OnPass
OnPass — a product of Faaro (ABN 74 611 345 530)

Privacy Policy

Effective: 1 February 2026 · Version 1.0

1. Introduction

OnPass is an AI-powered pre-employment screening product operated by Faaro (ABN 74 611 345 530) ("Faaro", "we", "us", or "our"). This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use the OnPass website, platform, and services (the "Services").

We are committed to handling personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where our Services are used by individuals located in the European Union, United Kingdom, California, or New Zealand, additional rights and protections apply as described in Sections 14, 15, and 16 below.

By accessing or using our Services, you acknowledge that you have read this Privacy Policy. If you do not agree with our practices, please do not use our Services.

2. Who We Are

OnPass is a product of Faaro, an Australian company. Faaro (ABN 74 611 345 530) operates OnPass as an AI-powered pre-employment screening platform that screens and verifies candidates before they reach your recruiters.

Our registered address is:

Faaro
C/- Margetson & Associates
Unit 21, 598-602 Forest Road
Penshurst, NSW 2222
Australia

For privacy-related inquiries, contact our privacy team at privacy@faaroglobal.com.

3. Information We Collect

We collect and process the following categories of personal information depending on how you interact with our Services:

3.1 Account and Identity Data

When you create an account or engage with us, we collect:

  • Full name, email address, phone number
  • Job title, employer/organisation name
  • Account credentials (passwords are stored using industry-standard hashing)
  • Multi-factor authentication identifiers
  • Profile preferences and settings

3.2 Candidate and Screening Data

When our Services are used to screen and verify candidates, we may process on behalf of our customers:

  • Candidate names, contact details, and identifiers
  • Employment history and experience information
  • Work rights and visa status (including VEVO verification results)
  • Credential and qualification records (certificates, licence numbers, expiry dates)
  • Police check status and results
  • Professional registration details (e.g., AHPRA, NDIS Worker Screening)
  • Availability, location preferences, and job-fit information
  • Candidate screening scores, rankings, and assessment outcomes
  • AI interview recordings, transcripts, and interaction logs

In most cases, this data is processed by Faaro as a data processor on behalf of our customers (the data controllers). Our customers are responsible for ensuring they have appropriate legal bases and consents for the collection of this data.

3.3 Product-Specific Data

Depending on which OnPass features and modules are in use, additional data may be collected:

  • AI Pre-Screening: Voice and chat interview recordings, transcripts, candidate responses, screening scores, experience assessments, availability data, and job-fit rankings generated by our AI screening engine
  • Compliance Orchestration: VEVO verification results, police check status and outcomes, credential verification records, AHPRA and professional registration lookups, and check provider routing data
  • ATS Integration Data: Candidate records synchronised from Bullhorn, JobAdder, FastTrack360, or other connected applicant tracking systems, including application status, pipeline stage, and placement data

3.4 Technical and Usage Data

We automatically collect certain technical information when you use our Services:

  • IP address, browser type and version, operating system
  • Device identifiers and device type
  • Pages visited, features used, clickstream data
  • Date and time of access, session duration
  • Referring URL and search terms
  • Error logs and performance data
  • Cookie identifiers and similar tracking technologies (see our Cookie Policy)

3.5 Marketing and Prospect Data

When you interact with our marketing activities, we may collect:

  • Contact information provided via forms, events, or enquiries
  • Communication preferences and marketing consent status
  • Event attendance and webinar participation records
  • Content download and engagement history

3.6 Information from Third Parties

We may receive personal information from third parties including:

  • Applicant tracking systems (Bullhorn, JobAdder, FastTrack360) when syncing candidate data
  • Background check and verification providers (VEVO, police check agencies, credential registries)
  • Identity verification services
  • Business contact databases for sales and marketing purposes
  • Publicly available sources (company websites, LinkedIn, professional registries)

4. Lawful Basis for Processing (Australian Privacy Principles)

Under the Australian Privacy Principles (APPs), we collect and process personal information on the following bases:

  • Consent (APP 3): Where you have provided explicit consent, such as a candidate consenting to an AI pre-screening interview, subscribing to communications, or enabling optional features
  • Contractual necessity: Where processing is necessary to perform our contractual obligations to you or your employer (e.g., providing the Services under a subscription agreement)
  • Legitimate business purposes (APP 6): Where processing is reasonably necessary for our business functions and activities, and you would reasonably expect us to use your information in that way
  • Legal obligation: Where processing is required to comply with Australian law, including immigration and work rights verification, anti-discrimination legislation, and record-keeping obligations

5. How We Use Your Information

We use personal information for the following purposes:

