Data Protection Policy

Last updated: 22 May 2026

Introduction and scope

This policy explains in depth how CareerMap handles personal data and meets its legal obligations. For a plain-English overview, see our Privacy Policy.

This Data Protection Policy sets out how CareerMap fulfils its obligations as a data controller. It is intended for users who want to understand our data handling practices in technical and regulatory depth.

This policy covers compliance with:

UK GDPR and the Data Protection Act 2018
EU General Data Protection Regulation (GDPR) 2016/679
California Consumer Privacy Act (CCPA)

This policy applies to all users of CareerMap regardless of their location. The data controller is CareerMap — contact details are at the end of this document.

Data protection principles

We follow all seven GDPR data protection principles in our day-to-day operations.

Principle	What it means	How we apply it
1. Lawfulness, fairness, transparency	We have a legal basis for all processing and are open about it	This policy and our Privacy Policy explain everything we do with your data
2. Purpose limitation	Data is collected for specific purposes and not reused for other purposes	CV data is only used to build your CV — not for marketing or profiling
3. Data minimisation	We collect only what is strictly necessary	We ask for name and email only at signup — nothing more is required
4. Accuracy	We keep data accurate and up to date	You can update all your information at any time from your account settings
5. Storage limitation	We don't keep data longer than necessary	Account data is deleted within 30 days of an account deletion request
6. Integrity and confidentiality	We protect data with appropriate technical and organisational measures	Encryption in transit, hashed passwords, and secure cloud hosting
7. Accountability	We can demonstrate compliance with all principles	This policy, our security practices, and our internal data register

Legal basis for processing

Processing activity	Legal basis	Details
Creating and managing your account	Contract performance	Necessary to provide the CareerMap service
Personalising career recommendations	Legitimate interests	To make the platform useful and relevant for you
AI CV enhancement	Consent	Only triggered when you click “Enhance with AI” — you control when data is sent
Job listing search	Contract performance	Core feature of the CareerMap service
Sending newsletters	Consent	Only if you subscribe — you can unsubscribe at any time
Security monitoring	Legitimate interests	To protect the platform and all users from fraud and abuse
Analytics	Legitimate interests	Privacy-first, anonymised analytics only — no personal profiling

Data retention schedule

Data type	Retention period	Reason	How to delete
Account information	Until account deleted + 30 days	Account recovery period	Settings → Delete account
CV drafts	Stored in your browser only	Not on our servers	Clear browser data / localStorage
Assessment results	Until account deleted	Part of your profile	Settings → Clear data
Roadmap entries	Until account deleted	Part of your profile	Dashboard → Remove entry
Activity logs	90 days rolling	Security and fraud prevention	Cannot be individually deleted
Support emails	2 years	Legal and dispute resolution	Contact us to request deletion
Anonymised analytics	Indefinite	Product improvement (not personal data)	Cannot be deleted — not personally identifiable

Data subject rights (GDPR Articles 12–23)

Right of access (Article 15)

You can request a copy of all personal data we hold about you.

How: Email privacy@careermap.africa with the subject “Data Access Request”
Response time: Within 1 month (we aim for 5 business days)

Right to rectification (Article 16)

Update any inaccurate data we hold about you.

How: Directly in Settings, or contact us by email
Response time: Immediate via Settings; 5 business days via email

Right to erasure / Right to be forgotten (Article 17)

Delete your account and all associated personal data.

How: Settings → Danger zone → Clear all my data
Response time: Browser data deleted immediately; server data within 30 days
Exceptions: We may retain anonymised analytics and legally required records

Right to restriction (Article 18)

Limit how we use your data without deleting your account.

How: Email privacy@careermap.africa
Response time: Within 5 business days

Right to data portability (Article 20)

Export your personal data in a machine-readable format (JSON).

How: Settings → Export my data
Response time: Immediate

Right to object (Article 21)

Object to processing based on legitimate interests.

How: Email privacy@careermap.africa
Response time: Within 5 business days

Rights related to automated decision-making (Article 22)

CareerMap uses AI for CV enhancement. This is always user-initiated — you click the button, you review the output, and you decide whether to apply any changes. We make no automated decisions that produce legal effects or significantly affect you.

International data transfers

CareerMap may transfer personal data outside the UK/EU when using the following services. All transfers are protected by appropriate safeguards.

Transfer	Destination	Safeguard	More info
Anthropic API (CV enhancement)	USA	Standard Contractual Clauses (SCCs)	anthropic.com/privacy
Adzuna API (job listings)	UK / EU	UK GDPR compliant	adzuna.com/privacy
Vercel (hosting)	Global CDN	Standard Contractual Clauses (SCCs)	vercel.com/legal

We transfer data only to countries with an adequacy decision, or where appropriate safeguards (such as Standard Contractual Clauses) are in place.

Security measures

Technical measures

TLS 1.3 encryption for all data in transit
SHA-256 password hashing — passwords are never stored in plain text
Browser localStorage for sensitive draft data — CV drafts stay on your device
Regular dependency security updates and vulnerability scanning
Input validation and sanitisation throughout the application

Organisational measures

Data minimisation principle applied to every new feature
Third-party services reviewed for GDPR compliance before integration
Incident response plan in place for data breaches
This policy reviewed and updated at least annually

Data breach procedures

In the event of a personal data breach, we will:

Notify the relevant supervisory authority within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms
Notify affected users without undue delay if the breach is likely to result in a high risk to their rights
Log all breaches internally regardless of severity
Take immediate steps to contain and mitigate the breach

To report a suspected breach or security vulnerability, email privacy@careermap.africa immediately.

Third-party processors

We use a small number of carefully selected data processors. All are subject to Data Processing Agreements (DPAs) where required.

Service	Purpose	Data processed	DPA in place
Supabase	Database and authentication	Account data, roadmap, assessments	Yes
Anthropic Claude API	AI CV enhancement	CV bullet points only (no name/email)	Yes
Adzuna API	Live job listings	Target role and location	Yes
Vercel	Hosting and deployment	Anonymised access logs	Yes

Supervisory authority

You have the right to lodge a complaint with your national data protection supervisory authority at any time.

UK users

Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113

EU users

Contact your local data protection authority. Find your authority at: edpb.europa.eu/about-edpb/about-edpb/members

Contact and DPO

Data Protection enquiries

For all data protection requests, questions, and complaints. We aim to respond within 48 hours for general queries and within 5 business days for formal data subject rights requests.

privacy@careermap.africa

[Postal address — to be added]