Privacy Policy

Last updated: May 27, 2026

PLEASE READ THIS PRIVACY POLICY CAREFULLY. IT SPECIFIES WHAT PERSONAL DATA WE COLLECT, HOW IT IS PROCESSED, AND YOUR STATUTORY RIGHTS UNDER APPLICABLE LAWS.

Tellus operates as a job application tracking and submission platform. We are committed to protecting the privacy and personal data of our users in compliance with the Data Protection Act, 2019 (Laws of Kenya) and the General Data Protection Regulation (GDPR). This Privacy Policy explains our practices regarding the collection, use, storage, and protection of information derived from your account registration, resume uploads, and integration settings.

1. Data Controller and Contact Information

The data controller for Tellus is Tellus Job Platform. For any data protection inquiries, requests to exercise your rights, or questions regarding this policy, you can contact our designated Data Protection Officer at:

Email: privacy@tellusjobs.site

2. Categories of Data We Collect

We only collect and process personal data that is strictly necessary to run the platform and fulfill our service commitments. This includes:

  • Account Credentials: Full name, email address, password hashes, and referral connection metrics used to secure your account and manage plan upgrade tiers.
  • Resume and Qualification Materials (CV): Text extracted from uploaded resumes, including employment history, educational qualifications, list of skills, professional certifications, and contact phone numbers.
  • Integrations and Access Tokens: Encrypted Google OAuth refresh and access tokens, Google email addresses, and temporary session keys (such as browser session cookies) that you explicitly supply to link your external job board profiles.
  • Activity Logs and System Audits: Timestamps of email applications sent, job monitor match history, scraper tracking metrics, API execution counts, login security logs, and error telemetry.

3. Processing Purposes and Legal Bases

Under the Data Protection Act, 2019 and GDPR, we process your personal data under the following legal grounds:

  • Performance of a Contract: We process your credentials, CV text, and job match queries to perform text matching, compile application emails, structure draft templates, and automatically send job application emails as requested.
  • Consent: We store your resume files in cloud storage buckets and maintain linked Google API connections based on your explicit consent. You can withdraw your consent at any time by deleting files or removing integration links.
  • Legitimate Interests: We log login failures and account lockout events to defend the platform against security threats, manage API request rate limits, and audit the system for referral scheme fraud.
  • Legal Compliance: Keeping records of transactions, audits, and email activity to satisfy local regulatory reporting and anti-spam laws.

4. Google API Integration & Scope Usage

When you enable Gmail and Google Drive integration, the platform requests specific authorization scopes. We handle this data with strict isolation:

  • Data Minimization: We request only the permissions necessary to compile and send emails (Gmail send scope) and save application folders (Drive and Docs access).
  • No Retention of Email Contents: We do not store or download copy logs of your incoming personal emails or private Drive folders. The integration is used solely as a one-way pipeline to output application materials created within Tellus.
  • Token Protection: Your access tokens and refresh tokens are encrypted at rest in our database using standard cryptographic keys and are never exposed in browser scripts or URL parameters.

5. Sub-Processors and Data Transfers

We do not sell, rent, or trade your personal data with third-party advertising companies or recruitment agencies. To operate the service, we share specific data with the following infrastructure sub-processors:

  • Supabase: For cloud hosting, database management, user authentication services, and row-level secured storage of resume files.
  • Cloudflare: For edge network routing, request filter checking, web application firewalls (WAF), and Turnstile security challenge validation.
  • Google APIs: Acting as the external mail transmission channel to broadcast application cover letters under your control.

6. Data Security and Safeguards

Tellus uses layers of physical, administrative, and technical controls to secure your data:

  • Encryption: All data is encrypted in transit using Transport Layer Security (TLS 1.3) and encrypted at rest within our database.
  • Row-Level Security (RLS): Our database enforces strict Postgres RLS policies, ensuring that a user can only read, write, update, or delete records matching their authenticated Supabase User ID.
  • Injection Protection: All system outputs and form values are parsed and sanitized to strip control characters, preventing email header injections, SQL injections, and cross-site scripting (XSS).

7. Data Retention and Deletion Timelines

We retain your data only for as long as your account remains active.

  • User-Initiated Deletion: If you trigger account deletion in the settings dashboard, our systems immediately cascade the request to wipe all database rows (resumes, matches, settings, integrations, audit records) and delete stored CV documents.
  • System Purges: Cached files, transient job scraper outputs, and telemetry data are cleaned from our servers periodically. Lockout logs are preserved for security audit purposes for a maximum of 90 days.

8. Your Statutory Rights

Under both GDPR and the Kenya Data Protection Act, 2019, you have specific rights that you can exercise directly without a fee:

  • Right to Access and Portability: You can download a complete structured JSON file containing all database records associated with your account from the Settings page.
  • Right to Erasure (Wiping): You can completely erase all profile data, files, and third-party integrations using the text-verified account deletion panel.
  • Right to Rectification: You can modify your name, contact fields, and job preferences at any time in the profile interface.
  • Right to Object or Restrict Processing: You can revoke third-party API integration keys or delete your uploaded CV, which immediately stops matching processes.

9. Changes to This Privacy Policy

We may revise this Privacy Policy to reflect changes in our security configurations, infrastructure sub-processors, or statutory updates under Kenyan law or GDPR. Any update will be marked with a revised date at the top of this page, and users will be notified on the dashboard of any material shifts in data handling practices.