Privacy Policy

1. Who we are

Klaw Brands Pty Ltd (ACN 611 042 267) trading as Paragon Talent Suite ("we", "us", "our") operates the Paragon Talent Suite applicant tracking system ("Platform") at paragonts.com and klawtalent.com.au.

We are committed to protecting the privacy of all individuals whose personal information we handle. This Privacy Policy explains how we collect, use, store, disclose and manage personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Our Privacy Officer can be contacted at info@paragonts.com.

2. The personal information we collect

2.1 Agency administrators & recruiters

When a recruitment agency subscribes to and uses the Platform, we collect:

• Name, email address, phone number and job title of team members
• Business name, ABN, billing address and payment information (processed by Stripe — we do not store full card details)
• Login credentials, session data and activity logs
• Platform usage data, feature interactions and preferences

2.2 Candidates

When a Candidate applies for a job, registers via a contact form, or accesses the Candidate Portal, we collect personal information on behalf of the relevant Agency, including:

• Name, email address, phone number, residential suburb and LinkedIn URL
• Work rights and visa status
• Employment history, skills, education, qualifications and certifications
• CV or resume files (PDF or Word format)
• Expected salary or rates, availability and notice period
• Screening notes, call recording transcriptions and AI-generated summaries
• Referee details (name, email, company, relationship)
• Reference submission responses provided by the Candidate's referees
• Offer letter details and digital signature records
• Candidate Portal profile information and application status interactions

Important: The Agency (not Paragon Talent Suite) is the data controller for Candidate Data. We process Candidate Data as a data processor on behalf of Agencies. Candidates should direct any privacy-related requests to the Agency that collected their information.

2.3 Referees

When a referee submits a reference via the Platform, we collect:

• Name, email address, phone number, job title and employer
• Relationship to and employment history details relating to the Candidate
• Responses to reference questionnaire questions

2.4 Website visitors

When you visit our websites (paragonts.com, klawtalent.com.au), we may collect:

• IP address, browser type, device type and operating system
• Pages visited, time on site and referral source
• Cookies and similar tracking technologies (see Section 9)

3. How we collect personal information

• Directly from you when you register, complete forms, submit applications or contact us
• From Agencies when they upload or enter Candidate Data into the Platform
• From Candidates when they access the Candidate Portal and update their profile
• From referees when they submit a reference via a unique token link
• Automatically through your use of the Platform (session data, usage analytics, logs)
• Via Google Analytics (GA4 ID: G-Q1VFTMVSRH) for website analytics

4. Why we collect & use personal information

• Providing the Platform — necessary to perform our contract with the Agency; legitimate interest in operating the Platform
• Processing job applications — Candidate consents when submitting application; Agency's legitimate interest in recruitment
• Sending transactional emails — necessary to perform our contract (confirmations, status updates, portal invites, reference requests)
• AI-powered features (JD generation, CV extraction, call transcription) — legitimate interest; Candidate data processed on Agency's instruction as data processor
• Reference checking — legitimate interest; referee provides information voluntarily on request
• Offer letter signing — contract performance; Candidate consent when signing
• Billing and payment processing — contract performance; legal obligation (tax records)
• Platform analytics and improvement — legitimate interest; anonymised or aggregated where possible
• Security, fraud prevention and compliance — legal obligation; legitimate interest in protecting the Platform and users
• Marketing to prospective customers — consent (where required) or legitimate interest in business development

5. How we store & protect personal information

5.1 Data residency — Australian sovereign infrastructure

We are committed to keeping all personal information within Australia:

• Database: Supabase PostgreSQL — ap-southeast-2 (Sydney) region
• Platform hosting: Vercel — syd1 (Sydney) region
• AI inference: SCX.ai — SambaNova SN40L hardware at Equinix SY5 data centre, Sydney. No personal data is transmitted offshore for AI processing.
• Email delivery: Email transit uses Resend, a US-based provider. Email content is transmitted to deliver to recipients but is not stored offshore beyond transit requirements.
• File storage: Supabase Storage — Sydney region. CV files and client logos stored in Sydney.

5.2 Security measures

• Row-level security (RLS) enforced at the database level — each Agency can only access its own data
• Encrypted data transmission using TLS/HTTPS across all connections
• AES-256-GCM encryption of sensitive API keys and credentials at rest
• Secure, time-limited signed URLs for CV and file access (1-hour expiry)
• Rate limiting on all public API endpoints
• Access control — admin, recruiter and viewer role separation
• Automated dependency security scanning (Dependabot)
• Idle session timeout of 8 hours

Despite these measures, no system is completely secure. We cannot guarantee the absolute security of personal information transmitted over the internet.

6. Disclosure of personal information

6.1 Service providers (sub-processors)

We share personal information with third-party service providers only to the extent necessary to operate the Platform:

• Supabase — Database, auth, file storage — Sydney, AU
• Vercel — Platform hosting — Sydney, AU (syd1)
• Resend — Transactional email — US-based
• SCX.ai — AI inference — Sydney, AU
• Stripe — Payment processing — US-based
• Google Analytics — Website analytics — US-based

6.2 Overseas transfers

Some of our service providers (Resend, Stripe, Google Analytics) are based outside Australia. We take reasonable steps to ensure overseas recipients handle personal information consistently with the Australian Privacy Principles.

6.3 Other disclosures

We may also disclose personal information: (a) where required by law, court order or regulatory authority; (b) to protect the rights, property or safety of Paragon Talent Suite, its users or the public; or (c) in connection with a merger, acquisition or sale of assets, subject to the acquirer maintaining equivalent privacy protections.

We do not sell personal information.

7. Your privacy rights (Australian Privacy Principles)

7.1 Access

You have the right to request access to the personal information we hold about you. To make a request, contact our Privacy Officer at info@paragonts.com. We will respond within 30 days. We may charge a reasonable fee for providing access.

7.2 Correction

If you believe personal information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, you may request that we correct it. We will respond within 30 days.

7.3 Candidate-specific rights

Candidates may update their personal information via the Candidate Portal at any time. Candidates wishing to withdraw from a recruitment process may do so via the Portal or by contacting the relevant Agency directly. Requests to delete Candidate Data should be directed to the Agency as the data controller.

7.4 Complaints

If you believe we have mishandled your personal information, you may lodge a complaint with our Privacy Officer at info@paragonts.com. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

8. Data retention

• Agency account & team data: Duration of subscription + 30 days post-cancellation
• Candidate applications & profiles: Duration of Agency subscription
• CV files (stored documents): Duration of Agency subscription
• Call recordings & transcriptions: Duration of Agency subscription
• Reference submissions: Duration of Agency subscription
• Offer letter records: Duration of Agency subscription + 7 years
• Billing records: 7 years from transaction
• System logs & security data: 90 days
• Website analytics (Google Analytics): 26 months (GA4 default)

9. Cookies & tracking

Our websites and Platform use cookies and similar technologies. Types of cookies we use:

• Strictly necessary: session authentication, CSRF protection — cannot be disabled
• Functional: user preferences, language settings
• Analytics: Google Analytics GA4 — tracks usage to help us improve the Platform. IP addresses are anonymised.

You can control cookies through your browser settings. Disabling strictly necessary cookies will affect Platform functionality. For more information on Google Analytics data collection and opt-out options, visit tools.google.com/dlpage/gaoptout.

10. Children's privacy

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you become aware that a minor has provided us with personal information without parental consent, please contact our Privacy Officer.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify users of material changes by email and by posting the updated policy at paragonts.com/privacy with an updated "Last Updated" date. Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.

12. Contact us

For any privacy-related questions, requests or complaints:

• Privacy Officer: Raf Mubarak
• Email: info@paragonts.com
• Response time: within 30 days of receipt