Privacy Policy

1. Who does this policy cover?

This policy applies to:

• People browsing, searching, chatting, shopping, or applying through Mthandizi;
• Registered users and people using career or opportunity features;
• Business owners, organization representatives, and their authorized team members;
• Contributors who submit public information or documents; and
• People interacting with organization assistants, widgets, APIs, or communication channels powered by Mthandizi.

2. Who is responsible for your data?

Mthandizi acts as a data controller for account administration, platform security, payments, recommendations, service communications, moderation, analytics, and the operation and improvement of Mthandizi.

When an employer or organization receives an application through Mthandizi, it becomes a separate controller of the application information it receives. For certain organization features, including hosted applicant workflows and private Mthandizi Pro knowledge bases, Mthandizi may also act as a data processor on the organization's documented instructions. Those processor activities are governed by our Data Processing Agreement.

3. What information do we collect?

General users and applicants

• Name, username, email address, phone number, birth year, and district;
• Interests, field of study, education, employment preferences, and recommendation feedback;
• Searches, chat messages, bookmarks, alerts, saved preferences, and platform interactions;
• CVs, cover letters, certificates, application answers, and other documents you choose to submit;
• Orders, enquiries, delivery details, and customer contact information; and
• Browser, device, security, usage, and approximate IP-based location information.

Businesses and organizations

• Business or organization name, category, registration details, address, and public contact information;
• For organization onboarding: the applicant's name, official role, office or programme, work email, and any reference links (such as an official staff page or LinkedIn profile) the applicant chooses to provide to assist verification;
• Owner, representative, and team-member identity, role, and contact details;
• Products, services, prices, images, promotions, opportunities, and public updates;
• Orders, customer enquiries, applicant records, fulfilment, and dispute information;
• Verification, subscription, payment, payout, and account-usage records; and
• Private knowledge content and end-user interactions where Mthandizi Pro is used.

Contributors

• Contributor profile, contact, district, and payout information;
• Submitted content, uploaded files, source information, and attribution details;
• Moderation, originality, quality, and policy-compliance history; and
• Content-performance, credit, earning, withdrawal, and payout records.

We do not collect or store payment-card numbers, mobile-money PINs, or other payment credentials. Payment providers process those details and return transaction status and reference information to us.

4. How do we use personal data?

• Create and manage accounts, profiles, roles, and dashboards;
• Provide search, chat, recommendations, alerts, and saved content;
• Match users with opportunities using declared interests, profile information, or a CV;
• Store career documents and support applications selected by the user;
• Operate shops, business profiles, orders, subscriptions, withdrawals, and payouts;
• Publish, verify, review, moderate, and distribute submitted information;
• Provide Mthandizi Pro, organization assistants, APIs, widgets, and applicant-management tools;
• Deliver support, service communications, and optional marketing or opportunity alerts;
• Detect fraud, abuse, security incidents, and violations of platform rules; and
• Meet legal, accounting, dispute-resolution, and regulatory obligations.

Depending on the activity, our legal basis may be consent, performance of a contract or requested service, legitimate interests, or compliance with a legal obligation. We do not sell personal data or use it for third-party targeted advertising.

5. How do we use AI?

Mthandizi uses artificial intelligence to answer questions, summarize information, extract structured details, support moderation, improve search, and recommend opportunities. AI-generated results may be inaccurate or incomplete and should be checked against original or official sources.

Public and contributor-submitted informational content may be indexed, summarized, embedded, and used to improve Mthandizi's retrieval and information services. CVs, applications, private messages, verification documents, payout information, private uploads, and private organization knowledge are not licensed for general AI training. They may still be processed by AI providers where necessary to deliver a feature requested by the user or organization.

Mthandizi Pro organization knowledge is private by default: it can be retrieved only through the organization's own secret credentials and dashboard. Authorized organization administrators may publish selected knowledge documents to the organization's public widget, in which case information extracted from those documents may be returned in answers shown to members of the public. Knowledge that has not been published in this way is excluded from public-widget retrieval and from general AI training.

Mthandizi does not make final hiring, payment, credit, or account-termination decisions solely through automated processing. Recommendations, match scores, summaries, and moderation flags assist people and do not guarantee eligibility, selection, employment, funding, or any other outcome.

6. Who receives personal data?

We may disclose the minimum information required to:

• Cloud hosting, storage, database, search, and infrastructure providers;
• AI and language-model providers processing a requested query or document;
• Email, SMS, push-notification, WhatsApp, and communication providers;
• Payment, payout, fraud-prevention, and security providers;
• Businesses fulfilling an order or responding to a customer enquiry;
• Employers or organizations receiving an application selected by the applicant; and
• Regulators, courts, or law-enforcement authorities where disclosure is legally required.

Providers process data under contractual and security obligations. Some providers process data outside Malawi. We use appropriate contractual, technical, and organizational safeguards for cross-border processing as required by applicable law.

7. How long do we retain information?

• Account information: while the account remains active and for any short period needed to complete deletion and prevent abuse;
• Search and ordinary chat history: normally up to 30 days;
• CVs and private documents: until deleted, the account closes, or the relevant application, review, or organization workflow ends;
• Applications: while required for recruitment, data-subject requests, disputes, or applicable legal obligations;
• Orders and payment records: for accounting, fraud prevention, fulfilment, and dispute handling;
• Communication records: normally up to 90 days unless a longer period is reasonably required;
• Contributor and payout records: while required for payment, accounting, fraud prevention, or disputes; and
• Security and audit records: for a limited period proportionate to the security or compliance purpose.

Account deletion removes or anonymises personal data, except where records must be retained for accounting, legal claims, fraud prevention, public-information integrity, or regulatory obligations.

8. How do we protect information?

• HTTPS/TLS encryption for data in transit;
• Private storage and signed access for sensitive uploaded documents;
• Verification evidence is requested only where needed, kept only for as long as the verification decision requires, and can be removed by the uploader before review concludes;
• Role-based and tenant-scoped access controls;
• Application-level protection for particularly sensitive payout information;
• Security logging, rate limits, verification, and abuse-prevention controls; and
• Periodic security and access reviews.

No online service is perfectly secure. We investigate suspected incidents and follow applicable recordkeeping and breach-notification requirements.

9. What rights do you have?

Subject to applicable law, you may request to:

• Access personal data held about you;
• Correct inaccurate or incomplete data;
• Receive an available portable copy of your data;
• Delete data that no longer has a lawful or necessary purpose;
• Restrict or object to certain processing;
• Withdraw consent without affecting earlier lawful processing; and
• Request human review of a significant automated decision.

Use your account settings or contact us at privacy@mthandizi.com. You may also complain to the Malawi Communications Regulatory Authority (MACRA) in its capacity as Malawi's Data Protection Authority.

10. Cookies, local storage, and analytics

We use essential cookies and browser storage for authentication, security, session continuity, preferences, and PWA functionality. We may use privacy-conscious analytics to understand aggregate performance and usage. We do not use advertising cookies or cross-site advertising profiles. Where an optional cookie or similar technology requires consent, it will not be activated after you choose “Essential only.”

11. Children

Creating an account, uploading personal information, applying for opportunities, becoming a contributor, registering a partner, or making a purchase requires the user to be at least 18 years old. People under 18 may browse public information with appropriate parental or guardian supervision but must not submit personal information without lawful authorization.

12. Changes and contact details

We may update this policy as our services, practices, or legal obligations change. Material changes will receive a new effective date and will be communicated through the platform or email. Where appropriate, registered users will be asked to review and accept a new version. Continued use alone will not be treated as consent where an affirmative choice is required.