Privacy Policy

This policy applies to users of VouchMe, including candidates, references, referees, recruiters, hiring teams, account holders, and visitors to the VouchMe website.

VouchMe is operated from New Zealand and aims to follow New Zealand privacy principles around purpose, transparency, security, access, correction, retention, and disclosure of personal information.

(a) VouchMe may allow users to sign in using email and password, magic link email sign-in, Google OAuth / Sign in with Google, and Microsoft OAuth / Microsoft sign-in.

Google and Microsoft sign-in are used only to authenticate users and connect them to their VouchMe account. They do not give VouchMe general access to the user's Google or Microsoft account.

When you choose to sign in with Google, VouchMe uses Google OAuth / Sign in with Google to authenticate you.

Depending on the information returned by Google during the sign-in flow, VouchMe may access your Google account identifier, primary Google account email address, name or basic profile information, Google profile image if supplied, and authentication or session information needed to complete and maintain sign-in.

VouchMe uses this information only for sign-in, account identity, security, support, and operation of the VouchMe service.

When you choose to sign in with Microsoft, VouchMe uses Microsoft OAuth / Microsoft identity services to authenticate you.

Depending on the information returned by Microsoft during the sign-in flow, VouchMe may access your Microsoft account identifier, Microsoft account email address or user principal name, display name or basic profile information, Microsoft profile image or avatar if supplied, and authentication or session information needed to complete and maintain sign-in.

VouchMe's Microsoft sign-in may request basic identity permissions such as email, profile, and User.Read so VouchMe can identify the signed-in user and connect that identity to the correct VouchMe account.

VouchMe does not access your Gmail messages, Google Drive files, Google Calendar events, Google Contacts, Google Docs, Google Sheets, Google Photos, Outlook mailbox content, OneDrive files, SharePoint files, Teams messages, Microsoft Calendar, Microsoft Contacts, or other Google Workspace or Microsoft 365 content.

VouchMe does not send emails from your Gmail, Outlook, or Microsoft account.

VouchMe does not read, edit, delete, or download files, messages, calendar entries, contacts, or documents from your Google or Microsoft account.

VouchMe uses Google and Microsoft sign-in data to let you create or access your VouchMe account, identify your account across candidate, reference, and recruiter workflows, help prevent account misuse, support account recovery and customer support, display limited identity information where needed for the workflow, and maintain security, audit, and abuse-prevention records.

VouchMe does not use Google or Microsoft user data for advertising, retargeting, personalised advertising, data brokerage, credit-worthiness assessment, lending decisions, surveillance, unrelated profiling, or AI/ML model training.

Separate from Google or Microsoft sign-in data, VouchMe collects information that users provide directly in the product.

This may include name and email address, account profile information, candidate, reference, referee, and recruiter details, Vouch requests, Vouch IDs and share links, written reference answers, audio reference answers, transcripts if generated, access requests, approvals, declines, expiry settings, access history, recruiter notes if provided, status history, workflow events, billing and subscription records if paid features are used, support requests and correspondence, and technical, security, and abuse-prevention logs.

VouchMe uses this data to provide the service requested by users: requesting, creating, controlling, approving, declining, sharing, reviewing, and auditing access to professional reference information.

VouchMe is designed so that reference source content is not automatically available to everyone with a link. Access to Vouch source content depends on the workflow, user role, relationship checks, approval status, and applicable access rules.

References or referees may control whether a Vouch is completed, shared, approved, declined, deleted, or otherwise made available according to the product features available at the time.

Recruiters and candidates may receive access only where the workflow permits it.

VouchMe workflows may involve one person providing information about another person. For example, a recruiter may submit candidate or reference details, a candidate may nominate a reference, or a reference may provide information about a candidate.

Users should only provide information that is accurate, relevant, and appropriate for the VouchMe workflow they are using. Users should not submit information they are not authorised or comfortable to provide.

VouchMe does not sell personal information. VouchMe does not share Google or Microsoft user data with advertising platforms, data brokers, information resellers, or unrelated third parties.

VouchMe uses trusted service providers to operate the platform. These may include Supabase for authentication, database, and storage; Vercel for hosting; Resend for transactional email; Stripe for billing; Google and Microsoft for OAuth sign-in; and Cloudflare Turnstile or similar services for bot and abuse prevention.

Limited identity and workflow information may be visible to candidates, references, recruiters, or hiring teams where necessary for the VouchMe workflow the user chooses to participate in.

VouchMe may disclose information if required to comply with law, enforce terms, investigate misuse, resolve disputes, prevent fraud, or protect users and the platform. VouchMe does not share Google or Microsoft OAuth tokens with candidates, references, recruiters, or other workflow participants.

VouchMe stores user information using cloud infrastructure and application services selected to support authentication, database storage, file storage, hosting, transactional email, billing, security, and platform operation.

VouchMe uses safeguards intended to protect user data, including HTTPS/TLS, authentication and session controls, server-side access controls, row-level, role, and relationship-based access rules where applicable, provider-controlled release decisions for Vouch source content, protected production secrets and service credentials, restricted administrative access, security and abuse-prevention checks, and audit and status records for trust-sensitive workflow events.

No online service can guarantee absolute security, but VouchMe is designed to reduce unnecessary exposure of reference content, account data, and identity data.

VouchMe is operated from New Zealand but uses cloud-based service providers that may store or process information outside New Zealand.

Where VouchMe uses overseas providers, it does so to operate the platform, provide authentication, host the application, send transactional emails, process payments, store records, and protect the service from misuse.

VouchMe retains personal information for as long as needed to provide the service, maintain trust records, support user-requested access decisions, comply with legal obligations, resolve disputes, prevent abuse, and maintain platform security.

Google and Microsoft sign-in data connected to your VouchMe account is retained while your VouchMe account remains active, unless you request deletion or the data is no longer needed.

Some records may need to be retained for legal, billing, fraud-prevention, dispute-resolution, audit, or security reasons.

You can request deletion of your account or personal information by contacting VouchMe at platform@vouchmeapp.com. You may also use the VouchMe contact page.

When a deletion request is verified, VouchMe will delete or de-identify personal information that is no longer required, unless retention is required for legal, security, fraud-prevention, billing, dispute-resolution, audit, or legitimate business record purposes.

Some information may remain temporarily in backups, logs, or provider systems until those systems cycle or expire.

You may request access to personal information VouchMe holds about you. You may also ask VouchMe to correct information you believe is inaccurate.

To make an access, correction, or deletion request, contact platform@vouchmeapp.com.

You may revoke VouchMe's access to your Google or Microsoft account through your Google or Microsoft account security settings.

Revoking Google or Microsoft access may stop OAuth sign-in from working, but it may not automatically delete your VouchMe account or VouchMe workflow records. To request deletion of VouchMe-held records, contact VouchMe directly.

VouchMe does not use Google or Microsoft OAuth data to train or improve general artificial intelligence or machine learning models.

VouchMe does not sell or transfer Google or Microsoft OAuth data to third parties for AI/ML model training.

If VouchMe later introduces optional AI-assisted features, those features should be disclosed separately and should not change how Google or Microsoft OAuth data is handled without appropriate notice and consent.

VouchMe may update this Privacy Policy from time to time as the product, legal requirements, or service providers change.

If VouchMe materially changes how it uses Google or Microsoft user data, VouchMe will update this policy and, where required, provide notice or request consent before using that data in a new way.

For privacy questions, data access requests, correction requests, deletion requests, or trust and safety concerns, contact platform@vouchmeapp.com.

You can also use the VouchMe contact page at https://vouchmeapp.com/contact.