Privacy Policy
Last updated: 1 July 2026
1. About this policy
Refchecks is operated by RP & SE Technology Pty Ltd trading as RefChecks (ABN 62 663 458 106) ("Refchecks", "we", "our" or "us"). We operate a pre-employment background-verification platform used by Australian employers and recruiters to verify the identity, history, credentials and suitability of the people they engage. Because that work involves handling sensitive personal information, we treat privacy as a core obligation, not a formality.
This policy explains what personal information we collect, how and why we use and disclose it, how we keep it secure, and the choices and rights available to you. We handle personal information in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs), the Privacy (Credit Reporting) Code 2014 where credit information is involved, and the EU General Data Protection Regulation (GDPR) where it applies (see our GDPR Compliance page).
2. Who this policy applies to
- Candidates — individuals whose background is being verified through the platform.
- Referees — people asked to provide a reference about a candidate.
- Client users — employees of the organisations that use Refchecks to request and manage checks.
- Website visitors.
For most checks, Refchecks acts as a service provider to the requesting organisation (the employer), which is the entity deciding to obtain the check. Both we and that organisation have privacy obligations to the candidate.
3. Personal information we collect
3.1 Identity and contact information
Name (including previous names), date of birth, contact details, residential address and address history, and account credentials for client users.
3.2 Verification information (varies by the checks requested)
- Identity documents and biometrics — government-issued identity documents, and, where an identity verification is performed, a verification selfie and facial-match result (biometric information).
- Right-to-work / visa — passport and visa details used to confirm work entitlements.
- Employment and education history — roles, dates, employers, qualifications and the responses of referees and verifiers.
- Health information — results of medical, drug and alcohol, and in-house health assessments (e.g. psychological wellbeing, functional and fitness screening) where a role requires them.
- Clearances and screening — Working With Children Check / NDIS clearance status, industry certifications, sanctions and politically-exposed-person screening, adverse-media and social-media screening (publicly available content only), driving record, and directorship information.
- Financial information — where a credit-related check is requested, this is governed by Part IIIA of the Privacy Act and we retain only outcome indicators, not scores or amounts.
3.3 Information collected automatically
Usage data (pages and features used), device and log information (IP address, browser, device type), and cookies used for authentication and preferences.
4. Sensitive information and consent
Much of the above is sensitive information under the Privacy Act — including health, biometric and criminal-history-related information. We collect it only:
- with the individual's express, informed, purpose-specific consent, obtained through our candidate portal before a check begins;
- for the specific check(s) the candidate has consented to — a new purpose requires fresh consent; and
- where reasonably necessary for the requesting organisation's lawful purpose.
Consent is recorded with a timestamp and IP address. A candidate may decline any individual check or withdraw consent (which may mean the requesting organisation cannot complete its assessment).
5. How we collect information
We collect information directly from you (candidate, referee or client user), and — with the candidate's consent — from the relevant official and third-party verification sources needed to complete each requested check. Where practical we collect sensitive information directly from the candidate.
6. How we use information
We use personal information to:
- perform the verification checks requested and produce the resulting report;
- verify identity and detect and prevent fraud (including cross-organisation checks using one-way hashes — no personal data is shared between organisations);
- operate, secure, support and improve the platform;
- communicate with you about a check or your account; and
- comply with our legal obligations.
We do not sell personal information, and we do not use it for unrelated direct marketing without consent.
7. Who we disclose information to
- The requesting organisation — the completed report is made available to the employer that requested it, for its stated engagement purpose.
- Verification sources — with consent, the relevant details are provided to the official or third-party source needed to complete each requested check.
- Service providers (sub-processors) — see section 8.
- Where required or authorised by law, or to protect our or others' rights and safety.
8. Service providers and overseas disclosure
Primary data is stored in Australian data centres (Sydney). We use trusted sub-processors under data-processing agreements, including:
- Infrastructure: Supabase (database, storage, authentication — Sydney) and Vercel (application hosting), together with Australian-based compute for verification processing.
- Identity verification: Veriff.
- AI processing: Anthropic (Claude), used for document and result analysis and screening, via its API under terms that do not permit training on, or retention of, the data we submit.
- Communications: Resend (email), Twilio (SMS).
- Payments: Stripe (PCI DSS Level 1; we never store card numbers).
- Operations: Sentry (error monitoring).
Some providers may process data outside Australia. Where personal information is disclosed overseas we take reasonable steps to ensure the recipient handles it consistently with the APPs (APP 8), including through contractual safeguards. A current sub-processor list is available on request.
9. Data retention
We keep personal information only as long as necessary for the purpose collected or as required by law:
- Identity documents: up to 7 years, aligned to Australian AML/CTF record-keeping expectations.
- Verification selfies / biometric match evidence: up to 2 years.
- Completed reports and verification records: retained for the requesting organisation's compliance needs, then de-identified or deleted.
- Sensitive raw content is minimised: for screening checks we retain the determination and the necessary evidence, not the full underlying raw text; credit-related checks retain outcome indicators only.
- Fraud-prevention hashes: retained in one-way hashed form that cannot be reversed to identify an individual.
You may request earlier deletion where no active legal or compliance obligation requires retention — email privacy@refchecks.co.
10. How we protect information
We apply layered technical and organisational controls — encryption in transit (TLS 1.3) and at rest (AES-256), database row-level security scoping every query to the authorised organisation, role-based access, single-use tokens for candidate/referee portals, input validation, and screening-input safeguards. Full detail is on our Data Security page.
11. Your rights and choices
Under the Privacy Act (and the GDPR where it applies) you may:
- Access the personal information we hold about you (APP 12);
- Correct information that is inaccurate or out of date (APP 13);
- Request deletion or restriction, subject to legal retention obligations;
- Withdraw consent to a check; and
- Complain if you believe we have mishandled your information.
To exercise a right, contact privacy@refchecks.co. We will respond within a reasonable time (generally 30 days). If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
12. Data breaches
We maintain a data-breach response plan and will assess and respond to any eligible data breach in accordance with the Notifiable Data Breaches scheme under the Privacy Act, notifying the OAIC and affected individuals where required.
13. Cookies
We use strictly necessary cookies for authentication and session management, and functional cookies to remember preferences. You can control cookies through your browser settings, though some features may not work without them.
14. Children
The platform is intended for use in relation to individuals aged 16 and over. We do not knowingly collect information from children under 16 except where a check is lawfully required and appropriate consent (including parental/guardian consent) has been obtained.
15. Changes to this policy
We may update this policy from time to time. Material changes will be posted here with an updated "Last updated" date and, where appropriate, notified to affected users.
16. Contact us
- Privacy enquiries and requests: privacy@refchecks.co
- Data Protection Officer: dpo@refchecks.co
- Security matters: security@refchecks.co