Privacy Policy

Last updated: 30 May 2026

HospoCV ("we", "us", or "our") operates the hospocv.com website (the "Platform"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Platform.

We are committed to protecting your privacy and complying with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and, where applicable, the European Union General Data Protection Regulation (GDPR).

1. Information We Collect

1.1 Information You Provide

We collect information you voluntarily provide when using the Platform, including:

  • Account Information: Email address used for authentication via one-time password (OTP).
  • Profile Information: First name, last name, profile URL (slug), bio, location (country and city), avatar image, and profile visibility setting. Date of birth and nationality are optional and only collected if you choose to provide them.
  • Professional Information: Roles (e.g., bartender, chef), skills, availability status, visa type, preferred venue types, and start availability.
  • Work History: Venue names, job titles, venue types, locations, employment dates, and job descriptions.
  • Education: Institution name, degree, field of study, location, and dates of attendance.
  • Referrals: Written testimonials about other users that you author (including the referral text and the relationship descriptor, e.g. "Manager at The Roof Bar"), and referrals other users write about you. The recipient controls the visibility of referrals on their profile.
  • Contact Information (optional): Contact email, mobile phone, WhatsApp number, Instagram handle, LinkedIn URL, and personal website URL. These are displayed only to other registered users with their own profile, subject to your privacy settings.
  • Privacy Preferences: Profile visibility setting (public, members-only, or hidden), contact info visibility toggle, visa status visibility toggle, full last name display toggle, and references-available note toggle.
  • Venue Waitlist: If you sign up for the venue waitlist, we collect your email address, the referring page URL, and the UTM source parameter (if present).
  • Payment Information: When you subscribe to paid services, payment details are collected and processed by our payment processor, Stripe. We do not store your full credit card number.

1.2 Information Collected Automatically

When you access the Platform, we automatically collect certain information, including:

  • Device Information: Browser type, operating system, device type.
  • Log Data: IP address, access times, pages viewed, referring URL.
  • Last Active Timestamp: We record the date of your last activity on the Platform, updated at most once every 24 hours. This is used for platform health metrics and inactive account identification. It is not shared with other users.
  • Cookies and Similar Technologies: Session cookies for authentication and functionality. See Section 8 for more details.

2. How We Use Your Information

We use your personal information for the following purposes:

  • Provide and Operate the Platform: Create and manage your account, display your profile, enable directory features, and facilitate connections between hospitality professionals.
  • Authentication: Send one-time passwords (OTPs) to verify your identity when logging in.
  • Communication: Send transactional emails (account verification, security notices), service updates, and important notices about your account or the Platform.
  • Payment Processing: Process payments for subscriptions and paid features through our payment processor.
  • Improve the Platform: Analyze usage patterns, troubleshoot issues, and develop new features.
  • Legal Compliance: Comply with applicable laws, regulations, and legal processes.
  • Safety and Security: Detect, prevent, and address fraud, abuse, security risks, and technical issues. This includes OTP rate limiting (per email and per IP address).

3. How We Share Your Information

3.1 Public Profile Information

If your profile is set to "public", certain information will be visible to anyone on the internet, including: your name (first name and last initial, or full name if you enable it), profile URL, bio, location, roles, skills, availability, work history, education, preferred venues, and start availability.

If your profile is set to "members only", this information is visible only to other logged-in HospoCV users who have created their own profile.

If your profile is set to "hidden", it is not visible to anyone except you.

3.2 Contact Information Visibility

Your contact information (email, mobile, WhatsApp, Instagram, LinkedIn, website) is only visible to other registered users who have created their own profile, and only if you have enabled the "Show contact info" setting. This information is never visible to anonymous visitors. Contact data is redacted server-side — it never reaches the browser of unauthorised viewers.

3.3 Saved Profiles

When you save another user's profile, this action is private. The profile owner is not notified. We store: your profile ID, the saved profile ID, and the timestamp.

3.4 Service Providers

We share your information with third-party service providers who perform services on our behalf, including:

  • Supabase: Database hosting, authentication, and file storage. Data is hosted in the Asia-Pacific region (Singapore, ap-southeast-1).
  • Stripe: Payment processing and tax calculation. Stripe's privacy policy is available at stripe.com/privacy.
  • Resend: Transactional email delivery (OTP codes, notifications). Resend's privacy policy is available at resend.com/legal/privacy-policy.
  • Netlify: Website hosting and content delivery.
  • Plausible Analytics: Privacy-friendly, cookie-free website analytics. No personal data is collected. Plausible's data policy is available at plausible.io/data-policy.
  • Sentry: Application error monitoring and performance tracing. Error reports may include user IDs and request paths to help us debug issues; they do not include form contents or other personal fields you submit. Sentry's privacy policy is available at sentry.io/privacy.
  • Cloudflare Turnstile: Bot and abuse protection on sign-up and other forms. Turnstile may collect your IP address and limited browser characteristics to distinguish humans from automated traffic; it does not use tracking cookies for advertising. Cloudflare's privacy policy is available at cloudflare.com/privacypolicy.

These service providers are contractually obligated to protect your information and may only use it for the purposes we specify.

3.5 Legal Requirements

We may disclose your information if required to do so by law, or where necessary to:

  • Respond to valid legal processes (subpoenas, court orders, government requests).
  • Protect our rights, property, or safety, or that of our users or the public.
  • Enforce our Terms of Service.
  • Detect, prevent, or address fraud, security, or technical issues.

3.6 Business Transfers

If HospoCV is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will update this Privacy Policy to reflect any change in ownership or uses of your personal information.

