Candidate Privacy Policy

Privacy is our priority

Updated: September 15, 2022.

We are committed to protecting your security and privacy, and we take our obligations to protect your information extremely seriously. This Privacy Policy explains what personal data we collect about you, how and why we use it, who we disclose it to, and how we protect your privacy.

About us

We are Sapia&Co Pty Ltd (trading as Sapia.ai) – a software provider offering recruitment intelligence software solutions. Our organization is registered in Australia with ACN 164 492 586 and registered office at 216 Lower Heidelberg Road, Ivanhoe East VIC 3079. 

Without limitation, our group of companies (“Subsidiaries”) include Sapia&Co Pty Ltd (a company registered in England & Wales with registration number FC032929 and registered office at 1st Floor, 107 Lees Road, Oldham OL4 1JW), and Sapia.ai, Inc. (a Delaware corporation with an office at 308 Gage Rd. Riverside IL 60546).

This Privacy Policy applies to the collection, use, and management of your personal data (as defined below) by or on behalf of Sapia.ai. It also applies to our Subsidiaries and affiliates, whether located in Australia or abroad (collectively referred to as (“Sapia.ai/ we / us/ our”).  

Our Platform (“Platform”) uses artificial intelligence (“AI”) to identify patterns from the free-text answers provided by job Candidates during a chat-based interview, including via our website at https://sapia.ai/ (“website”). Rather than just matching keywords, our technology interprets, understands, and makes sense of answers. Our Platform also collects and processes video responses, which are not subject to AI.

We are committed to complying with various privacy laws. Without limitation, some of the data protection legislation (“Privacy Laws”) we may need to comply with include the following:

  • Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles;
  • EU General Data Protection Regulation (2016/679);
  • UK GDPR and the UK Data Protection Act 2018;
  • California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020;
  • Virginia Consumer Data Protection Act;
  • Colorado Privacy Act;
  • Illinois Personal Information Protection Act.

By providing us with personal data or using our products and services, you agree that we can collect, use, and disclose your personal data following this Privacy Policy. If you disagree with the terms of this Privacy Policy, do not submit any personal data to us or use our products and services.

About you

How this policy applies to you will depend on the capacity you use and access our website, Platform, and other goods and services (“goods and services”):

  • You are a General User if you are our employee, supplier, or business partner. You may also be a person visiting our website or someone contacting us about our products or services.
  • You are a Client if you are an existing, potential, or past Client of ours. For example, you may have directly or via your representatives used, enquired about using, or participated in a demonstration of our Platform. As our Clients are typically businesses and organizations, any personal data we collect is generally about our Client’s representatives.
  • You are a Candidate if you are applying for a job with one of our Clients via our Platform. We process Candidate personal data by automated means to predict behavior and make recommendations about whether our Client should hire a Candidate. Candidates may also be invited to complete video-based interviews. We do not analyze video recordings using artificial intelligence.

Candidates may have the right not to be subject to automated decision-making (i.e., without human involvement). If you would like to exercise this right, please contact us. If you object, we will refer this to the organization where you applied for a job, as they are responsible for dealing with objections. 

What personal data do we collect?

Under Privacy Laws, but without limiting their definitions, personal data can be broadly summarized as any information related to an identified or identifiable natural person. In Australia, that also includes any opinion about an identified individual or an individual who is reasonably identifiable (“personal data”). 

Personal data we collect, and use, includes: 

  • your name (including any handles or alias you use); 
  • your contact details, including phone number(s), email address, and mailing address (these details may belong to the business you represent);
  • your professional information (such as your job title and who you work for);
  • the information which you provide to us directly or indirectly by any means at any time;
  • other personal data we expressly refer to in this Privacy Policy.

If you are a Candidate or a current or potential employee of Sapia.ai, the personal data we collect may also include:

  • interview responses, opinions, answers to questions, and any specific information requested about you by a Client (or us) for them (or us) to assess your suitability for a job. This may include video responses; and
  • “sensitive information” (AU) or “special category personal data” (EU/UK), which may include:
    • information about your age, health status, background, racial or ethnic origin, or other genetic information. Sensitive questions asked via our Platform are always optional. Your answers do not impact your job application;
    • your tax file number, superannuation information, qualifications, accreditations, test results (inc. psychometric and coding);
    • any other information necessary to conduct background checks (e.g., right-to-work documentation and references).

When you contact us, access, or use our products and services, we may collect technical information that may or may not be seen as personal data, depending on applicable Privacy Laws. This may include your IP address, location, and browser information. In addition, we may record how you use and interact with our website and Platform (e.g., where you click, scroll your mouse, and move in between pages). We will only collect information on how you use our website with your consent. Our cookie policy sets out more detail on the information we collect and how we do this.

