1. Overview and scope
Yoria ("we," "us," "our") operates a cloud-based applicant tracking system (ATS) provided as a software-as-a-service platform to recruitment agencies, search firms, and in-house HR and talent acquisition teams ("Customers") across Japan, Singapore, Australia, New Zealand, Hong Kong, the United Kingdom, the European Union, the United States, Canada, the UAE, Vietnam, the Philippines, Malaysia, Indonesia, Thailand, Brazil, and other supported markets.
This Privacy Policy explains how we collect and handle personal data in connection with the operation of yoria.io. It applies to:
- Platform users — recruiters, HR professionals, and team members employed by Customers who use the Yoria platform
- Candidates and data subjects — individuals whose personal data is entered into the platform by Customers
- Visitors — individuals who visit yoria.io without registering
We are committed to compliance with all applicable data protection laws including, but not limited to: GDPR (EU/EEA), UK GDPR, Japan's APPI (個人情報保護法), Singapore's PDPA, Australia's Privacy Act 1988, Hong Kong's PDPO, South Korea's PIPA, India's DPDPA, Brazil's LGPD, Canada's PIPEDA and Quebec Law 25, and the CCPA/CPRA (California).
Note: This policy is provided for informational purposes. Customers operating in regulated industries or jurisdictions with specific legal requirements should obtain independent legal advice regarding their own compliance obligations when using the Yoria platform.
2. Our role: platform provider
Yoria provides software infrastructure. We do not own, collect for our own purposes, or independently control the candidate data stored on the platform.
Candidate data — Customers are responsible
The recruitment agencies and HR teams that subscribe to Yoria are solely responsible for all candidate and contact data they enter, import, or process through the platform. This includes names, contact details, employment history, salary data, resumes, and any other personal information about job seekers, applicants, and client contacts.
Yoria stores and processes this data solely as a service to Customers, acting on their instruction. We have no independent commercial relationship with the individuals whose data Customers manage on the platform.
Each Customer is independently responsible for:
- Providing candidates with appropriate privacy notices at the point of data collection
- Obtaining any required consents under applicable law before entering data into the platform
- Ensuring they have a lawful basis for collecting, storing, and processing candidate personal data
- Responding to candidates' data subject rights requests (access, correction, deletion, portability)
- Complying with all applicable data protection laws in their jurisdiction and the jurisdictions of the candidates they manage
- Ensuring cross-border transfer mechanisms are in place when required by local law before transmitting candidate data to Yoria's systems
Customers who require a Data Processing Agreement (DPA) for compliance with GDPR, UK GDPR, LGPD, or other applicable laws may request one by contacting [email protected]. Our DPA governs the terms under which we process candidate data on Customer instructions.
Account and billing data — Yoria handles this
Yoria processes the personal data of platform users (name, email, account credentials, and billing information) for the purpose of delivering and administering the Yoria service. This processing is covered in full by this Privacy Policy.
3. What data we collect
3.1 Account and user data
When a Customer registers and invites team members, we collect:
- Name and email address of each platform user
- Organisation name and market/region selection
- Password (bcrypt-hashed — never stored in plain text)
- Role assignment (admin, recruiter, viewer)
- Subscription and billing details — managed by Paddle.com Market Limited; we retain only the last 4 digits of the card, expiry date, and billing email
3.2 Candidate and contact data (entered by Customers)
Customers may enter personal data about candidates and client contacts, including names, contact information, work history, skills, languages, salary data, notes, assessment records, and uploaded resume documents. Yoria processes this data solely on Customer instruction. The Customer retains full ownership of and responsibility for this data.
Where AI-assisted features are used (resume parsing and resume formatting), the resume content is transmitted over the Claude (Anthropic) route approved for the Customer's market, as set out in Section 4; which provider and region handle it, and whether it leaves the Customer's selected data region, depend on that route. Our agreements for these routes prohibit use of customer data for model training. Resume data sent through an approved route is used solely to provide the requested feature (extracting structured candidate data, or formatting the resume for export) and is not retained by the provider beyond the request. Customers, as data controllers, are responsible for informing candidates that their resume may be processed by AI tools as part of the recruitment workflow.
3.3 Usage and technical data
We collect information about how the platform is accessed, including IP addresses, browser type, operating system, session duration, and features used. This data is used solely for service reliability, security monitoring, and improving the platform. We do not use third-party analytics trackers or advertising pixels.
3.4 Communications
If you contact us by email or through our website, we retain your message and contact details to respond to your enquiry and improve our support.
4. Sub-processors
We engage the following sub-processors to deliver the Yoria service. All sub-processors are bound by Data Processing Agreements that prohibit use of data for their own purposes and require appropriate security measures.
| Sub-processor | Purpose | Where data is processed | DPA |
|---|---|---|---|
| Supabase, Inc. | Database hosting, authentication, file storage | Your organisation's data is stored in the region you select (default: Singapore). Supabase is a US-incorporated company; data is physically stored on AWS infrastructure in the selected region. | Yes — Supabase DPA |
| Anthropic, Inc. | AI processing for resume parsing and resume formatting. The full resume content is transmitted; the DPA prohibits model training on it. | The route is fixed per market, and the direct Anthropic API route is never used as a fallback for a market assigned to another route. Bedrock markets (Singapore, Australia, New Zealand, UK): Claude on AWS Bedrock in the configured regional AWS region. EU/GDPR markets: reserved for Google Vertex AI in europe-west1; this route is not yet configured, and enabling it is a sub-processor change subject to the notice described below. Switzerland is not served. Anthropic API markets: Japan currently uses the direct Anthropic API route while Bedrock quota is resolved; other approved API markets also use this route. | Yes — Anthropic Commercial DPA; no model training on customer data; not retained beyond processing request |
| Paddle.com Market Limited | Payment processing (Customer billing data only — subscription fees, invoices) | United Kingdom (London). Paddle is a UK-registered Merchant of Record. Card data is tokenised and never transmitted to Yoria. | Yes — Paddle DPA |
| Cloudflare, Inc. | CDN, edge hosting, DDoS protection, TLS termination | United States (HQ), with edge servers worldwide. All traffic to yoria.io passes through Cloudflare's network; because Cloudflare terminates TLS, request and response content, including candidate data in transit, is handled at the edge location nearest the user, but Cloudflare does not store candidate data. | Yes — Cloudflare DPA |
We will give Customers at least 30 days' notice of any change to this sub-processor list, including the addition of a new sub-processor, with an opportunity to object before the change takes effect. Customers who want that notice delivered by email should register a contact address at [email protected].
Sub-processors may themselves engage additional sub-processors (for example, Supabase uses Amazon Web Services infrastructure). We maintain a record of known sub-processor chains and can provide this information upon request.
5. Data residency and hosting
Yoria's infrastructure is hosted on Supabase, which in turn runs on cloud infrastructure in the following regions:
| Region | Data centre location | Available to |
|---|---|---|
| Asia-Pacific (default) | Singapore | All customers (current default) |
| Japan | Tokyo (ap-northeast-1) | Japan-market customers — available on request |
| Australia | Sydney (ap-southeast-2) | Australian customers — available on request |
| Europe | Frankfurt / EU-West | EU/UK customers — available on request |
| United States | US-East | US/Canada customers — available on request |
Customers in jurisdictions with data residency requirements (including Japan under APPI, the EU under GDPR, and Australia) are encouraged to contact us at [email protected] to request regional data storage. Where a regional instance is not yet available or where technical constraints require processing outside the primary region, we implement appropriate transfer safeguards as described in Section 6.
Billing data handled by Paddle is processed in the United Kingdom. AI processing follows the route in Section 4: Bedrock markets are processed in the configured regional AWS region, while markets on the direct Anthropic API route (currently including Japan) are processed by Anthropic in the United States. These locations apply regardless of the Customer's chosen data region, so a Customer on the Tokyo region, for example, should note that resume content sent for AI processing currently leaves Japan. Transfer mechanisms for these transfers are described in Section 6.
6. International data transfers
Where personal data is transferred across borders, we implement appropriate safeguards under applicable law. The mechanisms we use depend on the originating jurisdiction:
EU and EEA (GDPR)
Transfers from the EU/EEA to Singapore (Supabase, default region) are made under the Standard Contractual Clauses (SCCs) adopted by the European Commission, supported by a transfer impact assessment of Singapore's PDPA framework; Singapore has no EU adequacy decision, so the SCCs, not the PDPA, are the legal basis for the transfer. EU Customers can avoid this transfer for stored data by requesting the Europe region (Section 5). Transfers to the United Kingdom (Paddle) rely on the European Commission's adequacy decision for the UK. Transfers to the United States (the direct Anthropic API route, Cloudflare) are made under SCCs and, where the recipient is certified, the EU-US Data Privacy Framework. Customers requiring SCCs in their DPA with Yoria may request these by contacting [email protected].
United Kingdom (UK GDPR)
Transfers from the UK use UK International Data Transfer Agreements (IDTAs) or the UK Addendum to EU SCCs. The same sub-processor safeguards apply as for EU transfers.
Japan (APPI)
Under the amended APPI (in force since April 2022), transferring personal information to a third party overseas requires one of: the data subject's prior opt-in consent; the recipient having established a system, typically by contract, that meets the Personal Information Protection Commission (PPC) standards for handling the data in a manner equivalent to APPI; or the recipient being located in a country the PPC has designated as having an equivalent regime. Yoria's default Singapore region and the United States-based AI route are not covered by a PPC designation, so Customers operating under Japanese law must rely on candidate consent or on the contractual route. Customers are responsible for obtaining appropriate consent from candidates before entering their data into the platform, or for maintaining a contractual framework with Yoria that satisfies APPI cross-border transfer requirements; our DPA is designed to support the contractual route. Customers should consult their own legal counsel on APPI compliance.
Australia
Overseas disclosures are made with contractual safeguards requiring sub-processors to handle data in accordance with the Australian Privacy Principles (APP 8 on cross-border disclosure). Where data is held on the Sydney regional instance, cross-border transfers are limited to payment processing (Paddle, United Kingdom), AI processing on AWS Bedrock in the configured regional AWS region (Section 4), and transit through Cloudflare's global edge network.
Brazil (LGPD)
Transfers from Brazil are made under Standard Contractual Clauses as approved by Brazil's ANPD (Resolution CD/ANPD No. 19/2024), incorporated into our DPA for Brazilian Customers.
Other jurisdictions
For customers in Singapore, Hong Kong, South Korea, Canada, India, the UAE, and other jurisdictions, transfers to sub-processors are governed by contractual safeguards requiring equivalent data protection standards. Customers requiring jurisdiction-specific transfer documentation should contact [email protected].
7. Legal basis for processing
Account and user data
We process platform user data (name, email, account credentials, billing) on the following legal bases:
- Contract performance — processing necessary to provide the Yoria service under our Terms of Service
- Legitimate interests — security monitoring, fraud prevention, abuse detection, and service improvement
- Legal obligation — compliance with applicable tax, billing, and regulatory requirements
Candidate data processed on Customer instruction
Yoria processes candidate data as a service provider acting on Customer instruction. The legal basis for this processing is the contractual obligation between Yoria and the Customer (our Terms of Service and DPA). The legal basis for the Customer's original collection and use of candidate data is the Customer's own responsibility and falls outside the scope of this policy.
Japan (APPI)
Under APPI, we handle personal information for the specified purpose of providing the Yoria recruitment platform service. Cross-border transfers require consent or a contractual protection system as described in Section 6.
8. Data retention
We retain Customer account data for as long as the subscription is active. Upon cancellation or expiry, we retain all data for 30 days to allow for account recovery, after which all Customer account data and all candidate data associated with that account is permanently and irreversibly deleted from our systems and backups.
Billing records (invoices, transaction history) may be retained for up to 7 years as required by applicable tax and accounting law.
Customers can delete individual candidate records at any time via the Yoria interface. Deletion is immediate from the live database; backup purge follows within 30 days.
Customers who need to demonstrate compliance with storage limitation (GDPR Article 5(1)(e)) or data minimisation (Article 5(1)(c)) obligations can configure their workspace retention settings and request a data export before deletion. Contact [email protected] for assistance.
9. Security
We implement technical and organisational security measures appropriate to the risk, including:
- Encryption in transit — TLS 1.3 on all connections
- Encryption at rest — AES-256 encryption on all database storage
- Tenant isolation — Postgres row-level security (RLS) policies keyed on the organisation are enforced at the database layer, so a query run by one organisation's user cannot read or modify another organisation's rows regardless of application code
- Authentication — bcrypt password hashing; multi-factor authentication (MFA/TOTP) available to all users
- Access control — role-based permissions (admin, recruiter, viewer); principle of least privilege applied internally
- AI processing of resumes — the full resume content is transmitted to the route configured for the Customer's market (Section 4); it is used only to provide the requested feature, is not used for model training, and is not retained by the provider beyond the request
- Audit logging — all data access and modification events are logged with user and timestamp
- Security reviews — periodic security audits and dependency vulnerability scans
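The tenant-isolation measure above is the one a Customer's security reviewer will most want to verify. The following is an illustrative Postgres/Supabase policy set added here as an example; it is not Yoria's schema or code, and the table and column names (org_members, candidates, org_id) and the use of Supabase's auth.uid() helper are assumptions.

```sql
-- Illustrative tenant isolation with Postgres row-level security (Supabase flavour).
-- Added example, not Yoria's schema: table/column names are assumed.
create table org_members (
  org_id  uuid not null,
  user_id uuid not null,
  primary key (org_id, user_id)
);

create table candidates (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null references org_members (org_id, user_id) deferrable initially deferred,
  name   text not null,
  email  text
);
```

Caveat on the snippet above: that foreign key is wrong on purpose to show a common mistake? No. The corrected, complete version follows:

```sql
-- Illustrative tenant isolation with Postgres row-level security (Supabase flavour).
-- Added example, not Yoria's schema: table/column names are assumed.
-- auth.uid() is Supabase's helper that returns the JWT subject of the caller.
create table org_members (
  org_id  uuid not null,
  user_id uuid not null,
  primary key (org_id, user_id)
);

create table candidates (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  name   text not null,
  email  text
);

-- Enable RLS and FORCE it so even the table owner is subject to the policies.
alter table candidates  enable row level security;
alter table candidates  force  row level security;
alter table org_members enable row level security;
alter table org_members force  row level security;

-- A candidate row is visible or writable only to members of its organisation.
-- The WITH CHECK clause also blocks an UPDATE that would move a row to another org.
-- An anonymous caller (auth.uid() IS NULL) matches no membership row and sees nothing.
create policy candidates_tenant_isolation on candidates
  for all
  using (
    exists (select 1 from org_members m
            where m.org_id = candidates.org_id and m.user_id = auth.uid())
  )
  with check (
    exists (select 1 from org_members m
            where m.org_id = candidates.org_id and m.user_id = auth.uid())
  );

-- Users may read only their own memberships. No INSERT/UPDATE/DELETE policy exists,
-- so with RLS enabled those statements are denied by default; membership changes must
-- go through a trusted server-side path, never the client.
create policy org_members_self_read on org_members
  for select using (user_id = auth.uid());

-- Coverage check: list any table in the public schema where RLS is not both enabled
-- and forced. An empty result is the expected state.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r'
  and not (c.relrowsecurity and c.relforcerowsecurity);
```

Two points a reviewer would check alongside the policies: the Supabase service_role key bypasses RLS entirely, so it must only ever be used server-side, and RLS on the candidates table is only as strong as the protection on org_members, which is why membership writes are denied to ordinary users above.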
No method of transmission or storage is 100% secure. In the event of a security incident affecting personal data, we will notify affected Customers and, where required by law, the relevant supervisory authority, in accordance with the timelines described in Section 13.
If you discover a security vulnerability, please disclose it responsibly to [email protected].
10. Rights of platform users (Customers and team members)
If you are a recruiter, HR professional, or team member using the Yoria platform, you have the following rights regarding your personal account data:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate account data
- Erasure — request deletion of your user account and associated personal data
- Restriction — request that we limit processing of your data in certain circumstances
- Portability — receive your account data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
Under APPI (Japan), you have the right to request disclosure, correction, addition, deletion, or suspension of use of your personal information.
To exercise any of these rights, contact [email protected]. We will respond within 30 days (or within applicable statutory deadlines where shorter periods apply under local law).
11. Rights of candidates and data subjects
If you are a job seeker, applicant, or professional contact whose personal data has been entered into the Yoria platform by a recruitment agency or employer, please read this section carefully.
Yoria is not responsible for your data — the agency or employer is. The recruitment agency or employer that entered your data into the platform is solely responsible for how your personal information is collected, stored, used, and deleted. They are the party with whom you have (or had) a direct relationship, and they are obligated under applicable data protection law to respond to your requests.
To exercise your rights — including:
- Requesting access to your personal data
- Requesting correction of inaccurate data
- Requesting deletion of your data
- Requesting a copy of your data (portability)
- Withdrawing consent
— you should contact the recruitment agency or employer that holds your data directly. They are required by law to respond.
If you do not know which agency holds your data, or if you have contacted them and received no satisfactory response within a reasonable period, you may contact us at [email protected] with the subject line "Candidate Data Request". We will use reasonable efforts to identify the responsible Customer and facilitate a response, but we cannot delete or modify candidate data without authorisation from the Customer who controls it.
You also have the right to lodge a complaint with your local data protection authority:
- EU/EEA: Your national supervisory authority (e.g. CNIL in France; in Germany, the data protection authority of the relevant federal state for private-sector organisations; AP in the Netherlands)
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- Japan: Personal Information Protection Commission (PPC) — ppc.go.jp
- Singapore: Personal Data Protection Commission (PDPC)
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- South Korea: Personal Information Protection Commission (PIPC)
- India: Data Protection Board of India (once established under DPDPA)
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD)
- Canada: Office of the Privacy Commissioner of Canada (OPC)
- California (US): California Privacy Protection Agency (CPPA)
12. Jurisdiction-specific provisions
European Union and EEA (GDPR)
Yoria complies with GDPR Article 28 obligations as a data processor. We maintain records of processing activities, implement Article 32 security measures, and support Customer compliance with data subject rights. EU Customers may request a full GDPR-compliant DPA incorporating Standard Contractual Clauses (2021 EU Commission SCCs) at [email protected]. Automated resume parsing is used as a decision-support tool only; no automated decisions with legal or similarly significant effects are made solely by the AI without human review.
United Kingdom (UK GDPR)
Yoria complies with UK GDPR and the Data Protection Act 2018. UK Customers may request a DPA incorporating UK IDTAs or the UK Addendum to EU SCCs. The UK ICO is the relevant supervisory authority for Yoria's UK operations.
Japan (APPI — 個人情報保護法)
Japan's APPI applies to personal information about Japan-resident individuals. Under the 2022 APPI amendments, cross-border transfers require either individual opt-in consent from the data subject or a contractual protection system ensuring APPI-equivalent protections at the overseas destination. Customers recruiting in Japan are responsible for obtaining appropriate consent from candidates before entering their data into the platform. Our DPA can serve as the contractual protection system required under APPI. Where candidate data includes "special care-required personal information" (specially sensitive categories such as health information or background check results), explicit prior consent from the candidate is required before collection and any overseas transfer. Customers handling such data should consult qualified Japanese legal counsel.
Under APPI, individuals have the right to request disclosure, correction, deletion, or suspension of use of their personal information held by the Customer.
Singapore (PDPA)
Yoria operates as a "data intermediary" under Singapore's PDPA, processing personal data on behalf of and for the purposes of the Customer. In that role we are directly subject to the PDPA's protection and retention limitation obligations and must notify the Customer without undue delay of any data breach affecting data we process for them; we support Customer responses to access and correction requests within our scope. Singapore-based Customers remain the "organisations" responsible for candidate data under the PDPA and must meet their own obligations, including consent, notification, accuracy, and breach notification to the PDPC.
Australia (Privacy Act 1988 / APPs)
Yoria complies with the Australian Privacy Principles (APPs). We make overseas disclosures to sub-processors only with contractual safeguards requiring APP-equivalent protections. Australian Customers have the right to access and correct their account data. For complaints not resolved by us, the Office of the Australian Information Commissioner (OAIC) is the relevant authority.
South Korea (PIPA — 개인정보보호법)
Yoria processes data of South Korea-resident individuals in accordance with PIPA. We implement the security and management measures required under PIPA and support breach notification obligations. Korean Customers are responsible for ensuring their own PIPA compliance, including obtaining appropriate consent for overseas transfers of candidate data. We can provide contractual safeguards demonstrating PIPA-equivalent protections upon request.
India (DPDPA 2023)
Yoria processes personal data of India-resident individuals in accordance with the Digital Personal Data Protection Act 2023. As rules under the DPDPA are still being finalised, we monitor developments and will update our practices accordingly. We implement security measures and support data subject rights as required. Indian Customers who require a Data Processing Agreement under the DPDPA framework may contact [email protected].
Brazil (LGPD)
Yoria complies with Brazil's Lei Geral de Proteção de Dados (LGPD). International transfers from Brazil to our sub-processors are governed by Standard Contractual Clauses as approved by ANPD (Resolution CD/ANPD No. 19/2024). Brazilian Customers may request a LGPD-compliant DPA incorporating ANPD-approved SCCs.
Canada (PIPEDA / Quebec Law 25)
We comply with PIPEDA at the federal level and with Quebec's Law 25 for Quebec-based Customers. Law 25 requires a privacy impact assessment (PIA) before personal information is communicated outside Quebec, which covers transfers to other Canadian provinces as well as international transfers. We can provide documentation to support Customer PIAs, including our sub-processor locations and security measures. Contact [email protected].
United States — California (CCPA / CPRA)
Yoria acts as a "service provider" under the CCPA/CPRA. We do not sell or share personal information for our own commercial purposes. We support Customer compliance with California consumer rights requests (access, deletion, correction, opt-out of sale/sharing). US Customers who require a CCPA service provider agreement may request one at [email protected].
China (PIPL — 个人信息保护法)
China's Personal Information Protection Law (PIPL) imposes strict requirements on cross-border transfers of personal information of China-resident individuals: depending on the volume and type of data, a security assessment by the Cyberspace Administration of China (CAC), a filing of the CAC standard contract, or a personal information protection certification, together with separate consent from the individual where consent is the legal basis for the transfer. Customers who intend to use Yoria to process personal data of China-resident candidates must obtain appropriate legal advice and implement the required mechanism before doing so. None of the data regions in Section 5 is located in China, and Yoria does not make representations about PIPL compliance on behalf of Customers operating in the Chinese market.
13. Data breach notification
In the event of a confirmed personal data breach affecting Customer data, we will:
- Notify affected Customers without undue delay, and in any event within 72 hours of becoming aware of the breach. This is our commitment as processor; the 72-hour deadlines under GDPR, UK GDPR, and PIPA apply to the Customer as controller and run from the Customer's own awareness, so Customers should plan their internal process around receiving our notice
- Provide details of: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed to address the breach
- Support Customers in meeting their own notification obligations to supervisory authorities and data subjects as required by applicable law
Breach notification timelines under specific laws:
- GDPR / UK GDPR: 72 hours from awareness to notify the supervisory authority (Customer obligation as controller); Yoria, as processor, notifies Customers without undue delay
- PIPA (South Korea): 72 hours from awareness to notify affected individuals and report to the PIPC (Customer obligation); Yoria notifies Customers without undue delay
- APPI (Japan): for qualifying breaches, a prompt preliminary report to the Personal Information Protection Commission (PPC), which its guidelines place at roughly 3 to 5 days, and a final report within 30 days (60 days for breaches caused by malicious acts) (Customer obligation); Yoria notifies Customers promptly
- PDPA (Singapore): 3 calendar days to the PDPC after the organisation assesses a breach to be notifiable (Customer obligation); as data intermediary, Yoria notifies the Customer without undue delay
- Australia: under the Notifiable Data Breaches scheme, a suspected eligible data breach must be assessed within 30 days, and the OAIC and affected individuals notified as soon as practicable once it is confirmed (Customer obligation as APP entity)
- Brazil (LGPD): ANPD Resolution CD/ANPD No. 15/2024 sets a deadline of three working days from awareness for notifying the ANPD and affected data subjects (Customer obligation)
14. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify Customers by email and by a notice within the platform at least 30 days before the change takes effect. The updated policy will always be available at yoria.io/privacy with the effective date noted.
Continued use of the platform after the effective date constitutes acceptance of the updated policy. If you do not agree with material changes, you may terminate your subscription before the effective date.
15. Contact us
For privacy enquiries, to request a Data Processing Agreement, or for assistance with data subject requests:
- Privacy: [email protected]
- Security disclosures: [email protected]
- Subject line format: Privacy Request — [Your name] — [Jurisdiction]
We aim to respond to all privacy requests within 30 days. For complex requests or those requiring regulatory verification, we may extend this period by a further 30 days with notice.
If you are not satisfied with our response, you have the right to escalate to your local data protection authority. See Section 11 for authority contact details.