How Talvi Uses Public Profile Information

Last updated: 2026-05-03

If you've been told that your professional profile appears on Talvi, or you're checking because you've heard about us, this page explains what we do, what legal basis we're using, and what rights you have.

What is Talvi?

Talvi is a South African recruitment platform. Recruiters in SA pay a monthly subscription to search a database of professional profiles we have aggregated from public sources, and use AI matching to find candidates that fit their open roles.

Talvi (Pty) Ltd is a company registered in South Africa. Our Information Officer, registered with the Information Regulator of South Africa, is [TBD — Dan to provide]. You can contact them at privacy@talvi.io.

What information do we have about you?

If your profile is in Talvi, we may hold:

• Your name (or username, if that's what's on your public profile)
• Your professional headline (e.g. "Backend Developer")
• Your location at city or province level
• A summary of your skills and experience as it appears publicly
• Your work history and education as you have publicly stated it
• A link back to your original public profile
• An AI-generated narrative summary of your profile, drawn only from the public information you have already published

We do not hold:

• Your private contact details unless they appear publicly
• Your age or date of birth (we explicitly exclude this)
• Any information you have made private or removed from public view
• Special personal information under POPIA Section 26 (race, religion, health, biometrics, etc.)

Where did the information come from?

Your information was collected from one or more of these public sources:

• Stack Overflow — your public profile, including biography, top tags, and any GitHub link you've published
• GitHub — your public bio, location, public repository names and languages, public contribution counts
• LinkedIn — public profile data accessed via the third-party service Apify
• PNet — public job listings only (we do not collect candidate CVs from PNet)
• Gumtree — public "seeking work" classified ads (this source is currently paused)

We do not access information that is private, behind a login wall, or that you have removed from public view.

What is our legal basis?

We rely on POPIA Section 11(1)(f) — legitimate interest. The specific reasoning:

• The information you've made public on professional networks is voluntarily made discoverable for employment purposes
• Recruiters using Talvi have a clear, lawful interest in finding qualified candidates
• The processing is limited to the recruitment purpose and does not expose information beyond what you've already made public
• We do not surface your contact details until a recruiter has made an explicit, logged request — and even then, only if your contact details were already public on the source

We have considered your reasonable expectations and the impact of this processing. We believe a person who publishes a CV on Stack Overflow or LinkedIn would expect that profile to be discoverable by recruiters. If you disagree, you can ask us to remove your profile (see "Your rights" below).

What do we do with it?

• Make your profile searchable by recruiters who pay for Talvi access
• Generate AI-summarised narrative descriptions of your skills and experience to help recruiters quickly understand fit
• Match your profile against job descriptions when recruiters run AI searches

Where is it stored?

The database that holds your information is hosted in Ireland by Supabase, an EU jurisdiction whose data protection regime (GDPR) meets POPIA Section 72's adequacy threshold for cross-border transfers. We chose Ireland as the closest geography Supabase currently offers; we will migrate to a South African region if Supabase makes one available.

• AI processing for narrative generation happens at Anthropic in the United States — only public profile data is sent, no contact details
• AI processing for job matching happens at OpenAI in the United States — only the recruiter's job text and the relevant candidate data are sent for the duration of the API call
• Payments (for recruiter accounts only — not relevant to candidates) are processed by Stripe in the United Kingdom (Stripe Payments UK Ltd)
• The web application is hosted by Vercel in Frankfurt

These cross-border transfers (United States, Germany, Ireland, United Kingdom) are made under POPIA Section 72 because the destination jurisdictions have data protection regimes we consider adequate — GDPR for the EU and UK, and standard contractual clauses for transfers to the United States — and because the transfers are necessary to provide the service.

Your rights

POPIA gives you the right to:

See what we have

Email privacy@talvi.io and ask for a copy of all the information we hold about you. We will respond within 30 days.

Correct anything wrong

If something is inaccurate, email privacy@talvi.io and we will correct it. If the inaccuracy comes from the public source we collected it from, we will update our copy and we recommend you also correct it at the source.

Have your profile removed

You have an unconditional right to ask us to remove your profile. Email privacy@talvi.io. We will:

• Remove your profile from search within 5 working days
• Delete the underlying record within 30 days
• Confirm the deletion in writing

We will retain a minimal record (your name and the fact that you requested deletion) so we can prevent your profile being re-added during a future scrape. If you don't want even this retained, tell us and we will discuss options.

Object to processing

You can object to our processing of your information on legitimate interest grounds. Email privacy@talvi.io and tell us why. We will weigh your objection and respond within 30 days.

Complain

If you're not happy with how we've handled your information, you can complain to the Information Regulator of South Africa:

• Email: inforeg@justice.gov.za
• Website: inforegulator.org.za
• Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Security

Your information is protected by TLS encryption in transit, encrypted storage at rest, and access controls that limit recruiter access to your contact details until they have made an explicit, logged request. We are required by POPIA to notify you and the Information Regulator of any security compromise within 48 hours of discovery.

Contact

privacy@talvi.io for any questions or to exercise any of the rights above.