracking pixels • Third-party behavioural analytics • Google Analytics or similar tracking tools The only cookie we set is a secure, HttpOnly session authentication cookie required for you to stay logged in. This cookie is strictly necessary for the service to function and does not require separate consent under GDPR or the Australian Privacy Act.

9. International Data Transfers

Transfers

Our service providers are primarily located in the United States. By using Yarashi, you acknowledge that your personal data may be transferred to and processed in the United States and other countries outside your country of residence. For EEA/UK users: We ensure such transfers comply with GDPR Chapter V through Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary technical measures, and assessment of the legal frameworks in destination countries. For Australian users: We take reasonable steps under APP 8 to ensure overseas recipients handle your information consistently with the Australian Privacy Principles.

10. Children

Children

Yarashi is not directed to persons under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact privacy@yarashi.com.au and we will delete it promptly.

11. Changes to This Policy

Updates

We may update this Privacy Policy to reflect changes in our practices, technology or applicable law. We will notify you of material changes by email and by displaying a notice on the platform at least 14 days before the change takes effect. Continued use of Yarashi after that date constitutes acceptance of the updated policy. The version history of this policy is available upon request.

12. Contact and Complaints

Contact

Privacy Officer The Agile Foundry (trading as Yarashi) Email: privacy@yarashi.com.au Website: yarashi.com.au If you are not satisfied with our response to a privacy complaint, you may contact: Australia — Office of the Australian Information Commissioner (OAIC) oaic.gov.au · 1300 363 992 · GPO Box 5218, Sydney NSW 2001 European Union — Your national Data Protection Authority edpb.europa.eu/about-edpb/board/members_en United Kingdom — Information Commissioner's Office (ICO) ico.org.uk · 0303 123 1113

This Privacy Policy complies with the Privacy Act 1988 (Cth), Australian Privacy Principles, Privacy and Other Legislation Amendment Act 2024 (Cth), GDPR (EU 2016/679), UK GDPR, and Australian Consumer Law. It does not constitute legal advice. Obtain independent legal advice as your platform and user base grows. Last reviewed by Yarashi: 1 June 2026.