Privacy Policy
Effective: 15 April 2026 · Version: v1.0
This Privacy Policy explains how Role Ascent collects, uses, discloses, and protects your personal information. It applies to all users of roleascent.com and associated services.
Jurisdictional coverage
🇦🇺 Complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
🇪🇺 Addresses obligations under the EU General Data Protection Regulation (GDPR) for EU/UK residents.
🇺🇸 Addresses rights under the California Consumer Privacy Act (CCPA) for California residents.
1. Who We Are
Role Ascent is an AI-assisted career coaching platform operated by Role Ascent (ABN: [INSERT ABN]), an Australian business. Our registered address and contact details are provided in Section 14.
For the purposes of the Australian Privacy Act 1988 (Cth), Role Ascent is the APP entity responsible for the personal information we hold. For the purposes of the GDPR, Role Ascent is the data controller in respect of personal information processed through the Service.
2. Personal Information We Collect
We collect personal information only where it is reasonably necessary to provide the Service. The categories we collect are:
Account information
Your name, email address, and authentication credentials (password hash stored by Supabase Auth; never accessible to us). Also collected via Google OAuth if you choose to sign in with Google.
Profile and career information
Display name, bio, location, industry, and career coaching content you provide voluntarily (e.g. in public profiles or STAR stories). Sharing this information is optional.
Resume and job application content
Resume text, job descriptions, selection criteria responses, cover letter drafts, and STAR stories you submit for AI analysis. This is the core content of the Service. Do not include sensitive information such as Tax File Numbers, Medicare numbers, bank account details, or health information in documents you upload.
Subscription and billing information
Your subscription tier, usage count, billing history, and your Stripe Customer ID. We do not store payment card details — these are held by Stripe, Inc. (PCI DSS compliant).
Usage and analytics data
Feature usage patterns (which modules you use, how often), session data, and device/browser type. Collected via PostHog and server logs to improve the product and enforce usage limits.
Error and diagnostic data
Error reports and stack traces collected via Sentry when the application experiences an unexpected error. Error reports include minimal context (user ID, plan, role) and are scrubbed to remove resume content before transmission.
Communications
Email correspondence you send to us (support, billing, legal enquiries), and transactional emails we send to you (analysis completions, billing receipts, service announcements).
Information we do NOT collect
We do not collect government-issued identifiers (Tax File Numbers, Medicare numbers, driver's licence numbers), financial account details, precise geolocation data, biometric information, or health information. We do not collect personal information about children under 18.
Coach accounts — client data
If you hold a coach plan and submit personal information belonging to your clients (client resumes, contact details, etc.), you are the data controller for that information and bear responsibility for obtaining your clients' consent. Role Ascent acts as a data processor in that context. See our Terms of Service (Section 8) for your obligations.
3. How We Use Your Information
We process your personal information for the following purposes and on the following legal bases:
| Purpose | Legal basis (AUS / GDPR) |
|---|---|
| Providing the Service — running AI analysis, generating documents, managing your account | Performance of contract / Legitimate interests |
| Authentication and session management | Performance of contract |
| Processing subscription payments via Stripe | Performance of contract / Legal obligation |
| Sending transactional emails (analysis completions, billing receipts) | Performance of contract / Legitimate interests |
| Enforcing usage limits and plan entitlements | Performance of contract / Legitimate interests |
| Product analytics — understanding feature usage to improve the Service (de-identified where possible) | Legitimate interests |
| Error monitoring and debugging via Sentry | Legitimate interests |
| Fraud detection and security monitoring | Legitimate interests / Legal obligation |
| Complying with legal obligations (tax records, law enforcement requests) | Legal obligation |
| Responding to support and legal enquiries | Legitimate interests / Legal obligation |
We will not use your personal information for direct marketing without your explicit opt-in consent. We will not sell, rent, or share your personal information with third parties for their own marketing purposes.
4. AI Processing — Anthropic Claude
When you submit a resume analysis, STAR story, interview simulation, or other AI-powered request, we transmit the text content of your submission to Anthropic PBC (USA) via their Claude API for processing. The AI model returns a response that we display to you and store in our database for your access history.
What we send to Anthropic: Only the text you submit (resume, job description, STAR story content). We do not send your name, email address, account ID, or any other identifying information to Anthropic. The transmission is associated only with an anonymised session token.
Anthropic's data use: As of the effective date of this policy, Anthropic does not use API input/output data to train its models, pursuant to its API Terms of Service. We recommend reviewing Anthropic's Privacy Policy at anthropic.com/privacy.
Cross-border transfer: Anthropic is a US-based company. By using AI features, you consent to your submitted text being transferred to and processed in the United States under the protections described in Section 7 (International Transfers).