If you are a Candidate based in the EU or UK, we collect your data on behalf of our Clients. We therefore act as a data processor on their behalf. Our Client will remain the data controller of your personal data – they are responsible for how it is collected and used. Please contact them directly to see their privacy policy. That said, we act as a data controller of personal data if you contact us directly for support or visit our website. 

In respect of our Clients in the EU or UK, we act as a data controller to manage our relationship with you and provide our goods and services.

How we collect personal data 

Generally, we collect personal data directly from you. However, we may also collect information about you from other sources, as described below. 

We collect personal data from you directly:

  • when you access or use our goods and services (including when you access or use our website or Platform);  
  • when you or we create an account; 
  • when you contact us by any means for any reason (including by phone, email, social media, instant messaging, or via our website); 
  • when we respond to any contact you make; and
  • if you subscribe to news updates, or we contact you (with your consent) for marketing purposes. 

If you are a Candidate, we also collect your personal data from external sources, including:

  • our Clients – we obtain personal data from the Client with whom you seek employment; and
  • recruitment agencies and your referees (if you are a current or prospective employee of ours, we might also collect your personal data from these sources). The personal data we collect from recruitment agencies and referees includes information about your work history, experience, and qualifications. 

If you are a Client, we may also collect your representative’s personal data directly when: 

  • you book or attend a product demonstration; or 
  • when you attend an event (which is either hosted by a third party or us). 

Other places we may collect your personal data from include:

  • publicly available sources, for example, LinkedIn or ZoomInfo; and
  • with your consent from other sources, such as our affiliated and related companies, third-party suppliers, research partners, suppliers, and contractors who assist us in operating our business. 

Sapia.ai will treat personal data under this Privacy Policy, where personal data is collected from anyone other than yourself. Sapia.ai cannot guarantee the accuracy of personal data provided by a third party. 

Suppose we disclose your personal data to any person under this Privacy Policy or otherwise as directed by you. In that case, your personal data will be dealt with under the privacy policies of those third persons. In the case of Candidates, this includes information you submit via our Platform. Once it is disclosed to the Client you are applying for work with, personal data will be governed by the relevant Client’s privacy policy.  

When using our products and services, you might end up providing us with personal information related to another person. For example, if you are offered employment with us, we may collect your emergency contact’s name and contact details. If you provide information about another person, you must obtain that person’s permission to give us their personal data and inform them of our Privacy Policy.

Why do we collect personal data?

Why we collect personal data depends on the capacity in which you engage with us. However, in general, we collect personal data (which may include special category personal data/sensitive information) because it’s in our legitimate interest to do so:

  • to enable you to access and use our products and services, including so you can complete interviews to make a job application via our Platform; 
  • to respond to your inquiries, complaints, or requests for help or information;
  • to manage our relationship with you, including without limitation:
    • to send you information regarding our Terms of Service, Privacy Policy, Cookie Policy, or other legal agreements; 
    • to administer any account that you hold with us for billing purposes and to send you communications and notices in connection with your account; 
    • to provide product demonstrations;
  • for our legitimate business purposes (“Permitted Purposes”), which include without limitation:
    • to enter or perform a contract with you; 
    • to analyze your interactions and use of our website and Platform to understand and improve the effectiveness of our marketing initiatives and for researching, developing, expanding, and improving our products and services; 
    • to keep and update records and databases to ensure the smooth operation of our business, products, and services;
    • to know who is attending one of our events and to help us promote future events;
    • to meet our own contractual obligations, which include providing Candidate interview and questionnaire responses, answers, opinions, and our analysis to the relevant Client in response to a job application to determine a Candidate’s suitability for a position;
    • for promotional purposes, which may include (with your consent) posting customer testimonials and comments on our website; and
    • for our legitimate internal employment-related purposes, including assisting with our recruitment and retention process.

If you do not provide us with personal data, we may be unable to carry out some or all of the Permitted Purposes (as applicable to you). For example, suppose you are a Candidate or are applying for a job with Sapia.ai and do not provide us with personal data. In that case, it may mean you cannot complete the interview process.  

How do we use or disclose personal data?

By accessing or using our products and services, or by submitting personal data to us, you agree we may use or disclose your personal data for: 

  • the Permitted Purposes; 
  • any purpose related to the Permitted Purpose that could be reasonably anticipated at the time your personal data was collected (Secondary Purpose); 
  • any purpose to which you otherwise agree (including as disclosed to you in an information collection statement at the point where we collect personal data); 
  • any other purpose required or authorized under Privacy Laws.

