Privacy Notice

1. Introduction

NestHire, a trading name of Archline Technologies ("NestHire," "we," "us," or "our"), a company registered in the Republic of South Africa, is the responsible party (data controller) for the personal information processed through the NestHire platform at nesthire.io ("Service").

This Privacy Notice explains what personal information we collect, how we use it, who we share it with, and what rights you have. It applies to all users of the Service, including account holders (recruiters and hiring teams), job applicants who apply through our public career pages, and visitors to our website.

We are committed to complying with the Protection of Personal Information Act 4 of 2013 ("POPIA"), the General Data Protection Regulation ("GDPR") where applicable, and other relevant data protection legislation.

2. Information We Collect

2.1 Account Data (Recruiters & Hiring Teams)

When you register for an account, we collect:

• Email address
• Full name (optional)
• Organisation name
• Password (stored as a bcrypt hash — we never store your password in plain text)
• Two-factor authentication secret (if 2FA is enabled, stored encrypted)

2.2 Candidate Data

When candidates are added to the platform — either uploaded by recruiters or submitted through public career pages — we process:

• Candidate name
• Email address and phone number (encrypted at rest using AES-128 symmetric encryption for public applications)
• CV/resume files (PDF, DOC, or DOCX format, up to 10 MB)
• Extracted text from CV documents
• Redacted text (with personal information removed — see section 4)
• Responses to custom application questions
• Recruiter notes, tags, and pipeline status

2.3 Usage & Technical Data

• Feature usage events (candidates processed, jobs created, AI feature usage) for billing purposes
• AI token consumption (input/output tokens, model used) for usage tracking
• Email communication logs (recipient, subject, status) for audit and delivery tracking
• IP address for rate limiting and security purposes

3. How We Use Your Information

We use personal information for the following purposes:

• Service delivery: To operate the recruitment platform, process CVs, generate AI scores, and enable candidate management
• Account management: To authenticate users, manage organisation memberships, and enforce access controls
• AI-assisted recruitment: To parse CVs, redact PII, generate embeddings, and produce match scores (see section 4)
• Communication: To send email verifications, password resets, and recruiter-to-candidate emails through the platform
• Billing: To track subscription status, usage against plan limits, and process payments via our payment provider
• Security: To detect and prevent unauthorised access, enforce rate limits, and maintain platform integrity
• Support: To respond to your enquiries and resolve issues
• Legal compliance: To comply with applicable laws, regulations, and legal processes

4. AI Processing & PII Redaction

NestHire uses artificial intelligence to help recruiters evaluate candidates. Here is how we handle candidate data during AI processing:

• PII redaction: Before any CV text is sent to an AI provider, we automatically redact personal information including email addresses, phone numbers, physical addresses, URLs, South African ID numbers, and reference blocks. The redacted text replaces these with placeholders (e.g., [EMAIL], [PHONE], [ADDRESS]).
• AI scoring: Only the redacted CV text and the job description are sent to our AI provider (OpenAI) for scoring. The AI evaluates the candidate's qualifications against the job requirements and returns a structured assessment.
• Embeddings: We generate text embeddings (numerical representations) of CV content using OpenAI's embedding models to identify the most relevant sections of a CV for scoring. These embeddings are generated from redacted text.
• No model training: We do not use your data to train AI models. Our AI providers process data under data processing agreements that prohibit use of customer data for model training.

5. Legal Basis for Processing

Under POPIA, we process personal information on the following grounds:

• Consent: Job applicants consent to processing when they submit applications through public career pages
• Contractual necessity: Processing account holder data is necessary to perform our service agreement with you
• Legitimate interest: We process data for security, fraud prevention, service improvement, and analytics where our interests do not override your rights
• Legal obligation: We may process data to comply with legal requirements, tax obligations, or lawful requests from authorities

6. Data Sharing

We do not sell, rent, or trade your personal information. We share data only with the following categories of recipients, and only to the extent necessary:

• OpenAI: Redacted CV text and job descriptions for AI scoring and embeddings. OpenAI processes this data under a data processing agreement and does not use it for model training.
• Microsoft Azure: Infrastructure hosting, file storage (Azure Blob Storage for CV files), and email delivery (Azure Communication Services).
• Paddle: Our payment processor receives billing information necessary to process subscription payments. Paddle acts as the Merchant of Record.
• Legal authorities: We may disclose data if required by law, regulation, court order, or governmental request.

7. Data Storage & Security

We implement appropriate technical and organisational measures to protect your data:

• Encryption at rest: Candidate email addresses and phone numbers from public applications are encrypted using AES-128-CBC symmetric encryption (Fernet)
• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS
• Password security: Passwords are hashed using bcrypt with automatic salting
• Access controls: Multi-tenant isolation ensures organisations can only access their own data. Role-based access controls limit actions within organisations
• Authentication: JWT-based authentication with optional TOTP two-factor authentication
• Rate limiting: Login attempts and public application submissions are rate-limited to prevent abuse
• File validation: Uploaded files are validated by type, size, and magic bytes to prevent malicious uploads
• Infrastructure: The Service is hosted on Microsoft Azure with data stored in secure, managed database and storage services

8. Data Retention

• Account data: Retained for the duration of your account and for 30 days after account closure, unless a longer period is required by law
• Candidate data: Retained as long as the employing organisation maintains an active account. Organisations may delete individual candidate records at any time
• Email logs: Retained for 12 months for audit and delivery tracking purposes
• Usage data: Retained for billing and analytics purposes for the duration of the subscription and 12 months thereafter
• Backups: Encrypted backups are retained for up to 30 days and then permanently deleted

9. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights regarding your personal information:

• Right to access: Request confirmation of whether we hold your personal information and obtain a copy
• Right to correction: Request correction or updating of inaccurate or incomplete personal information
• Right to deletion: Request deletion of your personal information where it is no longer necessary or where you withdraw consent
• Right to object: Object to the processing of your personal information on grounds of legitimate interest
• Right to data portability: Request a copy of your data in a structured, machine-readable format
• Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing
• Right to complain: Lodge a complaint with the Information Regulator of South Africa

To exercise any of these rights, please contact us at support@nesthire.io. We will respond within 30 days.

10. Additional Rights for EU/EEA Users (GDPR)

If you are located in the European Union or European Economic Area, the following additional rights and provisions apply under the General Data Protection Regulation:

• Right to restriction: You may request that we restrict the processing of your personal data in certain circumstances
• Right to erasure ("right to be forgotten"): You may request deletion of your personal data, subject to legal retention obligations
• Automated decision-making: AI-generated candidate scores are advisory tools to assist human recruiters. Final hiring decisions are made by humans, not by automated means alone. You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects
• Data Protection Officer: For GDPR-related enquiries, please contact our Information Officer at support@nesthire.io
• Supervisory authority: You have the right to lodge a complaint with your local data protection supervisory authority
• Data Processing Agreement: If your organisation requires a DPA, please contact us at support@nesthire.io

11. International Data Transfers

Your data may be transferred to and processed in countries outside South Africa and the EU/EEA, including the United States, in connection with our use of cloud infrastructure and AI services (Microsoft Azure, OpenAI).

Where such transfers occur, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data processing agreements with all sub-processors
• Technical measures such as encryption and PII redaction to minimise data exposure

12. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us and we will take steps to delete it.

13. Changes to This Notice

We may update this Privacy Notice from time to time. We will notify you of material changes by email or through a notice on the Service at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when this notice was last revised.

14. Contact Us

If you have questions about this Privacy Notice or wish to exercise your data protection rights, please contact:

You may also contact the Information Regulator of South Africa at inforegulator.org.za if you believe your rights have not been adequately addressed.