GDPR Compliance
Refchecks is committed to protecting personal data in accordance with the General Data Protection Regulation (EU) 2016/679 and the Australian Privacy Act 1988.
Last updated: March 2026
Our Commitment
Refchecks processes personal data of candidates, referees, and employers across multiple jurisdictions. We recognise that many of our clients operate internationally and that candidate data may originate from or relate to individuals in the European Economic Area (EEA). We are committed to meeting the requirements of the GDPR alongside Australian privacy law.
Lawful Basis for Processing
We process personal data under the following lawful bases:
- Consent (Article 6(1)(a)): Candidates provide explicit consent before any background check is initiated. Consent is specific, informed, and freely given through our candidate portal.
- Legitimate Interest (Article 6(1)(f)): Employers have a legitimate interest in verifying the suitability of candidates for employment. We balance this against the rights of candidates through proportionality assessments.
- Contractual Necessity (Article 6(1)(b)): Processing is necessary for the performance of our service agreement with employer clients.
Data Subject Rights
Under the GDPR, individuals have the following rights, which Refchecks fully supports:
- Right of Access (Article 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Article 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Article 17): Request deletion of your personal data where there is no compelling reason for continued processing.
- Right to Restriction (Article 18): Request restriction of processing in certain circumstances.
- Right to Data Portability (Article 20): Receive your data in a structured, commonly used format.
- Right to Object (Article 21): Object to processing based on legitimate interests.
To exercise any of these rights, contact our Data Protection team at privacy@refchecks.com.au.
Data Transfers
Refchecks stores all primary data in Australian data centres (Sydney region). Where data is transferred outside Australia or the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) with all sub-processors
- Data Processing Agreements (DPAs) with all third-party providers
- Encryption in transit (TLS 1.3) and at rest (AES-256)
Data Retention
We retain verification data for the minimum period necessary to fulfil our contractual obligations and comply with legal requirements:
- Active verification data: Retained for the duration of the employer's subscription plus 90 days.
- Completed reports: Retained for 2 years unless the employer or candidate requests earlier deletion.
- Candidate career profiles: Retained until the candidate requests deletion.
- Raw criminal check text: Never stored — only the determination (clear/consider/adverse) is retained.
Sub-Processors
We use the following categories of sub-processors:
- Infrastructure: Vercel (hosting), Supabase (database and authentication)
- Communications: Resend (email), Twilio (SMS)
- Verification providers: Veriff (identity), Certn (police checks), vSure (right-to-work)
- AI processing: Anthropic (document analysis, screening — no data retained)
- Payments: Stripe (billing — PCI DSS Level 1 compliant)
A complete list of sub-processors with their processing purposes and locations is available on request.
Data Protection Officer
For GDPR-related queries, data subject requests, or to report a concern, contact:
Data Protection Team
Email: privacy@refchecks.com.au
Response time: Within 30 days of receipt
Breach Notification
In the event of a personal data breach, Refchecks will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33). Affected data subjects will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).