Secondary Purposes may include: 

  • sending you direct marketing about our products or services, deals, and promotions; conducting customer surveys; monitoring how you interact with us on our website or other contact points; business development and expansion purposes, including mergers, acquisitions, and capital raising; and
  • business development, administrative, management, and operational purposes, including statistical analysis, creating de-identified data, and reporting, training staff, contractors, and other workers, risk management, and management of legal liabilities and claims (for example, responding to legal orders and obligations, liaising with insurers, and obtaining advice from our legal representatives). We may use your special category personal data/sensitive information for these purposes. Where possible, we will anonymize this type of personal data before using it. 

You agree that if we collect special category personal data/sensitive information from you, it is reasonably necessary for us to do so for the relevant Primary and Secondary Purposes set out above. 

How we share personal data

For the above purposes, we may share your personal data with various persons, including:

  • in respect of Candidates – with Clients when you apply for a job with them;
  • in respect of Clients – with event organizers, including co-presenters. You will be given a chance to opt out before we do this; 
  • for Sapia.ai job applicants – amongst our employees who need to know, as well as recruitment agents and other recruitment advisers; 
  • our group companies, business partners, suppliers, and subcontractors (including our sub-processors) who help us provide our goods and services, for example, providers of payment gateways, data processing, data analysis, customer assistance, IT services (including storage, support, and open source software providers); 
  • regulators/authorities/enforcement agencies, where required by law, including by exchanging information with other companies and organizations for the purposes of fraud protection;
  • our legal representatives to enforce, apply or comply with our legal agreements and obligations or otherwise to protect the rights, property, or safety of any person, including our Clients; 
  • prospective buyers of, or investors in, our business. For the EU/UK, it is in our legitimate interest to ensure that the prospective buyer can continue our Company or that an investor has sufficient knowledge to determine whether to invest in our business.

By disclosing your personal data (including sensitive information) to us, you agree we may provide your personal data to third parties as set out above. We will never sell personal data to any third party.

Is my personal data transferred internationally? 

Sapia.ai is a global organization with Clients and employees worldwide (including, without limitation, in Australia, Europe, and the USA). To provide you with our products and services, we need to transfer personal data between our teams and company group members for the purposes set out above. 

Some of our service providers are based outside Australia (including Europe and the USA). For example, we process and store the data we collect using third-party sub-processors, such as HubSpot, Intercom, and Amazon Web Services (AWS). HubSpot keeps your information in the USA, and Intercom stores information in the EU. Data in AWS may be processed or stored anywhere in the world – contact us for details. 

As we transfer personal data between countries, we take steps to ensure it receives the protections required by law. So, for example, where the GDPR applies, if we transfer your personal data outside the UK or EEA, we’ll ensure the transfer complies with applicable data protection law. 

By providing us with personal data, you agree to us using, storing, and disclosing your personal data overseas, as stated above. This Privacy Policy continues to apply even when we transfer information outside your country of residence.

De-identified information 

In some circumstances, we carefully de-identify and anonymize your personal data (including special category personal data/sensitive information). This means it can no longer be associated with you (“de-identified information”). We may use this de-identified information indefinitely without notifying you. For example, we use de-identified information to improve the Platform, create new software products, and for academic research purposes (which may be published). In addition, we may share de-identified information with third parties, including our suppliers, research partners, and service providers, without limitation. Please contact us for more information on how we use data for academic research.

Can you remain anonymous or use a pseudonym?

Unless it is impractical or against Privacy Laws, we will allow you to use a pseudonym or to otherwise not identify yourself. 

However, if you decide not to provide us with some types of personal data, we may not be able to provide you with a product or service. This may impact whether we can begin or continue a relationship with you. If you are a Candidate, it may mean you cannot complete the recruitment process via our Platform.

Keeping personal data confidential and secure

We take all reasonable steps to secure personal data (whether in hard copy or electronic form) and protect it against misuse, loss, unauthorized access, modification, or inappropriate disclosure. Personal data is kept in secure server environments protected by industry best practices. Only authorized personnel can access our systems.

Third-party websites and services

Our website and Platform may contain links to other websites, platforms, or applications (3P Sites). Unless the 3P Site is one of our products, we are not responsible for the privacy practices of the owners of 3P Sites. Please read the privacy policy of any 3P Site that asks you to provide your personal data.

