JobMaster JobMaster
Home Product

Mobile

Google Play App StoreSoon

Browser extension

Chrome Microsoft Edge
Pricing Resources Contact Sign in Sign up
Privacy

Privacy Policy

What we collect, why we collect it, who sees it, and what you can ask us to do with it. Written to comply with the Australian Privacy Principles.

Effective 2026-05-14 · Version 1.2. The canonical source for this policy is maintained as Markdown in the JobMaster business repository; this page is the published rendering.

1. About this policy

This Privacy Policy explains how JobMaster collects, uses, stores, discloses, and protects personal information. It is written to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

JobMaster is operated by 698 053 039 Pty Ltd (ABN 20 698 053 039), an Australian proprietary limited company trading as JobMaster Online ("JobMaster", "we", "us", "our"). Our registered office is listed on the public Australian Securities and Investments Commission (ASIC) register.

If you have a question about this policy, contact us at contact@jobmaster.com.au.

We may change this policy from time to time. The current version, with its effective date, will always be available at jobmaster.com.au/privacy. Material changes will be notified to active subscribers by email at least 14 days before they take effect.

2. Scope

This policy covers the JobMaster service ("Service"), which is delivered across four surfaces:

  • The marketing website at jobmaster.com.au
  • The web application ("SaaS app") at app.jobmaster.com.au
  • The Chrome browser extension ("Extension") published on the Chrome Web Store
  • The mobile app ("Mobile app") published on the Apple App Store and Google Play

Where a section below applies to only one surface, we say so explicitly.

3. Personal information we collect

We collect only the personal information we need to run the Service.

  • Account information: your email address, your hashed password (or a federated identifier if you sign in with Google), your subscription status, and a Firebase user ID assigned to your account.
  • Profile content: the resume, cover letter samples, writing-style preferences, profile facts, common application answers, search keywords, locations, and rules (such as title exclusions and salary floors) you provide so JobMaster can match jobs against you and produce tailored documents.
  • Job-pipeline data: the job listings JobMaster surfaces for you, the match scores generated for them, the tailored resumes and cover letters JobMaster generates, your applied/bookmarked/skipped status for each role, and the timestamps for those actions.
  • Billing information: your subscription plan, billing email, billing status, and a Stripe customer identifier. Card numbers, CVCs, and bank-account details are entered into Stripe's hosted checkout and are never seen or stored by JobMaster.
  • Device and push information (Mobile app only): the platform (iOS or Android), device model and operating-system version, and the push-notification token issued by Apple or Google for your installation.
  • Server logs: for security, abuse detection, and basic operational health, our backend logs the source IP address, user agent, request path, response status, and timestamp for requests made to app.jobmaster.com.au and the API.
  • Support communications: messages you send to us by email or through the contact form, and our replies.
  • Beta applications: if you sign up at jobmaster.com.au/beta we collect your first name, last name, email address, and a record of the two consent acknowledgements you tick. We also record the IP address the form was submitted from for abuse forensics.

4. How we collect it

  • Directly from you when you register, complete the setup wizard, change settings, upload a resume, send a support email, or submit the contact form on the marketing website.
  • Automatically through standard web request logging when you use the SaaS app or the API.
  • Through the Extension when you install it and click "Add to JobMaster" on a Seek or LinkedIn job page (or when you opt in to "auto-add" mode). The Extension reads the job posting visible in the active tab and sends it to our backend with your account credentials. It does not read any other tab, form, keystroke, password field, or page outside Seek and LinkedIn job pages.
  • Through the Mobile app when you sign in (via Firebase Auth) and grant permission to receive push notifications.
  • From Stripe when you start, renew, or cancel a subscription. Stripe sends us webhook events covering the lifecycle of your subscription. We never receive your card data.
  • From Google (Firebase Auth) when you sign in with your Google account. We receive your email address and a stable identifier.

We do not buy personal information from data brokers. We do not receive personal information about you from employers, recruiters, or job boards.

5. Why we use it

We use personal information for the purposes you would expect from a job-search tool:

  • To deliver the Service: matching jobs to your profile, generating tailored documents, displaying your pipeline, sending push notifications when you've enabled them.
  • To bill you: processing subscription payments through Stripe and recognising your paid status on subsequent requests.
  • To support you: responding to your emails, tickets, and contact-form submissions.
  • To secure the Service: detecting and blocking abuse, fraud, account takeover, and other security incidents.
  • To improve the Service: investigating bugs, monitoring performance, and prioritising features. We do not use your profile content or generated documents for product analytics; this work uses aggregated, non-identifying signals.
  • To publish aggregated statistics about how the Service is used (for example, "X% of active users received an interview within 30 days"). Any statistic we publish will be aggregated and de-identified so that no individual user can be identified from it. We will not publish any statistic that reveals information about a single, small group of users.
  • To meet legal obligations: responding to lawful requests from Australian authorities and complying with tax and record-keeping law.