4. Photos and Avatars

When you upload a profile photo, the image is processed entirely within your browser before being stored:

  • Images are cropped and compressed to WebP format (640 x 640 pixels).
  • EXIF metadata (including GPS location data) is stripped for your privacy.
  • The processed image is stored in Supabase Storage (Singapore region).
  • Avatar images are accessible via a public URL when your profile is visible.
  • Images are permanently deleted from storage when you replace your avatar or delete your account.

5. Downloadable Assets

The Platform allows you to generate and download assets from your profile (CV, QR code, business card) via the Share Kit feature. These assets are generated entirely within your browser using client-side technologies (browser print, HTML Canvas). No generated files are uploaded to or stored on HospoCV servers.

QR codes encode your public profile URL only and do not contain any other personal data.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our services.

6.1 Account Deletion

You may delete your account at any time from your Settings page (Settings → Delete account). If you no longer have access to your account, you may also email us at privacy@hospocv.com and we will action the request within 30 days. Upon deletion, the following occurs:

  • Your profile, work experience, education, skills, preferences, and saved profiles will be permanently deleted.
  • Referrals you wrote for other users will be removed from their profiles.
  • Referrals others wrote about you will be removed alongside your profile.
  • Your avatar image will be deleted from storage.
  • Your email will be removed from the authentication system.
  • Previous profile URLs will be retained for redirect integrity only (pointing to a 404 page). No personal data is associated with these redirects.
  • Anonymized, aggregated analytics data may be retained.

Some information may be retained where required by law for legal, accounting, or reporting purposes.

6.2 Inactive Accounts

Inactive accounts (no login for 12 months or more) may have their profile URLs reclaimed as described in our Terms of Service. We will attempt to notify you before reclaiming your URL.

6.3 Venue Waitlist

Venue waitlist email addresses are retained until the venue feature launches or until you request removal. They are not shared with third parties.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (HTTPS/TLS).
  • Encryption of data at rest in our databases.
  • Row-level security (RLS) policies ensuring users can only access data they are authorised to see.
  • OTP rate limiting to prevent brute-force authentication attacks.
  • Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy).
  • Honeypot fields on forms to prevent automated bot submissions.
  • Regular security assessments and updates.
  • Access controls limiting employee access to personal information.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

  • Essential Cookies: Required for authentication (session management) and core Platform functionality. These cannot be disabled.
  • Bot Protection: Cloudflare Turnstile may set cookies or browser storage entries during anti-bot challenges on forms (e.g. sign-up). These are strictly used to verify human traffic and are not used for advertising or tracking.
  • Analytics: We use Plausible Analytics, which is cookie-free and does not collect personal data. No analytics cookies are set.

We do not use advertising cookies or third-party tracking pixels.

9. Previous Profile URLs

When you change your profile URL, the previous URL is stored in order to maintain 301 redirects to your new URL. This data includes: the old URL slug, your profile ID, and the timestamp of the change. This data is retained indefinitely to ensure shared links continue to work.

10. Your Rights and Choices

10.1 Access and Correction

You can access and update most of your personal information directly through your profile editing page on the Platform. If you need assistance, contact us at privacy@hospocv.com.

10.2 Account Deletion

You may delete your account at any time from Settings → Delete account, or contact us at privacy@hospocv.com if you no longer have access. See Section 6.1 for details on what is deleted and what is retained.

10.3 Marketing Communications

We do not currently send marketing communications. If we begin sending them in the future, you will be able to opt out by clicking the "unsubscribe" link in any marketing email. You cannot opt out of transactional emails (e.g., OTP codes, security notices) while your account is active.

10.4 Rights for European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the GDPR, including:

  • Right of Access: Request a copy of your personal data.
  • Right to Rectification: Request correction of inaccurate data.
  • Right to Erasure: Request deletion of your data ("right to be forgotten").
  • Right to Restriction: Request restriction of processing.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

To exercise these rights, contact us at privacy@hospocv.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

10.5 Legal Basis for Processing (GDPR)

For users in the EEA, we process your data based on the following legal grounds:

  • Contract: Processing necessary to perform our contract with you (providing the Platform).
  • Legitimate Interests: Processing necessary for our legitimate interests (improving the Platform, security, fraud prevention).
  • Legal Obligation: Processing necessary to comply with legal requirements.
  • Consent: Processing based on your consent (e.g. the venue waitlist signup, or future marketing communications if you opt in).

11. International Data Transfers

Your information may be transferred to and processed in countries other than Australia, including Singapore (database hosting) and the United States (some service providers). These countries may have different data protection laws than Australia or your country of residence.

When we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or transferring to countries with adequate data protection laws.

12. Data Breach Notification

In the event of a data breach that is likely to result in serious harm, we will notify affected users and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and in any event within 72 hours of becoming aware of the breach, in compliance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth).

Notification will include: the nature of the breach, the types of personal information affected, and recommended steps you can take to protect yourself.

13. Children's Privacy

The Platform is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a user below the minimum age, we will take steps to delete such information promptly.

Age eligibility is confirmed via self-attestation when you accept our Terms of Service and this Privacy Policy at sign-up. We do not currently verify identity documents, but we reserve the right to remove any account found to be operated by someone below the minimum age.

14. Changes to This Privacy Policy

Material changes will be posted on this page, and the "Last updated" date at the top will be refreshed.

Your continued use of the Platform after any changes indicates your acceptance of the updated Privacy Policy.

15. Contact Us

For any questions about this Privacy Policy, to exercise your privacy rights, or for GDPR-related enquiries, contact us at privacy@hospocv.com.