Changes to our privacy policy

We may change this Privacy Policy from time to time. All changes to this policy are effective immediately upon publication on our website. It is your responsibility to regularly review our Privacy Policy. If you disagree with our changes, you must stop using our products and services. 

Managing your personal data

You are responsible for ensuring your personal data is accurate, current, and complete. Please contact us if you believe any personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant, or misleading. If requested by you, we will take reasonable steps to correct your personal data.

You may request access to your personal data under relevant Privacy Laws. We may require you to confirm your identity before we grant access to personal data. Your access rights are subject to limitations set out in relevant Privacy Laws.

We may charge you reasonable costs subject to any limitations in the relevant law. In addition, at our discretion, we may agree to provide a summary of personal data for free.

We may decline your request to access or correct personal data under Privacy Laws. If we refuse, we will tell you why. If your request involves a correction, we will include a statement with your personal data about the correction.

How long will we keep your personal data for?

Where the EU/UK data protection legislation applies, and in the limited circumstances explained above where we are a data controller, we’ll only retain your personal data for as long as we need it. This doesn’t apply if we are required to keep it for longer to comply with our legal, accounting, or regulatory requirements. 

When you’re a Candidate and the EU/UK data protection legislation applies, we’re acting as a data processor, so we’ll retain your personal data for the period set by our Client, the data controller.

Suppose you ask us to delete your personal data. In that case, we’ll either anonymize or delete it unless we’re required to keep it for legal reasons or have compelling legitimate interests to keep it.

Your rights under EU/UK data protection laws

Firstly, data protection law is complicated – the rights set out below won’t always be available to you. 

In addition to your rights set out elsewhere in this policy, if the EU/UK data protection legislation applies, you may have other various rights, including the right to:

  • ask us to restrict our handling of your personal data;
  • ask us to transfer your personal data to a third party;
  • object to how we are using your personal data; and
  • withdraw your consent to us handling your personal data.

If you are a Candidate, remember that to exercise your rights under EU/UK data protection legislation, you need to contact the organization you applied for a job with. However, you can still contact us for assistance. 

Additional information for users in the United States

You are communicating with us electronically by using the Platform, visiting our website, or otherwise sending us emails, messages, and other communications. You acknowledge and agree that Sapia.ai may send you communications regarding the Platform and our services, including electronic communications. 

By providing your cell number, you agree to be contacted by or on behalf of Sapia.ai using the number you provided. This includes calls and text messages to receive information and communications about the Platform and services. Message and data rates may apply. To stop receiving text messages, follow the opt-out instructions in the text message.

Sapia.ai is committed to being compliant with the US federal Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act“) and Telephone Consumer Protection Act (“TCPA“). Emails, newsletters, and text messages from us are intended to fully comply with the CAM-SPAM Act and the TCPA. If you receive an email or text message from us that you believe does not comply with the CAN-SPAM Act or the TCPA, please contact us immediately.

You must be 18 or older to establish an account on and use the Platform. We are concerned about the safety and privacy of children online. Because of this, we will make all efforts to comply with the US federal Children’s Online Privacy Protection Act of 1998 (“COPPA“). COPPA and its accompanying US Federal Trade Commission regulations establish United States federal law protecting children’s privacy when using the Internet. Further, our services are neither intended for nor designed to attract users under 18. However, by fraud or deception by others, we may receive information about minors, including children under 13. If we are notified of this, we will immediately obtain parental consent or otherwise delete the information from our servers as soon as we verify the information. If you want to notify us of our receipt of information regarding minors, including children under 13, please contact us

Contact us

Contact our privacy team, preferably by email at privacy@sapia.ai. Alternatively, you can write to us at PO Box 1405, St Kilda South, Melbourne, 3182 Victoria, Australia.

We will where reasonably possible, take steps to respond to, investigate and resolve complaints within 30 days. However, we will notify you and request an extended period if we require further information and the reason for the delay. If you disagree, we may be unable to resolve your complaint.

Representation for data subjects in the EU

We value your privacy and your rights as a data subject. We have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact.

Prighter allows you to exercise your privacy-related rights (e.g., requests to access or erase personal data). If you want to contact us via our representative, Prighter, or use your data subject rights, please visit https://prighter.com/cc/sapia

Complaints

You may have the right to lodge a complaint to the relevant data protection authority about how we collect and use your personal data.

To file a complaint, you can contact the relevant data protection regulator in your country. Alternatively, you can contact the Office of the Australian Information Commissioner (OAIC) or the UK’s Information Commissioner’s Office. You may need to supply our organization details which can be found here. If you’re not sure who to contact, just ask us for help.