Privacy Policy

Effective from May 2026. thecolab.ai is operated for the Aotearoa New Zealand market. We handle personal information under the Privacy Act 2020.

What we collect

For candidates: name, contact details, CV text and its structured extraction, working-style and AI-proficiency self-assessment, optional referee details you provide, optional Claude Code assessment transcripts and graded scores, and search embeddings derived from your profile.

For employers: company name, contact details, role briefs (including your free-text responses to the calibration questions), calibration weights, and notes attached to pipeline movements.

Both audiences also generate operational records: session cookies, rate-limit counters, password reset and email verification tokens (hashed), and our bias audit log of which proxy fields we stripped before showing your data to the other side.

How we use it

Candidate data is used to match you to roles, to render your profile to employers (with protected-characteristic proxies stripped), and to compute the explainable match score components described in our terms. Employer data is used to operate the role you posted and to contact you about platform changes you have opted into.

We do not sell personal information. We do not use your data for advertising. Aggregated and anonymised statistics may be used to improve match quality and reported publicly.

Your right to delete

Under principle 6 of the Privacy Act 2020 you can ask us to delete the personal information we hold about you. We support this with a self-service control: sign in, then use the “Delete account” section at the bottom of your dashboard.

What deletion removes

  • Your account row and authentication credentials.
  • Candidates: profile chunks (CV extraction, AI proficiency, working-style answers, overrides, terms-acceptance record), every pipeline entry for you across every role, every reference you nominated, every notification addressed to you, every assessment row and its R2 transcript / workdir / git artefacts, every bias-audit row tied to you, and the candidate search embedding from Cloudflare Vectorize.
  • Employers: every role you posted (which cascades to its pipeline entries, references, candidate notifications, and employer notifications), every notification addressed to you, and the role search embeddings from Cloudflare Vectorize.
  • Every active session, password reset token, and email verification token tied to your user id, across all devices.

The action is irreversible. Once submitted, the cascade runs against the live database and your record cannot be restored from backups on request — production backups roll over within 30 days, after which no copy remains.

A small number of records are retained for legal and audit obligations:

If you would prefer we delete your data on your behalf or want a one-off data export before deleting, email privacy@thecolab.ai.

Access and correction

You can view and edit your profile data from your dashboard at any time. To request a copy of the data we hold about you in a portable format, email privacy@thecolab.ai.

Storage and security

Structured personal data lives in Cloudflare D1 (SQLite) inside the Auckland / Sydney region. Search embeddings live in Cloudflare Vectorize. Assessment transcripts and workdir snapshots live in Cloudflare R2 and are deleted after 90 days, sooner if you delete your account. Passwords are stored as scrypt hashes only. Session and reset tokens are stored as SHA-256 hashes only.

Contact

Privacy queries: privacy@thecolab.ai. You can also complain to the Office of the Privacy Commissioner if you are not satisfied with how we have handled your request.