Privacy Policy

1. Who We Are

CareerTrack.io is operated by Obsidian Ventures Limited, a company incorporated in New Zealand (the “Company”, “we”, “us”, or “our”). We are subject to the Privacy Act 2020 (New Zealand) and committed to handling your personal information in accordance with its thirteen Information Privacy Principles (IPPs).

This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and your rights in relation to it. By using CareerTrack.io (the “Service”), you acknowledge that you have read and understood this policy.

2. Information We Collect

We collect personal information in the following categories:

• Account information: your name, email address, and password (stored as a secure hash) when you create an account.
• Profile information: any optional details you add to your profile such as location, job title, or professional summary.
• Job application data: information you enter about employers, roles, interview dates, status updates, notes, and contacts — this data belongs to you.
• Payment information: billing name, address, and card details processed securely by our payment provider Stripe. We do not store full card numbers.
• Usage data: pages visited, features used, session duration, and similar analytics collected via Google Analytics and our server logs.
• Communications: any messages or emails you send us for support purposes.

We collect information directly from you when you register, use the Service, or contact us, and automatically through cookies and similar technologies described in section 6.

3. How We Use Your Information

We use personal information only for purposes that are directly related to the reason it was collected, or for a purpose you would reasonably expect. Specifically, we use it to:

• Create and manage your account and authenticate your identity.
• Provide, maintain, and improve the features of the Service.
• Process subscription payments and send receipts or billing notices.
• Send transactional emails such as password resets and reminders you have configured.
• Respond to your support enquiries.
• Detect, prevent, and address security incidents or fraudulent activity.
• Compile aggregated, anonymised analytics to understand how the Service is used.
• Send you product updates or promotional communications — but only where you have opted in or where permitted by law. You may opt out at any time via the unsubscribe link in any such email or through your account settings.
• Comply with our legal obligations under New Zealand law.

We will not use your personal information for any secondary purpose without first obtaining your consent, unless an exception under the Privacy Act 2020 applies.

4. Disclosure to Third Parties

We may share your personal information with the following categories of third parties:

• Supabase: our database and authentication infrastructure provider. Data is stored on servers in a region you can review in our account settings.
• Stripe: our payment processor. Stripe’s own privacy policy governs the information they collect in processing your payment.
• Google Analytics: we use Google Analytics to collect aggregated usage data. You can opt out via the Google Analytics opt-out browser add-on.
• Email service providers: we use transactional email infrastructure to deliver account-related emails.
• Law enforcement or regulators: where we are legally required to do so, or where necessary to protect our rights or the safety of others.

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.

Some of our service providers are located outside New Zealand. Where personal information is transferred overseas, we take reasonable steps to ensure it receives comparable protection to that required under the Privacy Act 2020 (IPP 12).

5. Storage, Security, and Accuracy

We take reasonable steps to protect personal information from loss, unauthorised access, use, modification, or disclosure, in accordance with IPP 5. These measures include encrypted connections (TLS), hashed passwords, role-based access controls, and regular security reviews.

No method of transmission over the internet or electronic storage is completely secure. While we endeavour to protect your information, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.

Before using or disclosing personal information, we take reasonable steps to ensure it is accurate, up to date, complete, and not misleading, having regard to the purpose for which it is being used or disclosed (IPP 8). If you believe any information we hold about you is inaccurate, please contact us to have it corrected.

We retain your personal information for as long as your account is active and for a reasonable period thereafter (generally no longer than 7 years from account closure), or as required by law (IPP 9). When data is no longer needed, we delete or anonymise it securely.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service, remember your preferences, and collect analytics. Cookies used include:

• Essential cookies: required for authentication sessions and core Service functionality. These cannot be disabled without impacting usability.
• Analytics cookies: placed by Google Analytics to collect anonymised usage information. You can opt out via your browser settings or the Google Analytics opt-out extension.

You can configure your browser to refuse cookies, but doing so may affect how the Service functions.

7. Your Rights

Under the Privacy Act 2020, you have the right to:

• Access the personal information we hold about you (IPP 6).
• Correct any personal information that is inaccurate, out of date, incomplete, or misleading (IPP 7).
• Request deletion of your account and associated personal information, subject to any legal retention obligations.
• Object to or restrict certain uses of your information, including for direct marketing.

To exercise any of these rights, contact us at privacy@careertrack.io. We will respond within 20 working days as required by the Privacy Act 2020.

If you are not satisfied with our response, you may make a complaint to the Office of the Privacy Commissioner at www.privacy.org.nz.

8. Notifiable Privacy Breaches

Under Part 6 of the Privacy Act 2020, if Obsidian Ventures Limited becomes aware of a privacy breach that is reasonably likely to cause serious harm to any affected individual, we are required by law to:

• Notify the Privacy Commissioner as soon as practicable after becoming aware of the breach (section 114).
• Notify each affected individual whose information was involved in the breach, as soon as practicable (section 115), unless the Privacy Commissioner directs otherwise or an exception applies.

A “privacy breach” includes any unauthorised or accidental access to, disclosure, alteration, loss, or destruction of personal information, or any action that prevents us from accessing that information on either a temporary or permanent basis.

We maintain an internal privacy breach register and follow a documented incident response process to identify, contain, assess, and notify breaches in accordance with the Act. If you suspect a privacy breach involving your personal information, please contact us immediately at privacy@careertrack.io.

9. Children

The Service is not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. If the changes are material, we will notify you by email or by displaying a prominent notice within the Service. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Contact Us

For any privacy-related questions, access requests, or complaints, please contact our Privacy Officer: