Privacy Policy
Last updated: 6 May 2026
Gradland ("Gradland", "we", "us") is operated by Henry Tsai as a sole-trader business in Australia. This Privacy Policy explains how we handle your personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and — where applicable — the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
1. What we collect
We collect only what we need to deliver the service:
- Account data — email address, display name, avatar, and OAuth identifier (provided by GitHub or Google when you sign in).
- Profile inputs — career stage, target role, visa type, location preferences, skills, and study notes you choose to enter.
- Generated content — resumes you upload (PDF), cover letters, gap-analysis results, interview answers, and quiz responses.
- Usage telemetry — page views, anonymised device/country derived from your IP address (truncated, never stored in raw form), and AI-call counts for fair-use enforcement.
- Payment records — Stripe customer ID and subscription status. Card details are handled exclusively by Stripe and never reach our servers.
- Communications — content of any email, contact-form, or in-app message you send us.
We do not collect government identifiers (TFN, passport number, visa-grant number) or health information.
2. How we use it (APP 6 — purposes)
- To provide, maintain, and improve the career-tools we publish at this site.
- To authenticate you and prevent abuse, fraud, and rate-limit evasion.
- To process subscription payments via Stripe and to issue tax-compliant receipts.
- To send transactional email (account, billing, content moderation outcomes).
- To produce de-identified aggregate analytics (e.g., "~12% of users target Sydney").
- To comply with our legal obligations under Australian or foreign law.
We do not sell or rent your personal information, and we do not use your generated content (resumes, cover letters, etc.) to train AI models. Calls to our AI sub-processors are made under zero-data-retention terms where the provider supports them.
3. Sub-processors
We use the following third parties to deliver the service. Each is bound by a Data Processing Agreement (DPA) requiring them to handle your data only on our documented instructions and to notify us of any breach without undue delay.
| Processor | Purpose | Region |
|---|---|---|
| Vercel Inc. | Hosting, edge delivery, serverless compute | Global (default region: Sydney, AU) |
| Supabase Inc. | Authentication, database, file storage | Sydney, AU |
| Stripe Payments Australia Pty Ltd | Subscription billing + payment processing | AU + US |
| Anthropic PBC | Generative-AI inference (Claude models) | United States |
| OpenAI L.L.C. | Generative-AI inference (GPT models) | United States |
| Resend Inc. | Transactional email delivery | United States |
| Logo.dev | Company-logo image proxy | United States |
4. Cross-border disclosure (APP 8)
Some sub-processors above operate from the United States. By using Gradland, you consent to this transfer. Where a DPA is in place, we rely on Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.
5. Cookies and similar technologies
We use a small number of cookies and browser-storage entries. See our Cookies Policy for the categorised list and to manage your preferences. Analytics cookies are off by default until you grant consent via the banner shown on first visit.
6. Retention
- Account data — kept while your account is active; deleted within 30 days of account closure.
- Generated content — kept until you delete it from your dashboard or close your account.
- Payment records — kept for 7 years to comply with Australian tax law (Income Tax Assessment Act 1997).
- Audit logs — kept for 90 days for security investigation.
7. Your rights (APPs 12 + 13, GDPR Arts. 15-22)
You may at any time:
- Access — request a copy of the personal information we hold about you.
- Correct — ask us to fix inaccurate information; most fields are user-editable in your dashboard.
- Delete — request deletion of your account and associated data.
- Object — object to processing for direct marketing (we do not currently send marketing email).
- Port — receive a machine-readable export of your data.
- Withdraw consent — revoke previously-granted analytics consent via the banner.
Email admin@henrysdigitallife.com with the subject line "Privacy request — <type>". We will respond within 30 days.
8. Security
We use TLS 1.3 for all traffic, Row-Level Security on every database table containing user data, signed-cookie sessions, and a content-security-policy header on every response. Passwords are not stored: authentication is delegated entirely to GitHub / Google OAuth and Supabase's managed identity service. We retain audit logs of administrative actions for 90 days.
9. Children
Gradland is intended for adult users (18 +). We do not knowingly collect information from children under 16. If you believe a minor has created an account, contact us and we will delete it.
10. Complaints
If you believe we have breached the Australian Privacy Principles, please first contact us at admin@henrysdigitallife.com. If unresolved, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
11. Changes to this policy
We may update this policy as the service evolves. Material changes will be announced via in-app notice or transactional email at least 14 days before they take effect.
12. Contact
Questions or requests: admin@henrysdigitallife.com — or use the form at /contact.