Sensitive content warning: Do not include in any submission: Tax File Numbers, Medicare numbers, financial account details, health conditions, or any information about third parties who have not consented to AI processing of their data. You are responsible for the content you choose to submit.
5. Disclosure to Third Parties
Service providers (sub-processors)
We engage the following third-party service providers who may access personal information to provide services on our behalf:
| Provider | Purpose and data received |
|---|---|
| Supabase, Inc. (USA) | Database hosting, authentication, real-time data — data stored in Sydney, Australia (AWS ap-southeast-2) where available |
| Anthropic PBC (USA) | AI language model processing — receives resume text only; see Section 4 |
| Stripe, Inc. (USA) | Payment processing — receives billing and subscription data; does not receive resume content |
| Resend, Inc. (USA) | Transactional email delivery — receives your email address and email content |
| Sentry (USA) | Error monitoring — receives error reports with minimal user context (ID, plan, role); scrubbed to exclude resume content |
| PostHog, Inc. (USA/EU) | Product analytics — receives anonymised usage data and session information |
Each provider is engaged under contractual terms that require them to protect your personal information consistent with their privacy policies and, where applicable, standard contractual clauses for international transfers.
Legal requirements
We may disclose personal information where required by Australian law, a court order, a warrant, or a direction from a government authority (including the Australian Federal Police, Australian Taxation Office, or Office of the Australian Information Commissioner). Where legally permitted, we will notify you before complying with such a request.
Business transfers
If Role Ascent undergoes a merger, acquisition, sale of assets, or restructure, personal information may be transferred to a successor entity as part of that transaction. We will notify you at least 30 days before any such transfer and provide you with the option to delete your account if you do not consent.
No sale of data
We do not sell, rent, or otherwise provide your personal information to third parties for their own commercial purposes. This includes for the purposes of the California CCPA definition of "sale."
6. Data Retention
We retain personal information for as long as your account is active or as otherwise required:
| Data category | Retention period |
|---|---|
| Account information (name, email) | Duration of account + 30 days post-deletion |
| Resume and AI analysis content | Duration of account + 30 days post-deletion (accessible in your history) |
| STAR stories and public profile content | Duration of account; public content removed within 24 hours of deletion request |
| Subscription and billing records | 7 years from creation (Australian tax and financial record-keeping obligations under the Income Tax Assessment Act 1997) |
| Error and diagnostic logs | 90 days rolling retention |
| Analytics data (PostHog) | As configured in PostHog (typically 12 months); anonymised aggregates retained indefinitely |
| Legal correspondence | 7 years from the date of the correspondence |
After the applicable retention period, personal information is securely deleted or de-identified so it can no longer be attributed to you.
7. International Data Transfers
Role Ascent operates in Australia, but our service providers are located in the United States and, in the case of PostHog, may also process data in the European Union. This means your personal information is transferred to and processed in countries outside Australia.
APP 8 — Cross-border disclosure
Before disclosing personal information to overseas recipients, we take reasonable steps to ensure the recipient is subject to privacy obligations that are at least substantially similar to the Australian Privacy Principles, or we ensure the transfer is otherwise permitted under the Privacy Act 1988 (Cth). Each of our service providers (listed in Section 5) is subject to the EU–US Data Privacy Framework, Standard Contractual Clauses, or equivalent mechanisms that provide comparable protections.
GDPR — transfers outside the EEA
Where EU/UK personal data is transferred to countries not recognised by the European Commission as providing adequate protection, we rely on the Standard Contractual Clauses adopted by the European Commission (or equivalent UK International Data Transfer Agreements for UK transfers), or the EU–US Data Privacy Framework where applicable.
You may request a copy of the safeguards we rely on for international transfers by contacting us at support@roleascent.com.
8. Security
We implement industry-standard technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, and destruction:
- Encryption in transit — all data is transmitted over TLS 1.2 or higher (HTTPS).
- Encryption at rest — database storage is encrypted at the infrastructure level by Supabase (AWS).
- Row-Level Security (RLS) — database policies ensure each user can only access their own data. No cross-user data leakage is possible at the query level.
- Authentication — passwords are hashed using bcrypt (managed by Supabase Auth). We never store or see your plaintext password.
- Access controls — production database access is restricted to service accounts. No staff member has routine access to user resume content.
- Sentry scrubbing — our error monitoring configuration explicitly removes resume content from error reports before transmission.
- No payment card storage — card details are processed entirely by Stripe and are never transmitted to or stored by Role Ascent.
Data breach notification
If we become aware of a data breach that is likely to result in serious harm to you (Notifiable Data Breach under Part IIIC of the Privacy Act 1988), we will:
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable;
- Notify affected individuals directly, where required; and
- Take immediate steps to contain and remediate the breach.
Despite these measures, no system is 100% secure. If you suspect unauthorised access to your account, contact us immediately at support@roleascent.com.