If we ever want to use your personal information for a new purpose, we will ask first.

6. Sensitive information

Some personal information is treated as "sensitive" under APP 3 (for example, racial or ethnic origin, health information, religious beliefs, criminal record, or membership of a trade union).

We do not ask for sensitive information at signup or anywhere in the setup wizard. However, the resume you upload may contain incidentally sensitive information (for example, you might disclose visa status, a disability, or a professional association in the body of the document). Anything you put in your resume will be stored, processed, and sent to our AI providers as part of producing tailored documents.

If you do not want a piece of sensitive information in our system, omit it from your resume and from the answers you give in the setup wizard. You can ask us to delete a stored resume at any time.

7. Who we share it with

We share personal information only with the third-party processors strictly required to run the Service. We do not sell personal information. We do not share personal information with advertisers, ad networks, or analytics aggregators. We do not share your profile, resume, generated documents, or job-pipeline data with employers, recruiters, or any other JobMaster user. Your profile and job-pipeline are private to your account; there is no public profile feature and no other JobMaster user can see your information.

Processor Role Where data is processed Privacy policy
Google Cloud Platform Hosting (Cloud Run), database (Firestore), file storage (Cloud Storage), identity (Firebase Auth), push delivery (FCM/APNs), AI scoring (Vertex AI Gemini) Australia (australia-southeast1) for compute and storage; United States for some Firebase/Google services Link
Anthropic PBC AI document generation (Claude Sonnet 4.5) United States Link
Oxylabs UAB Fetching public job postings from Seek and LinkedIn. We send Oxylabs search keywords and locations only, never your profile, resume, or account identifiers Lithuania, with global proxy infrastructure Link
Stripe Payments Australia Pty Ltd Subscription billing and payment processing Australia and United States Link
Resend Transactional email (verification, password reset, billing notices, support replies, contact-form forwards) United States Link
Apple and Google Mobile-app distribution and push-notification delivery United States and the device's region Apple · Google

Each processor is bound by its own contractual and statutory obligations. We use them under their published terms; we do not authorise them to use your personal information for their own purposes. We will update this list when it changes.

8. Cross-border disclosure

JobMaster is hosted in Australia (Google Cloud's australia-southeast1 region in Sydney), and your account data, profile, generated documents, and job-pipeline data live in Australia. Some of the processors above operate from, or replicate to, the United States. By using the Service you accept that the following information may be disclosed to recipients located outside Australia:

  • Email address and email body to Resend (United States) when we send you a transactional email.
  • Card-payment data and billing email to Stripe (United States).
  • The text passed to AI providers as described in section 10 to Anthropic (United States) and to Google Vertex AI (Google's regional infrastructure, which may include the United States).
  • Push-notification payload (a short title and body, plus an opaque job identifier) to Apple Push Notification service or Google Firebase Cloud Messaging.

We take reasonable steps to ensure these recipients handle your information consistently with the APPs. We are not, however, an accountable agent for breaches by these recipients of obligations under privacy laws of their own jurisdictions.

9. Cookies, local storage, and tracking

The Service uses very few client-side storage mechanisms, all of them strictly necessary to keep you signed in and to remember a basic display preference. None of them is for analytics, advertising, or any form of tracking:

  • The SaaS app stores your Firebase authentication tokens in your browser (managed by the Firebase SDK) so you stay signed in.
  • The SaaS app stores your light/dark theme preference in localStorage under the key jobmaster-theme.
  • The Extension stores your auto-add settings, an auto-add counter, your Firebase tokens, and the timestamp of the last extraction error in chrome.storage.local. None of this is synced across browsers.
  • The Mobile app stores your Firebase tokens in the device's secure store (iOS Keychain or Android Keystore) and the push-notification token until you uninstall the app.

The marketing website at jobmaster.com.au sets no cookies of its own. It loads the Inter font from Google Fonts; that request is subject to Google's privacy policy.

The Service uses no Google Analytics, no Plausible, no PostHog, no Mixpanel, no Amplitude, no Meta Pixel, no LinkedIn Insight Tag, no Google Ads tag, no Intercom or other chat widget, and no Sentry or other crash-reporting SDK. If we add any of these in future, we will update this policy and tell active subscribers by email before doing so.

