Legal

Privacy Notice

Effective: 2026-05-19 · Version 1.0

Who we are

TalentOS (“we”, “us”) is a multi-tenant recruitment platform operated for African enterprises. Each customer organisation (“tenant”) controls its own data; we act as a processor on the tenant's behalf.

What we collect

  • Account data — name, work email, role, hashed password
  • Tenant data — job posts, candidate applications, interview notes, offers
  • Uploads — CVs, portfolios, candidate-supplied documents
  • Audit trail — every login, AI call, and data mutation (SOC 2 / IT-security)
  • Operational telemetry — IP, user agent, rate limit counters, error stack traces (when Sentry is active)

Where it lives

  • Records (KV) — Vercel KV / Upstash Redis, Frankfurt (fra1) + Iowa (iad1) edge regions, encrypted at rest
  • Uploaded files — Vercel Blob (CDN-fronted) when active; ephemeral memory otherwise
  • AI inference — Anthropic Claude API; per Anthropic's policy, prompts are NOT used for model training

Retention

  • Candidate records: kept while the tenant remains active; deleted when the tenant or admin deletes them
  • Audit events: append-only, retained indefinitely as a compliance record
  • Sessions: 14 days from issuance, auto-expire on the server
  • Invite + reset tokens: 7 days / 1 hour respectively, one-time use, cleared on consumption

Your rights — global data-protection regimes

TalentOS is built to honour data-subject rights across major data-protection regimes worldwide. The specific right that applies depends on where your data subjects are located, not where you (the tenant) operate:

  • GDPR (EU/EEA) + UK GDPR — access, rectification, erasure, restriction, portability, objection
  • NDPR + NDPA (Nigeria) — access, rectification, erasure, restriction, portability
  • CCPA / CPRA (California) — know, delete, correct, opt-out of sale, limit sensitive personal info
  • POPIA (South Africa) — access, correction, deletion, objection
  • LGPD (Brazil) — confirmation, access, correction, anonymisation, portability, deletion
  • PIPEDA (Canada) — access, correction, challenge accuracy
  • PDPA (Singapore) — access, correction, withdraw consent
  • Privacy Act (Australia) — access, correction, complaint to OAIC
  • DPA 2019 (Kenya) — access, rectification, erasure, objection

Tenants can exercise these rights self-serve through the platform:

  • Access + portability — full JSON export of all tenant data at /account (admin/CHRO only)
  • Erasure / right to be forgotten — irreversible tenant delete at /account (admin only, typed confirmation)
  • Rectification / correction — direct edit via the platform UI or API
  • Restriction / objection — contact privacy@talentosglobal.co

We respond to verified data-subject requests within the shortest applicable statutory window (typically 30 days under NDPR/GDPR; CCPA gives 45). The customer (the data controller) retains primary responsibility for fielding and authenticating requests from its data subjects; we provide the tooling.

Sub-processors

  • Anthropic — generative AI (Claude); processes prompt text + tenant context for inference
  • Vercel — hosting, KV, Blob, edge middleware
  • Upstash — Redis-compatible KV backing Vercel KV
  • Resend (when active) — transactional email for invites + password resets
  • Sentry (when active) — error tracking + perf monitoring; scrubs PII on capture

Contact

We respond to data-subject requests within 30 days as required by NDPR + GDPR.