9. Your Privacy Rights
🇦🇺 Australian residents — Privacy Act 1988 (APPs)
Under the Australian Privacy Principles, you have the right to:
- Access (APP 12) — Request a copy of the personal information we hold about you. We will provide this within 30 days of a written request, free of charge for reasonable requests.
- Correction (APP 13) — Request correction of inaccurate, incomplete, or outdated personal information. You can update most information directly in your account settings.
- Deletion — Request deletion of your account and associated personal data. We will delete or de-identify your data within 30 days, subject to legal retention obligations (see Section 6).
- Complaint (APP 1) — Lodge a complaint with us in the first instance (Section 14). If unsatisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
- Anonymity (APP 2) — Where it is lawful and practicable, you may use the Service without identifying yourself. However, the nature of the Service (AI analysis of your resume) requires an account. We cannot provide the full Service anonymously.
🇪🇺 EU and UK residents — GDPR / UK GDPR
If you are resident in the European Economic Area or the United Kingdom, you have the following additional rights under the GDPR (or UK GDPR):
- Right of access — obtain a copy of your personal data and information about how it is processed.
- Right to rectification — have inaccurate personal data corrected.
- Right to erasure ("right to be forgotten") — request deletion of your personal data where it is no longer necessary, you withdraw consent (where applicable), or you object to processing. This right is subject to our legal retention obligations.
- Right to restriction of processing — request that we restrict processing of your personal data in certain circumstances (e.g. while a correction request is assessed).
- Right to data portability — receive your personal data in a structured, machine-readable format (JSON export of your account data). Contact us to request a data export.
- Right to object — object to processing based on legitimate interests where your particular situation outweighs our interests. We will cease processing unless we have compelling legitimate grounds or the processing is for legal claims.
- Right to withdraw consent — where processing is based on consent, withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to lodge a complaint — with your national data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
We do not have a designated Data Protection Officer (DPO) as Role Ascent does not meet the GDPR thresholds requiring one. Privacy enquiries for EU/UK users should be directed to support@roleascent.com.
🇺🇸 California residents — CCPA / CPRA
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:
- Right to know — request disclosure of the categories and specific pieces of personal information we collect, the sources of that information, our purposes for collecting it, and the categories of third parties with whom we share it.
- Right to delete — request deletion of personal information we have collected, subject to exceptions (e.g. completing transactions, legal obligations).
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share personal information as defined under the CCPA/CPRA, so this right is not triggered. We do not use personal information for cross-context behavioural advertising.
- Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined under the CPRA (including SSN, financial account numbers, precise geolocation, health data, or biometrics).
- Right to non-discrimination — you will not receive a different level of service or higher price for exercising any of these rights.
To exercise any of the above rights, submit a verifiable consumer request to support@roleascent.com. We will respond within 45 days (extendable by a further 45 days with notice where reasonably necessary).
How to exercise your rights
Send a written request to support@roleascent.com including your account email address and a description of the right you wish to exercise. We will verify your identity before processing your request. We aim to respond within 30 days (or within the applicable statutory timeframe for your jurisdiction). Responding to access requests is free of charge for reasonable requests.
11. Direct Marketing
We do not send promotional or marketing emails without your explicit opt-in consent. If you consent to marketing communications, you can withdraw that consent at any time by clicking the "unsubscribe" link in any marketing email, or by emailing us at support@roleascent.com.
We will not use your personal information for direct marketing unless:
- You have provided express consent (opt-in); or
- We have collected your contact information in the course of a transaction with you (existing customer), the marketing relates to our own similar services, and we have provided you with a clear and easy opt-out mechanism in every communication.
Our transactional emails (analysis completions, billing receipts, service announcements) are not marketing and may be sent without opt-in as they are necessary to the provision of the Service.
12. Children's Privacy
The Service is not directed at or intended for use by persons under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected information from a person under 18, please contact us immediately at support@roleascent.com and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the Service. We will notify you of material changes by email and by posting a notice in the app at least 14 days before the change takes effect. The effective date at the top of this page will be updated accordingly.
For material changes that require re-consent (for example, a new purpose for processing or a new category of data collected), we will present you with an updated acceptance form before you can continue to use the Service.
Continued use of the Service after the effective date of a policy update constitutes acceptance of the updated policy for changes that do not require re-consent.
14. Contact and Complaints
For all privacy enquiries, access requests, correction requests, or complaints:
We will acknowledge your enquiry within 2 business days and provide a substantive response within 30 days (or within the statutory timeframe applicable to your jurisdiction, whichever is shorter).
External complaints
If you are not satisfied with our response to a privacy complaint, you may contact:
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au — 1300 363 992
- EU/EEA: Your national data protection supervisory authority — edpb.europa.eu/about-edpb/board/members_en
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- California: California Privacy Protection Agency (CPPA) — cppa.ca.gov