10. AI providers

JobMaster uses third-party AI models in two places:

  • Document generation: when JobMaster produces a tailored resume or cover letter, it sends the relevant inputs (your profile facts, writing-style notes, the job description, and your name) to Anthropic Claude Sonnet 4.5 and receives a generated draft in return.
  • Job scoring: when JobMaster ranks a job listing for you, it sends the job description and a compact summary of your profile to Google Cloud Vertex AI (Gemini 2.5 Flash) and receives a score and a short reason in return. If Vertex AI is unavailable, JobMaster falls back to Anthropic Claude Haiku for scoring.

JobMaster decides which provider to use for each task. You do not choose, and you cannot opt out of AI processing while continuing to use the Service, because AI processing is the core of the Service.

We do not authorise these providers to train their models on your inputs. The provider terms in force at the time of writing prohibit training on enterprise API content by default. If a provider changes its default, we will choose another provider or update this policy and tell active subscribers in advance.

11. Job listings

JobMaster discovers job listings on your behalf by sending your search keywords and locations to Oxylabs, a third-party web data-retrieval service. Oxylabs returns the public content of matching listings on Seek and LinkedIn (job title, company, location, description, posting URL). JobMaster stores those listings in your account so they can be displayed to you, scored against your profile, and used as input to document generation.

We do not store the personal contact details of recruiters as a separate field, but a recruiter's name or email may appear in the body of a job description we store. We do not republish stored listings publicly. They are visible only to you in your account.

We never send your profile, resume, or any of your personal information to Oxylabs or to Seek or LinkedIn. Oxylabs receives only the search query.

12. The Chrome Extension

The Extension is published on the Chrome Web Store and runs in your browser only when you install it. It is built on Chrome Manifest V3 and requests these permissions:

  • storage (to remember your auto-add settings and cached tokens)
  • activeTab, scripting, tabs (to extract a job page when you ask it to)
  • Host permissions for *.seek.com.au, *.seek.com, *.linkedin.com/jobs, app.jobmaster.com.au, and securetoken.googleapis.com

When you click "Add to JobMaster" on a Seek or LinkedIn job page, the Extension reads the job's title, company, location, salary range (if shown), posted date (Seek only), description, and canonical URL from the page DOM and sends them to our backend with your Firebase identity token. If you opt in to "auto-add" mode, this happens automatically as you browse Seek and LinkedIn job detail pages.

The Extension does not:

  • Read pages other than Seek job pages, LinkedIn job pages, and the JobMaster SaaS app
  • Read form fields, autofill applications, capture passwords, or record keystrokes
  • Submit applications or interact with employer career pages on your behalf
  • Track your browsing history
  • Run analytics, send telemetry, or include third-party scripts

You can review the Extension's permissions and remove it at any time from chrome://extensions.

13. The Mobile app

The Mobile app is a read-only companion to the SaaS app. It shows your job pipeline, your activity feed, and the recent job-list summary. You cannot upload a resume, change your profile, or submit applications from the Mobile app.

The Mobile app requests only the following device permissions:

  • Notifications, so we can deliver "search complete" and "high-match" alerts when you ask for them. You can decline this permission and still use the app.

The Mobile app does not request location, contacts, calendar, photos, camera, microphone, motion, or advertising-identifier access. It does not load any third-party analytics, advertising, or attribution SDK.

14. The marketing website

The marketing website at jobmaster.com.au is a static brochure site. The user-facing data-collection points are:

  • The contact form at jobmaster.com.au/contact, which collects your name, email, subject, and message. Submissions are stored in our database and emailed to our operations inbox via Resend. We use this information solely to reply to you and keep a record of the conversation.
  • The beta waitlist form at jobmaster.com.au/beta, which collects your first name, last name, email address, and your acknowledgement of the two consent statements presented on that page. Submissions are stored in our beta_signups Firestore collection and trigger a confirmation email to you (via Resend) plus an ops-notification email to us. We use this information solely to manage the beta cohort and to contact you about your application. If you make the cohort, we send you a Discord invite; the Discord server itself is operated by Discord Inc. and governed by their own privacy practices (see discord.com/privacy).

The marketing site sets no cookies of its own and runs no analytics.

15. Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure:

  • All connections to JobMaster use HTTPS (TLS 1.2 or higher).
  • The SaaS API and database enforce per-user authorisation through Firebase Auth and Firestore Security Rules; one user cannot read or write another user's data.
  • Stored data is encrypted at rest by Google Cloud Platform's default encryption keys.
  • Sensitive credentials (API keys for our processors and signing keys) are held in Google Secret Manager and accessed only by the production service account.
  • The API enforces per-IP and per-user rate limits on sensitive endpoints (login, password reset, account deletion, contact form, billing webhook).
  • We restrict administrative access to the production environment to the operator and use multi-factor authentication on the underlying Google Cloud account.

