Privacy Policy
Kababayan Connect ("we", "us", "our") is operated by Kangaroofern Media Lab Pty Ltd, an Australian-registered company. This policy explains how we collect, use, store, and protect personal information when you visit kababayanconnect.com.au or use our services. We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).
Filipino-Australian migrants are at the centre of this platform. Many users are in vulnerable circumstances — applying for visas, finding work, or settling in a new country. We treat your data with that responsibility in mind.
1. The data we collect
We collect only what is necessary to operate the directory. Specifically:
- Account data: name, email address, password (hashed), city, profile photo, language preferences.
- Service-provider listing data: business name, ABN, contact email, phone, website, address, public-register registration numbers (MARN, AHPRA, TPB, etc.), services offered, languages spoken.
- CV / talent data: work history, skills, languages, visa status, uploaded resume — only when you choose to build a CV. Your visibility setting (Private / Open / Public) controls who sees this.
- Applications and messages: job applications you submit, cover notes, messages sent through our platform.
- Identity verification: when you complete the optional Stripe Identity check, government-issued ID and a selfie are submitted to Stripe directly. We never see or store the ID document; we only receive a verified / not-verified result.
- Search and usage data: search queries, filters applied, and result counts. Linked to user identifiers only when you are signed in and have opted in to personalisation.
- Technical data: IP address, browser type, pages visited, referrer. Standard server logs.
2. Why we collect it
- Operating the directory: matching users with verified providers, jobs, and resources.
- Confirming credentials against Australian public registers (MARA, AHPRA, TPB, ABR, ASIC, ACNC, AUSTRAC). This is the platform's core trust function.
- Sending lifecycle emails (welcome, application updates, verification status). You can unsubscribe at any time using the link in every email.
- Improving the platform — what features people use, what queries fail to find results.
- Detecting fraud, abuse, and policy violations.
3. Who we share data with
We never sell your data. We share it only with the third parties strictly required to run the platform:
- Stripe Identity (USA): optional government-ID verification. Stripe is a Level 1 PCI service provider. Their privacy policy applies to the ID itself.
- Anthropic (USA): AI-assisted text drafting (e.g. AP-style article generation, listing-import extraction). Member CV data is never sent to Anthropic.
- Hosting and email: Namecheap (server hosting, Australia/global), and the SMTP relay configured for transactional email.
- Public registers (Australia): we query MARA, AHPRA, TPB, ABR, ASIC, ACNC, and AUSTRAC public-search interfaces using credentials you submit. We do not transmit anything they don't already have.
- Law enforcement: we will disclose data when compelled by a valid Australian legal request.
4. How long we keep it
- Account data: while your account is active. If you delete your account, all personally identifying data is removed within 30 days.
- Listings and reviews: retained while published. Reviews remain attributed to the original author unless that author requests removal.
- Search logs: 90 days, then aggregated.
- Server logs: 30 days.
- Email send history: 12 months for compliance and throttling, then deleted.
5. Your rights (under the APPs)
Under the Australian Privacy Principles, you have the right to:
- APP 6 / 12 — Access: request a copy of the personal information we hold about you. We will respond within 30 days, free of charge.
- APP 13 — Correction: request that inaccurate data be corrected. Most fields you can update yourself in your dashboard; for anything else, email us.
- Deletion: request deletion of your account and associated personal data. Some data must be retained for legal or regulatory reasons (e.g. financial records for ATO).
- Withdraw consent: opt out of marketing emails (one-click in any email), revoke OAuth permissions, set CV visibility back to Private.
- Complaint: if you believe we have breached the APPs, contact us first. If unresolved, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
6. Security
We use TLS encryption for all browser traffic, encrypted password storage (bcrypt via WordPress), database access controls, and per-endpoint authorisation checks. Resumes and other private documents are served only via permission-gated endpoints — never as direct CDN URLs.
No system is perfectly secure. If we ever experience a data breach that affects you, we will notify you and the OAIC as required by the Notifiable Data Breaches scheme.
7. Cross-border data transfers
Some of our service providers (Stripe, Anthropic) are based in the United States. By using the platform, you consent to your personal information being processed in those jurisdictions. We choose providers with strong privacy and security commitments.
8. Cookies
We use cookies for: keeping you signed in, remembering your filter preferences, and basic analytics. We do not use third-party advertising cookies. You can disable cookies in your browser, but parts of the site may not work.
8a. Radio listening analytics
When you tune in to Kababayan Connect Radio, we record minimal session data so we can describe our audience to advertisers and improve the programming. We capture: a hashed (irreversible) form of your IP address, your approximate city derived from that IP, your device class (mobile / tablet / desktop), the tracks you played and how much of each, and any UTM parameters in the URL you arrived from. We never store your raw IP address. We do not link this data to your name, email, phone number, or any other personal identifier unless you are logged in.
Granular session and event data is kept for 90 days, then rolled up into anonymous monthly aggregates and the raw rows are deleted. We respect the Do-Not-Track (DNT) browser header and the Global Privacy Control (Sec-GPC) signal — if your browser sends either, we record nothing at all. Logged-in users can also opt out from their profile (Dashboard → Privacy settings) at any time.
Analytics data is never sold. Advertisers receive aggregate, de-identified summary reports only (total listener counts, geographic distribution, peak listening times). They never receive raw rows.
9. Children
Kababayan Connect is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has signed up, please contact us and we will remove the account.
10. Changes to this policy
We will update this policy as the platform evolves. Material changes will be communicated by email to registered users at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.