Privacy Policy

Version 1.1 · Effective date: 2nd April 2026 · Last updated: 15th April 2026

1. About This Policy

This Privacy Policy explains how HiveRef Pty Ltd (ACN 697 040 136) ("HiveRef", "we", "us", "our") collects, uses, stores, and discloses personal information in connection with the HiveRef platform at hiveref.com.

HiveRef is an automated reference checking platform. We process personal information on behalf of our clients (hiring organisations) who use the platform to conduct employment reference checks. We are committed to handling personal information responsibly and in accordance with applicable law.

This policy applies to all individuals whose personal information is collected or processed through the HiveRef platform, including candidates, referees, and client organisation users.

2. Applicable Law

HiveRef operates in accordance with the following legal frameworks:

  • Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), which govern the collection, use, and disclosure of personal information in Australia
  • General Data Protection Regulation (EU) 2016/679 (GDPR), which applies to the personal information of individuals located in the European Union and European Economic Area
  • UK General Data Protection Regulation (UK GDPR), which applies to the personal information of individuals located in the United Kingdom
  • Equivalent data protection laws in other jurisdictions as applicable

Where GDPR or UK GDPR applies, HiveRef operates as a data processor on behalf of our clients, who are the data controllers. Our clients are responsible for ensuring their use of HiveRef complies with applicable law in their jurisdiction.

3. Who We Are

Data processor (for GDPR purposes):

HiveRef Pty Ltd
ACN: 697 040 136
New South Wales, Australia
privacy@hiveref.com
hiveref.com

Data controller (for GDPR purposes):

The hiring organisation that has engaged HiveRef to conduct a reference check on their behalf. The identity of the data controller will be stated in the reference check invitation you receive.

4. What Personal Information We Collect

Candidates

  • Full name and contact details
  • Employment history relevant to the role being assessed
  • Details of nominated referees
  • Consent records including timestamp, method, and privacy notice version acknowledged

Referees

  • Full name and contact details
  • Optional phone number and free-text context about the referee's role when they knew the candidate, if supplied by the candidate or hiring team when nominating the referee
  • Professional assessment responses submitted through the platform
  • Record of privacy notice delivery and any declination
  • Where a referee separately opts in, a record of that preference (including time and consent version) so the hiring organisation can manage future contact and withdrawal

Client organisation users

  • Full name, work email address, and job title
  • Organisation name and jurisdiction
  • Account credentials and authentication records
  • Compliance onboarding records including Terms of Service acceptance, DPA execution, and jurisdiction flags

Automatically collected

  • IP addresses
  • Browser and device information
  • Platform usage logs and audit events
  • Cookie and session data in accordance with our Cookie Policy

5. How We Collect Personal Information

We collect personal information:

  • Directly from candidates when they complete the consent and referee nomination process
  • Directly from referees when they submit reference responses
  • Directly from client organisation users when they create an account and use the platform
  • From client organisations when they submit candidate details to initiate a reference check
  • Automatically through the platform via cookies, logs, and session data

6. Why We Collect Personal Information and Our Lawful Basis

For candidates (GDPR lawful basis: consent, Article 6(1)(a))

We collect and process candidate personal information for the purpose of conducting an employment reference check for a specific role with a named hiring organisation. We rely on the candidate's explicit consent as our lawful basis. Consent is obtained before any processing begins and may be withdrawn at any time.

For referees (GDPR lawful basis: legitimate interests, Article 6(1)(f))

We collect referee personal information for the purpose of facilitating the reference check process initiated by the candidate. Referees are notified of this purpose at the point of contact. Referees may decline to participate at any time.

Optional future contact by the hiring organisation (referee consent, Article 6(1)(a) GDPR where applicable)

After submitting a reference, a referee may choose to hear from the client organisation about separate employment opportunities. That choice is recorded by HiveRef on the referee's profile row for the relevant check. If the referee opts in, the client organisation (as independent controller for that recruiting activity) may use contact details and contextual information already held for the reference workflow (for example relationship to the candidate and optional role context) to assess relevance. Referees can withdraw using the unsubscribe link in the confirmation email; withdrawal updates the platform record and is separate from the substantive reference already supplied.

