Privacy Policy

1. Introduction and Responsible Party

Career Step ("we", "our", or "us") is the responsible party for the processing of your personal information as defined in POPIA. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our CV creation and job readiness platform.

By using Career Step, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and processing of your personal information as described herein.

2. Information Officer

In accordance with POPIA, we have appointed an Information Officer responsible for ensuring compliance with data protection requirements:

3. Personal Information We Collect

3.1 Information You Provide Directly

When you register and use our Service, we collect:

• Identity Information: Full name, ID number (if provided for verification);
• Contact Information: Email address, phone number;
• Location Information: City, province;
• Professional Information: Work experience, job titles, employers, dates of employment, job descriptions;
• Educational Information: Qualifications, institutions, fields of study, graduation dates;
• Skills and Certifications: Professional skills, certificates, licences;
• References: Names and contact details of professional references you choose to include;
• Account Credentials: Email address and encrypted password.

3.2 Information Collected Automatically

When you use our Service, we automatically collect:

• Device Information: Device type, operating system, browser type and version;
• Usage Data: Pages visited, features used, time spent on the platform;
• Log Data: IP address, access times, referring URLs;
• Cookies and Similar Technologies: As described in our Cookie Policy.

3.3 Payment Information

Payment information (credit card numbers, bank account details) is processed directly by our payment provider, PayFast. We do not store your full payment card details on our servers. We only receive confirmation of successful payments and basic transaction records.

4. Purpose of Processing

We process your personal information for the following purposes:

5. AI Processing and Your Data

6. Data Sharing and Third Parties

We do not sell your personal information. We may share your information only in the following circumstances:

6.1 Service Providers

• PayFast: Payment processing (South African payment gateway, POPIA compliant);
• AI Service Providers: Content enhancement processing (data is transmitted securely and not retained);
• Cloud Infrastructure: Secure data storage and hosting;
• Analytics Providers: Anonymous usage analytics to improve our Service.

6.2 Legal Requirements

We may disclose your information when required by South African law, court order, or government request, or to protect our legal rights.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred. We will notify you of any such change.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal information:

• Encryption: All data transmitted to and from our Service is encrypted using TLS/HTTPS;
• Password Security: Passwords are hashed using industry-standard algorithms and never stored in plain text;
• Access Controls: Access to personal information is restricted to authorised personnel only;
• Secure Infrastructure: Our systems are hosted on secure cloud infrastructure with regular security updates;
• Monitoring: We monitor for security threats and unauthorised access attempts.

While we take reasonable precautions, no method of transmission over the Internet is 100% secure. You are responsible for keeping your account credentials confidential.

8. Data Retention

We retain your personal information for as long as necessary to:

• Provide you with the Service while your account is active;
• Comply with legal, accounting, or reporting requirements;
• Resolve disputes and enforce our agreements.

Retention Periods:

• Active Accounts: Data retained for the duration of your subscription;
• Deleted Accounts: Personal data permanently deleted within 30 days of account deletion request;
• Financial Records: Payment records retained for 5 years as required by South African tax law;
• Anonymised Analytics: May be retained indefinitely for service improvement.

9. Your Rights Under POPIA

Under the Protection of Personal Information Act, you have the following rights:

To exercise any of these rights, please contact us at support@careerstep.co.za. We will respond to your request within 30 days.

10. Cross-Border Data Transfers

Your personal information may be processed by service providers located outside South Africa (e.g., cloud infrastructure, AI services). When we transfer data internationally, we ensure that:

• The recipient country has adequate data protection laws; or
• The recipient is bound by a binding agreement ensuring POPIA-equivalent protection; or
• You have provided consent for the specific transfer.

11. Data Breach Notification

In accordance with POPIA, if we become aware of a data breach that may compromise the security of your personal information:

• We will notify the Information Regulator as soon as reasonably possible;
• We will notify affected individuals if the breach poses a risk of harm;
• We will provide details of the nature of the breach and steps you can take to protect yourself;
• We will take immediate steps to mitigate any potential harm;
• We maintain incident response procedures to handle security incidents effectively.

12. Children's Privacy

Our Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@careerstep.co.za. If we become aware that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information.

13. Direct Marketing

We may send you information about our services, updates, and promotional content. In accordance with POPIA:

• We will only send marketing communications if you have opted in or if we have a legitimate interest;
• You may opt out of marketing communications at any time by clicking "unsubscribe" in our emails or updating your account preferences;
• Opting out of marketing does not affect service-related communications (e.g., subscription confirmations, security notices).

14. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience. These include:

• Essential Cookies: Required for the Service to function (authentication, security);
• Analytics Cookies: Help us understand how users interact with our Service;
• Preference Cookies: Remember your settings and preferences.

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect functionality.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes:

• We will update the "Effective Date" at the top of this page;
• For material changes, we will notify you via email or prominent notice on our platform;
• We encourage you to review this policy periodically;
• Your continued use of the Service after changes constitutes acceptance of the updated policy.

16. Information Regulator

If you are not satisfied with how we handle your personal information or our response to your requests, you have the right to lodge a complaint with the Information Regulator of South Africa: