Privacy policy
Who we are
In this policy, "Zhai", "we", "us", and "our" refer to Zhai, a product of WILDFLOWER CAREERS & ANALYTICS PTY LTD (47 694 788 504), a private company incorporated in Victoria, Australia. We operate from Melbourne. Contact: privacy@meetzhai.com.
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we handle the personal information of EU/UK residents, we apply equivalent GDPR-aligned protections.
What we collect, and why
We try hard to ask only for what we actually need at the moment we need it. Concretely:
| Category | Examples | Why |
|---|---|---|
| Identity & contact | Name, email, phone, city, employer or candidate role | To create your account and contact you about briefs or applications |
| Candidate work history | CV (if uploaded), past roles, skills, availability, work rights | To match you to relevant roles and prepare a tailored summary |
| Conversation data | Messages exchanged with Zhai, voice transcripts (if used) | To run the recruiter assistant and improve match quality |
| Employer brief data | Role requirements, comp, location, hiring notes | To source and pre-screen candidates for that brief |
| Usage & device | Pages visited, IP, browser, device type | Security, debugging, product analytics (aggregated) |
| Sensitive information | Visa status, accessibility needs (only if you choose to share) | Only collected with explicit consent and only for matching purposes |
We do not ask for information about race, political opinion, religious belief, sexual orientation, or health unless it is unavoidable for the role (e.g. health checks for some regulated industries) and you've actively chosen to provide it.
How candidate information flows to employers
This is the most important part of how Zhai works, and we want it to be unambiguous:
- We never share a candidate's identity, contact details, or full profile with an employer without that candidate's explicit, per-role consent.
- What an employer sees by default is a de-identified candidate summary — skills, experience level, fit notes, screen highlights, availability — without your name, contact, or photo.
- You decide, role by role, whether to surface your full identity. You can withdraw at any time before an employer makes contact.
How we use AI
Zhai uses large language models and other ML systems to draft summaries, run pre-screen conversations, and surface matches. A few principles:
- Models we use process data in transit for inference; we don't allow our model providers to train on your conversations or CV.
- A human (you, or our team for ambiguous cases) is always in the loop on hiring decisions. Zhai recommends; it does not hire.
- We log model outputs so we can explain decisions and audit for bias. You can request the reasoning behind any recommendation that affected you.
Where your data lives
Personal information is stored on infrastructure located in Australia (Sydney and Melbourne regions) where the cloud provider offers it. Some sub-processors (e.g. model providers, email delivery) may process data in the United States or the European Union. We maintain data-processing agreements with each one and apply the APPs to all cross-border transfers.
How long we keep it
- Active candidate profiles: kept while you have an account.
- Inactive candidate profiles: archived after 18 months of inactivity, deleted after 36 months unless you ask us to keep them longer.
- Employer brief data: retained for the life of the engagement plus seven years for tax and compliance.
- Conversation logs: retained for 24 months, then deleted unless required for a live dispute or audit.
Your rights
You can, at any time:
- Access the personal information we hold about you.
- Correct anything that's wrong.
- Ask us to delete your account and associated data (subject to legal retention).
- Withdraw consent for any active candidate-to-employer share.
- Export a portable copy of your profile and conversation history.
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you think we've mishandled your data.
Email privacy@meetzhai.com for any of the above and we'll respond within 14 days.
Cookies & analytics
We use a small set of first-party cookies for sign-in and product analytics. We do not use advertising cookies. You can clear cookies at any time; some product features will need you to sign in again.
Security
Data is encrypted in transit (TLS 1.2+) and at rest. Access to production data is restricted to a small number of staff under role-based controls and audit logging. We notify you and the OAIC under the Notifiable Data Breaches scheme if a breach is likely to result in serious harm.
Changes to this policy
We'll update the version number and effective date above when this policy changes. For material changes, we'll notify account holders by email at least 14 days before the change takes effect.