Privacy Policy
This policy explains how we handle personal information on this Platform (smorg.co.za). We try to collect as little as necessary and be clear about what we do with what we keep.
1. Who we are
CDSoft Ltd is a South African company. We operate this Platform. For the account information of our users we are the responsible party under the Protection of Personal Information Act 4 of 2013 (POPIA). For candidate data that organisations store on the Platform, the organisation is the responsible party and we act as their operator (see section 5).
2. What we collect
For account holders (recruiters and hiring organisations):
- Your name and email address (account creation)
- Organisation name and chosen Platform address (e.g. your-name.smorg.co.za)
- Job listing content you post
- Session data (login state, device type, browser — standard web auth)
For all visitors:
- Basic usage logs (pages visited, actions taken) — used for debugging and improving the Platform
- IP address — retained briefly for security purposes, not used for analytics profiling
3. What we don’t collect
- Payment card details (handled entirely by PayFast — we never see your card number)
- Data from social networks unless you explicitly connect them
- Behavioural tracking across other websites
4. Why we collect it
| Data | Purpose |
|---|---|
| Email address | Account authentication, platform notifications |
| Organisation details | Your branded presence and job listings on the Platform |
| Usage logs | Debugging, platform reliability |
| Session data | Keep you logged in securely |
We do not sell personal information. We do not use your content for advertising.
5. Candidate data in your organisation’s records
The Platform lets organisations store and manage candidate information — applications, CVs, contact details, notes. For that data, the organisation is the responsible party under POPIA and CDSoft Ltd is an operator processing it on the organisation’s instructions. The organisation decides what is collected and why; we store and process it to provide the software.
If you are a candidate whose information is held in an organisation’s records on this Platform: your relationship is with that organisation. Requests for access, correction, or deletion should go to them. If you contact us directly, we will refer your request to the organisation and may act ourselves where the law requires.
6. Who we share data with
We use a small number of infrastructure providers to operate the Platform:
- Cloudflare — hosting, database, CDN, DDoS protection. Data may be processed on servers outside South Africa. Cloudflare is a POPIA-compliant data processor under a data processing agreement.
- Resend — transactional email delivery (login links, notifications). Your email address is shared only to send emails you’ve requested.
- PayFast — payment processing for paid features. The Platform passes you to PayFast’s secure environment to complete payment. We do not receive or store your card details.
- Anthropic (Claude API) — where the Platform extracts structured information from documents your organisation uploads or receives (e.g. CVs attached to applications), document content is sent to Anthropic’s API for extraction. Anthropic does not use this data to train its models under our agreement, and does not retain content beyond the immediate API response.
We do not share your data with third parties beyond what you choose to publish in your organisation’s listings and public pages.
7. Cross-border transfers
Cloudflare and Anthropic operate globally. Your data may be processed outside South Africa. This is permitted under POPIA Section 72 where the recipient is subject to equivalent protection obligations — both Cloudflare and Anthropic satisfy this requirement through their respective data processing agreements.
8. How long we keep your data
| Data | Retention |
|---|---|
| Active account | Held while your account is active |
| Deleted account | Account, organisation, and its records removed within 30 days of deletion |
| Usage logs | 90 days rolling |
| Payment records | 5 years (SARS compliance) |
If your account has been inactive for 12 months, we will email you before deleting it.
9. Your rights under POPIA
As an account holder you have the right to:
- Access — request a copy of the personal information we hold about you
- Correction — ask us to correct inaccurate information
- Deletion — ask us to delete your account and associated data
- Objection — object to specific processing (e.g. marketing emails)
- Complaint — lodge a complaint with the Information Regulator at inforeg.org.za
To exercise any of these rights, contact us. We will respond within 30 days. Candidates whose data is held in an organisation’s records: see section 5.
10. Security
Connections to the Platform are encrypted (HTTPS). Data at rest is encrypted by Cloudflare’s storage infrastructure. Access to production systems is restricted to authorised personnel.
No system is completely immune to breach. If a breach occurs that poses a material risk to your rights, we will notify you and the Information Regulator as required by POPIA.
11. Children
The Platform is not directed at anyone under 18. We do not knowingly collect information from minors.
12. Changes to this policy
If we make material changes to how we handle your personal information, we will notify active users by email at least 14 days before the change takes effect.
Information Officer: Brent Greeff — contact us