For client organisation users (GDPR lawful basis: contract, Article 6(1)(b))

We collect and process client user personal information for the purpose of providing the HiveRef platform services under our Terms of Service.

For compliance purposes (GDPR lawful basis: legal obligation, Article 6(1)(c))

We maintain certain records, including consent records, DPA execution records, and compliance audit logs, to satisfy our legal obligations under applicable data protection law.

7. Fraud Prevention and Trial Integrity

To protect the integrity of our free trial and prevent abuse of our service, we process the following pseudonymised signals when you create a workspace:

  • A mathematically transformed version of your email address, not stored in a directly readable form and protected by industry-standard cryptographic measures (HMAC-SHA256 with a secret key)
  • A truncated and mathematically transformed version of your IP address (only the network portion is retained, not the portion identifying your specific device). This signal is processed only for users in Australia and New Zealand.
  • A mathematically transformed identifier derived from your browser and device characteristics, processed only for users in Australia and New Zealand
  • Your business registration number where provided, stored in normalised form

These signals are used in combination. A match on any single soft signal (IP address or device identifier) does not affect your access to our service. We act only when multiple signals correlate, indicating likely abuse. Email and business registration signals may independently prevent repeated trial access where a prior trial has been fully used.

Lawful basis: Article 6(1)(f) GDPR, our legitimate interest in preventing abuse of a free service. We have conducted a Legitimate Interests Assessment available on request.

Retention: Email and business registration signals are retained for 24 months. IP and device signals are retained for 90 days.

Geographic scope: IP and device signals are currently processed only for users in Australia and New Zealand.

Automated decisions: If our automated systems prevent you from starting a trial, you have the right to request human review of that decision. Contact support@hiveref.com with the reference ID shown on the block message. We will respond within 2 business days.

8. AI-Assisted Compliance Scanning

HiveRef uses automated AI processing to assist with data protection compliance. Specifically:

  • Question scanning: When a client creates custom reference check questions, our AI scans each question to identify whether it may solicit information protected under applicable data protection law. Questions that are identified as potentially non-compliant are flagged with guidance and a suggested compliant alternative. Questions that directly ask about protected categories are blocked from submission.
  • Response scanning: When a referee submits a reference response, our AI scans the response to identify whether it contains information protected under applicable data protection law, including special category data under GDPR Article 9. Where such information is identified, it is flagged in the client's report with a Data Protection Notice. The full response is preserved. No content is removed. The flag advises the client that the identified content must not be used as a factor in any hiring decision.

This processing is carried out as part of our data processor obligations and in the legitimate interests of protecting candidates, referees, and client organisations from non-compliant data use.

No automated hiring decision is made by HiveRef. All hiring decisions are the sole responsibility of the client organisation as data controller.

9. Special Category Data

HiveRef's platform is designed to minimise the collection of special category data as defined under GDPR Article 9 (and sensitive information as defined under the Australian Privacy Act), which includes health data, racial or ethnic origin, religious beliefs, trade union membership, sexual orientation, political opinions, and genetic or biometric data.

Our question templates and AI scanning are specifically designed to prevent the solicitation of special category data. Where a referee volunteers special category information in a response without being asked, our AI identifies and flags it. The flagged content is annotated in the report with a Data Protection Notice and must not be used in any hiring decision.

Special category data identified in referee responses is stored separately in a restricted compliance audit log, access to which is limited to HiveRef compliance personnel. This data is automatically deleted 30 days after the reference check is completed.

10. How We Store and Protect Your Information

Personal information collected through HiveRef is stored on servers located in Sydney, Australia (AWS ap-southeast-2). Application processing occurs through infrastructure located in the United States (Vercel).