  • Service delivery: To provide, maintain, and improve our AI-powered pre-employment screening platform and related services
  • Candidate screening: To conduct AI voice and chat pre-screening interviews, score and rank candidates, and generate screening reports for our customers
  • Compliance verification: To orchestrate work rights checks (VEVO), police checks, credential verifications, and professional registration lookups through integrated providers
  • Account management: To create and manage your account, authenticate your identity, and provide customer support
  • ATS integration: To connect and synchronise candidate data between your applicant tracking system and our platform as configured by your organisation
  • Audit and evidence: To generate audit trails, compliance evidence, and timestamped records of screening and verification activities
  • Security: To detect, prevent, and respond to security incidents, fraud, and abuse
  • Analytics: To understand how our Services are used and to improve performance, reliability, and user experience
  • Communications: To send transactional notifications (e.g., screening completion alerts, verification status updates) and, with your consent, marketing communications
  • Legal compliance: To comply with applicable laws, regulations, and legal processes
  • Business operations: To manage our business, including billing, invoicing, and internal reporting

6. Automated Decision-Making

Our Services involve automated processing in the following areas:

  • AI pre-screening interviews: Our AI screening engine interviews candidates by voice or chat to assess availability, experience, and job fit. The AI assigns scores to help rank candidates. These scores assist recruiters but do not make final hiring decisions. All hiring decisions remain with the customer's recruiting team.
  • Candidate triage and routing: Automated rules determine which candidates advance to the next stage, which are flagged for manual review, and which do not meet minimum requirements. Customers configure these rules and thresholds.
  • Compliance monitoring: Automated alerts when work rights verifications fail, credential checks return negative results, or police check statuses require attention
  • Data validation: Automated checks for data consistency between connected applicant tracking systems and the OnPass platform

These automated processes support decision-making but do not make decisions that produce legal effects or similarly significant effects on individuals without human review. Our customers (the hiring organisations) retain control over all hiring and employment decisions. Candidates who believe they have been unfairly assessed may contact the hiring organisation or reach out to us at privacy@faaroglobal.com.

7. How We Share Your Information

We do not sell personal information. We may share personal information in the following circumstances:

7.1 Sub-processors

We engage trusted sub-processors to help deliver our Services. These include:

  • Cloud infrastructure providers (Amazon Web Services)
  • AI and natural language processing services
  • Database hosting services
  • Email delivery services
  • Analytics and monitoring tools
  • Customer support platforms

All sub-processors are bound by data processing agreements that require them to protect personal information to at least the same standard as this Privacy Policy.

7.2 Our Customers (The Hiring Organisation)

Where we process candidate data on behalf of a customer, that customer (typically the recruitment agency or hiring employer) has access to screening results, scores, verification outcomes, and other data generated through their use of our Services.

7.3 Verification and Check Providers

When our Services are used to orchestrate compliance checks, candidate data is transmitted to verification providers (e.g., VEVO, police check agencies, credential registries) as configured by the customer. We act as an orchestration layer and only share the minimum data required for each verification.

7.4 ATS and Integration Partners

When our Services are integrated with applicant tracking systems (Bullhorn, JobAdder, FastTrack360), candidate data and screening results are synchronised between the systems as configured by the customer.

7.5 Professional Advisors

We may share information with our legal, accounting, and insurance advisors where necessary for professional advice and business operations.

7.6 Regulatory and Legal

We may disclose personal information where required by law, regulation, court order, or governmental request, or where necessary to protect our rights, property, or safety, or the rights, property, or safety of others.

7.7 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected individuals and provide choices where required by law.

8. Cross-Border Data Transfers

Faaro primarily stores and processes data in Australia using Amazon Web Services (AWS) Sydney region (ap-southeast-2). However, some personal information may be transferred to or accessed from other countries in the following circumstances:

  • Sub-processors in the United States: Certain sub-processors (e.g., AI services, analytics, email delivery, monitoring services) may process data in the United States
  • Customer-directed integrations: Where a customer uses a third-party ATS or verification provider hosted outside Australia, data will be transferred to that system's location as part of the integration
  • Support and maintenance: Authorised personnel may access data from locations outside Australia for support purposes

Where personal information is transferred overseas, we take reasonable steps to ensure that the overseas recipient handles the information in accordance with the APPs (APP 8). For transfers to the EU/EEA, we rely on Standard Contractual Clauses or equivalent safeguards.

9. Data Security

We implement robust technical and organisational measures to protect personal information from unauthorised access, loss, misuse, or alteration. These include:

  • Encryption in transit: All data transmitted between clients and our Services is encrypted using TLS 1.2 or higher
  • Encryption at rest: All stored data is encrypted using AES-256 encryption
  • Access controls: Role-based access control (RBAC) ensures that users only access data relevant to their role
  • Multi-factor authentication: MFA is supported and recommended for all user accounts
  • Network security: Virtual private cloud (VPC) isolation, web application firewall (WAF), and intrusion detection systems
  • AI model security: Candidate interview data is processed in isolated environments and is not used to train general-purpose AI models
  • Monitoring: Continuous security monitoring and logging of access to personal information
  • Incident response: Documented incident response procedures for security events
  • Vendor management: Security assessments of all sub-processors and third-party integrations

For more details on our security practices, see our Security page.

10. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention periods are:

Data Category | Retention Period | Basis
Account data (after account closure) | 90 days | Account recovery, fraud prevention
Candidate screening data | 12 months from screening date | Customer access, dispute resolution
AI interview recordings and transcripts | 6 months from screening date | Quality assurance, dispute resolution
Verification and compliance records | 7 years | Regulatory and legal requirements
Audit and evidence data | 7 years | Regulatory and legal requirements
Technical logs | 90 days | Security monitoring, debugging
Analytics data | 12 months | Service improvement (aggregated/anonymised where possible)
Marketing engagement data | 30 days after consent withdrawal | Consent-based processing

When retention periods expire, personal information is securely deleted or anonymised. Customers may request earlier deletion of their data, subject to our legal obligations. Candidates may also request deletion of their screening data by contacting us at privacy@faaroglobal.com.

11. Your Privacy Rights (Australian Privacy Principles)

Under the Australian Privacy Act 1988, you have the following rights:

  • Access (APP 12): You may request access to the personal information we hold about you. We will respond within 30 days.
  • Correction (APP 13): You may request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
  • Complaint (APP 1): You may complain about our handling of your personal information. We will investigate and respond within 30 days.
  • Opt-out of marketing: You may opt out of receiving marketing communications at any time by clicking the unsubscribe link in our emails or contacting us.

If you are a candidate whose data has been processed through our platform, please direct your requests to the hiring organisation that engaged OnPass in the first instance, as they are the data controller for your screening data. You may also contact us directly at privacy@faaroglobal.com.

To exercise any of these rights, contact us at privacy@faaroglobal.com.

12. Accessing and Correcting Your Information

You may access and update your account information at any time by logging into your account. For information that cannot be updated through your account settings, or to request a copy of all personal information we hold about you, please contact us at privacy@faaroglobal.com.

We may refuse access in limited circumstances permitted by the APPs, such as where access would unreasonably impact the privacy of others, or where the request is frivolous or vexatious. If we refuse access, we will provide written reasons.

13. Complaints and the OAIC

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint by contacting us at privacy@faaroglobal.com. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Email: enquiries@oaic.gov.au

14. Additional Rights for EU/UK Individuals (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) provides you with additional rights:

  • Right to erasure: You may request deletion of your personal data in certain circumstances
  • Right to restriction: You may request that we restrict the processing of your personal data
  • Right to data portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format
  • Right to object: You may object to processing based on legitimate interests, including profiling and automated candidate scoring
  • Rights related to automated decision-making: You have the right not to be subject to a decision based solely on automated processing that produces legal effects. Our AI pre-screening assists recruiters but does not make final hiring decisions (see Section 6)
  • Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing

For GDPR-related requests, contact our Data Protection Officer at dpo@faaroglobal.com. You also have the right to lodge a complaint with your local supervisory authority.

The legal bases for processing under GDPR include: performance of a contract, compliance with legal obligations, legitimate interests (platform security, service improvement, fraud prevention), and consent.

15. Additional Rights for California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights:

  • Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, purposes, and third parties with whom we share it
  • Right to delete: You may request deletion of personal information we have collected, subject to certain exceptions
  • Right to correct: You may request correction of inaccurate personal information
  • Right to opt-out of sale/sharing: We do not sell personal information. We do not share personal information for cross-context behavioural advertising
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights

To exercise these rights, contact us at privacy@faaroglobal.com. We will verify your identity before fulfilling your request.

In the preceding 12 months, we have collected the categories of personal information described in Section 3 above. We have not sold personal information. We may have disclosed personal information for business purposes as described in Section 7.

16. Additional Rights for New Zealand Individuals (NZ Privacy Act 2020)

If you are located in New Zealand, the Privacy Act 2020 (NZ) provides you with rights substantially similar to the Australian Privacy Principles. In addition:

  • You have the right to request access to and correction of your personal information under Information Privacy Principles 6 and 7
  • We will notify the NZ Privacy Commissioner and affected individuals in the event of a notifiable privacy breach
  • You may lodge a complaint with the NZ Privacy Commissioner at www.privacy.org.nz

17. Notifiable Data Breaches

In accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988, if we become aware of a data breach that is likely to result in serious harm, we will:

  • Notify the OAIC as soon as practicable
  • Notify affected individuals as soon as practicable
  • Include in our notification: a description of the breach, the kinds of information involved, and recommendations about steps individuals should take

For security incidents, contact security@faaroglobal.com.

18. Children's Privacy

Our Services are designed for business use in pre-employment screening and are not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete that information promptly.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Services. When we make material changes, we will:

  • Update the "Effective" date at the top of this page
  • Notify account holders by email or through an in-product notification
  • Provide a summary of changes where practicable

We encourage you to review this Privacy Policy periodically. Continued use of our Services after changes are posted constitutes acceptance of the updated policy.

20. Related Documents

  • Terms of Use
  • Cookie Policy
  • Security

21. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

OnPass — a product of Faaro
ABN 74 611 345 530

C/- Margetson & Associates
Unit 21, 598-602 Forest Road
Penshurst, NSW 2222
Australia

Privacy enquiries: privacy@faaroglobal.com
Data Protection Officer: dpo@faaroglobal.com
Security incidents: security@faaroglobal.com

© 2026 OnPass. A product of Faaro (ABN 74 611 345 530). All rights reserved.