Effective date: 12 June 2026 · Last updated: 12 June 2026
anzscofinder (the "Service") is an API platform at platform.anzscofinder.com, operated by Tonalium Pty Ltd (ABN 63 698 487 473) of 24 Kooringa Avenue, Cleveland QLD 4163, Australia ("Tonalium", "we", "us", "our").
This Privacy Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"). By using the Service you acknowledge this Policy. Questions or requests: hello@anzscofinder.com.
See also our Terms of Service, Acceptable Use Policy, Data Processing Addendum and Collection Notice.
Important — who the data is about. The Service classifies and extracts information from CVs and résumés submitted by our customers through the API. Those documents usually contain the personal information of a third party (a job candidate), not of our customer. Our customer is responsible for having a lawful basis and any consent required to submit that information to us (see Your responsibilities below, the Terms of Service and the Data Processing Addendum).
(a) Account information (about our customer / the account holder): name, business name, email address, and billing details. Card details are handled by our payment processor (Stripe); we do not store full card numbers.
(b) Submitted content (about candidates / data subjects): the CV/résumé text, files or structured profile a customer sends to the API, and the structured data and ANZSCO classification we derive from it. This may include a person's name, contact details, work history, education, qualifications and skills, and may contain sensitive information (as defined in the Privacy Act). Our customer warrants it has any heightened consent required under APP 3.3 for sensitive information.
(c) Technical/usage information: API request metadata, credit-usage records, and security logs (e.g. timestamps and the IP address of the calling system, which is personal information). We do not use tracking cookies on the API; this Policy page may use only strictly necessary cookies.
Where we collect personal information indirectly (e.g. candidate information within a submitted CV), this Policy and our Collection Notice serve as our APP 5 notification to the extent reasonable; primary responsibility for notifying the individual rests with the submitting customer.
We use personal information only to provide the Service: to authenticate accounts, run the requested CV extraction and ANZSCO classification, meter credit usage, bill customers, maintain security, and comply with law. We do not sell personal information.
We do not use submitted content to build or train our datasets or AI models, and we engage our AI sub-processor under terms intended to prohibit it from using submitted content to train its models and to minimise its retention. Within the retention window we may access submitted content only to operate, monitor, troubleshoot and improve the reliability of the Service — for example, to verify a classification and fix a defect — never to train models.
The Service produces an occupational classification (ANZSCO codes) and extracted facts. It is not immigration, migration or visa advice and must not be relied on or represented as such (see our Terms of Service).
To perform extraction and classification, the submitted CV text is processed by a large language model operated by OpenAI, L.L.C. in the United States. This is an overseas disclosure of personal information under APP 8.
Data stored by the Service (the original file and the data derived from it) is held in
Australia (Amazon S3, Sydney ap-southeast-2). We do not claim that all processing occurs
in Australia — the LLM inference step described above occurs in the United States. Our deletion
timeframes (section 5) apply to data held in our systems; sub-processors delete or de-identify in
accordance with their own terms, which we require to be consistent with this Policy.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (S3, compute) | File/object storage | Australia (Sydney) |
| Vultr | Application hosting | Australia (Sydney) |
| OpenAI, L.L.C. | LLM extraction & classification | United States |
| Stripe (Stripe Payments Australia Pty Ltd) | Payments & billing | Australia / global |
| Cloudflare | DNS / network | Global |
We are likely to disclose personal information to recipients in the United States (see section 3).
We take reasonable steps to protect personal information, including encryption in transit (TLS) and at rest, access controls, and blocking public access to our storage.
We delete all submitted content (CVs) and the data derived from it within 30 days. This is enforced automatically (storage lifecycle expiry plus result expiry within 30 days). Security and usage logs are retained for no more than 30 days and are scrubbed of personal information. A customer may request earlier deletion of a specific submission.
Transaction and billing records are kept and are not deleted on this 30-day cycle. Those records (account, credit-usage and payment history) are needed to operate the account and to meet our legal, tax and accounting obligations; they record that a transaction occurred but do not contain the CV content or the candidate's personal information, which is deleted as above.
You may request access to, or correction of, personal information we hold about you by emailing hello@anzscofinder.com. We may need to verify your identity, and will respond within a reasonable time (and within any period the Privacy Act requires). Because submitted candidate content is deleted within 30 days and is handled on our customer's behalf, requests about a candidate's information should usually be directed to the customer who submitted it; we will assist that customer in our role of handling that information on their behalf.
Complaints. If you have a privacy complaint, contact us at hello@anzscofinder.com. We will acknowledge it within 5 business days and aim to resolve it within 30 days. If you are not satisfied, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
If we suspect a data breach that may involve a risk of serious harm, we will assess it promptly (and within the timeframe required by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act), take steps to contain it, and notify affected individuals and the OAIC where the scheme requires. Because submitted content concerns our customers' candidates, we will also notify the relevant customer without undue delay so they can meet their own notification obligations (see our Data Processing Addendum).
We may update this Policy. Material changes will be posted on this page with a revised effective and "last updated" date.
Tonalium Pty Ltd (anzscofinder) — Privacy — hello@anzscofinder.com