We implement the following security measures:

  • Encryption of all personal data in transit using TLS 1.2 or higher
  • Encryption of all personal data at rest using AES-256
  • Role-based access controls with the principle of least privilege
  • Multi-factor authentication for all HiveRef administrative accounts
  • Regular security testing and vulnerability assessments
  • Audit logging of all data access events

11. How Long We Keep Your Information

We retain personal information only for as long as is necessary for the purpose for which it was collected, in accordance with the following schedule:

Data Type | Retention Period | Action at Expiry
Reference check reports | 12 months from check completion | Deletion or anonymisation
Referee contact details | 90 days from check completion | Deletion
Candidate consent records | 7 years from check completion | Archival then destruction
Special category audit log | 30 days from check completion | Automatic deletion
Report flag acknowledgements | 7 years | Archival then destruction
Client Terms of Service acceptance records | Duration of client relationship plus 7 years | Archival then destruction
DPA execution records | Duration of client relationship plus 7 years | Archival then destruction
Security and fraud logs | 24 months | Archival then destruction
Breach notification records | 5 years from breach event | Archival then destruction

12. International Data Transfers

HiveRef is based in Australia. Where we process personal information of individuals located in the European Union, European Economic Area, or United Kingdom, that information may be transferred to and processed in Australia, which does not currently hold an EU adequacy decision.

For such transfers, we rely on the following mechanisms:

  • EU clients: Standard Contractual Clauses (SCCs) approved by the European Commission in June 2021, incorporated into our Data Processing Agreement
  • UK clients: UK International Data Transfer Agreement (IDTA), incorporated into our Data Processing Agreement

Copies of the applicable transfer mechanisms are available in our Data Processing Agreement at hiveref.com/dpa.

13. Disclosure of Personal Information

We do not sell personal information. We do not share personal information with third parties for marketing purposes.

We may disclose personal information to:

  • Sub-processors: Third party service providers engaged by HiveRef to assist in delivering the platform. A current list of our sub-processors is available at hiveref.com/sub-processors. All sub-processors are bound by data processing agreements and are required to process personal information only as directed by HiveRef.
  • Client organisations: Reference check reports and candidate information are disclosed to the client organisation that initiated the reference check, as directed by the candidate's consent.
  • Regulatory authorities: Where required by law or in response to a valid legal request.
  • Professional advisers: Legal, accounting, and other professional advisers bound by confidentiality obligations.

14. Your Rights

Depending on your location and applicable law, you may have the following rights in relation to your personal information:

  • Right to access: Request a copy of the personal information we hold about you
  • Right to rectification: Request correction of inaccurate personal information
  • Right to erasure: Request deletion of your personal information in certain circumstances
  • Right to restrict processing: Request that we pause processing of your personal information
  • Right to data portability: Request your personal information in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Rights related to automated decisions: The right not to be subject to solely automated decisions with significant effects. HiveRef does not make automated hiring decisions.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, contact us at privacy@hiveref.com. We will respond within one calendar month. For Australian residents, additional rights and complaint processes are available under the Privacy Act 1988 through the Office of the Australian Information Commissioner at oaic.gov.au.

15. Complaints and Supervisory Authorities

If you have a complaint about how we have handled your personal information, please contact us first at privacy@hiveref.com. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may contact the relevant supervisory authority:

  • Australia: Office of the Australian Information Commissioner (OAIC), oaic.gov.au
  • EU: Your national Data Protection Authority, edpb.europa.eu
  • UK: Information Commissioner's Office (ICO), ico.org.uk
  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD), gov.br/anpd
  • South Korea: Personal Information Protection Commission (PIPC), pipc.go.kr

16. Cookies

We use cookies and similar technologies on our platform. For full details of the cookies we use and how to manage your preferences, please see our Cookie Policy at hiveref.com/cookies.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the version number and effective date at the top of this page and notify active client users by email or platform notification. Your continued use of HiveRef after the effective date of any update constitutes acceptance of the updated policy.

18. Contact Us

For any questions about this Privacy Policy or how we handle personal information:

HiveRef Pty Ltd
ACN: 697 040 136
privacy@hiveref.com
hiveref.com

Related documents: Data Protection Guide, Sub-Processors, Cookie Policy.