No method of transmission or storage is perfectly secure. If a security incident occurs, our response is described in section 16. A higher-level overview is on the Security page.

16. Notifiable data breaches

We comply with the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988 (Cth). If we suffer an eligible data breach (a breach likely to result in serious harm to one or more individuals), we will:

  • Promptly contain and assess the breach
  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
  • Notify the affected individuals as soon as practicable, with a description of the breach, the kinds of information involved, and the steps you can take to protect yourself

17. How long we keep it

Data Retention
Account, profile, job-pipeline data, generated documents For the life of your account. Deleted within 30 days of you cancelling your subscription, or sooner on request
Server logs (IP, user agent, request path, status) 90 days
Billing records (Stripe events, invoices) 7 years (required by Australian tax law)
Support communications 2 years from the last contact
Contact-form submissions 2 years from receipt
Beta-waitlist submissions Kept while the beta is live so we can manage the cohort and waitlist. Deleted within 30 days of beta closure, or sooner on request to contact@jobmaster.com.au
Backups Up to 35 days; deletion requests propagate to backups within that window

If your account is inactive for 30 days, JobMaster will email a warning and then automatically pause your subscription's scheduled job-search tasks. Pausing does not delete your data.

18. Business transfer

If JobMaster's business or assets are sold, transferred, merged with another entity, or reorganised in any way that changes who controls your personal information, we will:

  • Notify active subscribers by email at least 30 days before the change takes effect, including the name of the new controller and how to contact them.
  • Require the new controller to handle your personal information at least to the standard set by this policy and the Australian Privacy Principles.
  • Give you a meaningful opportunity to delete your account before your personal information transfers. If you delete your account during the notice period, your personal information will be erased before the transfer rather than handed across.

If the transfer happens because of an insolvency or court-ordered sale and the 30-day notice is not possible, we will still notify you as soon as we lawfully can.

19. Your rights

Under the APPs you can ask us to:

  • Access the personal information we hold about you. Most of it is visible to you in the SaaS app at any time. For anything that is not, email us at contact@jobmaster.com.au.
  • Correct anything that is wrong. You can update your profile, search terms, writing style, and rules directly in the SaaS app at any time.
  • Delete your account and the data tied to it. You can do this yourself in the SaaS app under Account Settings ("Delete account"). Deletion removes your profile, search settings, generated documents, job-pipeline data, and authentication record. Billing records are retained for the period required by law (see section 17 for retention detail).
  • Export a copy of your job-pipeline data and your generated documents. You can download generated DOCX files from the SaaS app. For a broader export, email us.
  • Stop processing your data for any non-essential purpose. The Service has very few non-essential processing activities; if there is one you object to, email us and we will discuss.

We will respond to a verified request within 30 days. We do not charge a fee for these requests.

20. Children and minimum age

The Service is not intended for anyone under the age of 16. You must be at least 16 to register and use the Service. If you become aware that someone under 16 has provided personal information through the Service, please contact us at contact@jobmaster.com.au and we will delete the information.

21. Service availability

JobMaster is offered exclusively to users physically located in Australia and is intended for Australian residents and holders of a valid Australian work right. We do not target users outside Australia, and the Service is not designed to comply with the General Data Protection Regulation, the UK GDPR, or other non-Australian privacy regimes. If you are not in Australia, please do not register or upload personal information to the Service.

22. Complaints

If you believe we have mishandled your personal information, please write to us first at contact@jobmaster.com.au with the subject line "Privacy complaint". We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.

If you are not satisfied with our response, you can refer the matter to the Office of the Australian Information Commissioner:

23. Changes to this policy

We will publish any change to this policy at jobmaster.com.au/privacy. The effective date and version number at the top of the policy will always reflect the current version. For changes that materially reduce your rights or expand our use of your personal information, we will email active subscribers at least 14 days before the change takes effect.

We review this policy at least once every 12 months even if nothing has changed, to confirm it still accurately reflects how the Service works.

24. Contact

Questions, requests, or complaints under this policy:

The operator of JobMaster is 698 053 039 Pty Ltd (ABN 20 698 053 039), trading as JobMaster Online. Our registered office is on the public ASIC register and can be retrieved by searching the ACN 698 053 039 at connectonline.asic.gov.au if you need to serve formal notice.