Data Security & Retention
Last updated 13 June 2026
Purpose and scope
This policy explains how we keep your information secure and how long we keep it. For what personal information we collect, why we collect it, who we share it with, and your rights to access or correct it, please see our Privacy Policy.
How we secure your information
We take a layered approach to protecting the information in our care:
- Encryption. Information is encrypted in transit (TLS) and at rest within the cloud platforms we use.
- Access on a need-to-know basis. Only the people who need your information to do their work can reach it, and access is removed when it is no longer needed.
- Multi-factor authentication on the key systems that hold candidate and client data.
- Vetted providers. We only use established platforms (such as our CRM, email and booking tools) that maintain industry-standard security and publish their own safeguards.
- Device and account hygiene. Strong, unique credentials, up-to-date devices, and regular review of who can access what.
How long we keep your information
We keep personal information only while we have a genuine reason to, then we delete or de-identify it. As a guide:
- Active candidates: while we have an active or potentially active relationship, and for up to 24 months after our last meaningful contact, after which we review and either re-confirm with you or delete your details.
- Applicants for a specific role who are not placed: kept for the duration of that search and a short period afterwards, unless you ask us to keep you in mind for future roles.
- Placed candidates and client records: kept for the life of the engagement, the replacement guarantee period, and any period we are required to keep them for legal or tax reasons.
- Financial and tax records: kept for at least seven years, as required by Australian tax and corporations law.
- Website analytics: aggregate and cookie-less, retained only as long as it is useful for measuring site performance.
These are typical periods. We may keep information longer where the law requires it, or delete it sooner at your request.
Secure disposal
When information reaches the end of its retention period, or when you ask us to delete it, we remove it from our active systems and instruct our providers to do the same, so it can no longer be accessed or reconstructed in the ordinary course of business.
If something goes wrong
No system is perfect. If a data breach occurs that is likely to cause serious harm, we act under the Notifiable Data Breaches scheme in the Privacy Act 1988 (Cth): we move quickly to contain it, assess what happened, and notify the affected individuals and the Office of the Australian Information Commissioner where the scheme requires it.
Your choices
You can ask us to delete the information we hold about you at any time. How to make that request, and the rest of your privacy rights, are set out in our Privacy Policy.