Privacy Notice

Last updated: 2026-05-03

This notice explains how Talvi (Pty) Ltd ("Talvi", "we", "us") handles personal information when you use the recruiter platform at talvi.io or talvi.co.za.

If you are a candidate whose profile may appear in Talvi search results, please read our Candidate Notice instead — it explains how your public professional information came to be on this platform and what rights you have over it.

Who we are

Talvi (Pty) Ltd is a South African company operating a recruiter platform that aggregates public professional profiles into a searchable database. Our registered address is [TBD — Dan to provide].

Our Information Officer, registered with the Information Regulator of South Africa, is [TBD — Dan to provide]. You can contact them at privacy@talvi.io.

What we collect from you

When you use Talvi as a recruiter, we collect:

• Account information — your name, email address, company name, password (hashed and salted, never stored in plain text).
• Billing information — handled by Stripe under their own privacy policy. Talvi never sees or stores your full card number; we only see the last four digits and a token from Stripe.
• Usage information — which candidates you searched for, which contact details you revealed, when you logged in, your IP address at the time of each session. This data exists primarily for POPIA compliance audit purposes (we are required to log who accessed whose contact information and when) and for billing and tier-limit enforcement.
• Communications — if you email support, we keep that correspondence.

What we do with your information

• Run the platform: authenticate you, show you search results, process your payments, enforce your tier limits.
• Comply with POPIA: maintain audit logs of consent and contact reveals. South African law requires us to keep these logs.
• Improve the product: anonymous, aggregate usage statistics. We do not sell your usage data to third parties.

Who we share it with

• Stripe — payment processing. United Kingdom (Stripe Payments UK Ltd).
• Supabase — database and authentication hosting. Ireland (eu-west-1).
• Vercel — frontend and API hosting. Frankfurt region (will move to a SA region when one becomes available).
• OpenAI — candidate-to-job AI matching. United States. We send the job description text and the relevant candidate profile data for the duration of the API call. OpenAI does not retain this data for training under their commercial terms.
• Anthropic — candidate profile enrichment. United States. We send public profile data to generate structured summaries. Anthropic does not retain this data for training under their commercial terms.

We do not sell your personal information. We do not share it for advertising purposes.

Cross-border transfers

Some of our processors (Stripe, OpenAI, Anthropic, Vercel, Supabase) operate outside South Africa. Under POPIA Section 72, we transfer information to these providers because they are bound by their own data protection commitments and the transfer is necessary to provide the service you've requested. The destination jurisdictions (United States, Germany, Ireland, United Kingdom) have data protection regimes that we consider adequate for the purposes of POPIA — GDPR for the EU and UK, and standard contractual clauses for transfers to the United States.

How long we keep your information

• Account information: while your account is active, plus 12 months after closure for tax and dispute purposes.
• Billing records: 5 years (South African tax law).
• Audit logs of contact reveals: 5 years (POPIA accountability requirements).
• Anonymous usage analytics: indefinitely.

Your rights under POPIA

You have the right to:

• Access — ask us what personal information we hold about you.
• Correct — ask us to correct anything inaccurate.
• Delete — ask us to delete your account and information, subject to our legal obligation to retain audit logs and billing records.
• Object — object to specific processing on legitimate grounds.
• Withdraw consent — where we rely on your consent.
• Complain — to the Information Regulator of South Africa at inforeg@justice.gov.za or via inforegulator.org.za.

To exercise any of these rights, email privacy@talvi.io.

Cookies

Talvi uses essential cookies for authentication and session management. We do not use advertising cookies or third-party tracking pixels. We do not run analytics that profile you across other websites.

Security

We use TLS encryption in transit, encrypted storage at rest, and row-level security in our database to ensure recruiters can only see their own data. Passwords are hashed using bcrypt. We use Stripe's hosted checkout for all card details.

We are required by POPIA to notify you and the Information Regulator of any security compromise that affects your information. We will do this within 48 hours of becoming aware of the breach.

Changes to this notice

We may update this notice from time to time. The effective date at the top will reflect the most recent version. Material changes will be communicated by email.

Contact

privacy@talvi.io for any privacy questions or to exercise your POPIA rights.