The data controller for your personal data is SakaMboka, operated from Nairobi, Kenya. For data-related enquiries, contact our Data Protection Officer at [email protected].
Account data: email address and hashed password on registration.
Profile & resume data: your resume text, work history, skills, education, and job preferences that you enter into the profile builder.
API keys: if you supply your own Gemini or Groq API keys, these are stored encrypted at rest using AES-256 (Fernet).
Job interaction data: jobs discovered on your behalf, fit scores, tailored resume files, and cover letter files associated with your account.
Payment data: your M-Pesa phone number, transaction reference, and payment status for credit purchases. We do not receive or store your M-Pesa PIN.
Contact form data: name, email, phone, and message if you contact us via the Get In Touch form.
Usage data: pipeline execution logs (last 500 lines, rolling) stored server-side for diagnostics.
- To provide and operate the job application pipeline service.
- To process credit purchases and record payment history.
- To tailor resumes and generate cover letters using AI providers on your behalf.
- To respond to your enquiries submitted via the contact form.
- To diagnose service errors via pipeline logs.
- To notify you of material changes to these policies (via email).
We do not use your resume or job data to train AI models. Data passed to third-party AI providers (Google Gemini, Groq) is used solely to fulfil your individual request and is subject to those providers' own data retention policies.
Under the Kenya Data Protection Act, 2019, we process your data on the following bases:
- Contractual necessity — processing required to provide the service you signed up for (account data, profile data, pipeline execution, payments).
- Legitimate interests — pipeline logs for error diagnostics and fraud prevention, provided these do not override your rights.
- Consent — contact form submissions, where you voluntarily provide your details.
We do not sell your personal data. We share data only as follows:
- Safaricom (M-Pesa / Daraja API) — your phone number and payment amount are shared to initiate STK Push transactions. Safaricom's own privacy policy applies.
- Google (Gemini AI) — your resume text and job descriptions are sent to Gemini for tailoring and cover letter generation. Google's data processing terms apply.
- Groq — job and resume content is sent to Groq for scoring. Groq's privacy policy applies.
- Google Fonts — font files are loaded from Google servers; your IP address may be logged by Google as a result.
- Infrastructure — your data is hosted on a VPS in Nairobi, Kenya.
We may disclose personal data if required to do so by law or in good faith to comply with legal obligations.
- Account and profile data: retained until you delete your account.
- Tailored resumes and cover letters: retained on the server until you delete your account or individual files.
- Pipeline logs: rolling 500-line buffer per user, overwritten on subsequent runs.
- Payment records: retained for 7 years in compliance with Kenya tax and financial regulations.
- Contact form messages: retained for up to 12 months for follow-up purposes.
Under the Kenya Data Protection Act, 2019, you have the following rights:
- Access (s.26) — request a copy of the personal data we hold about you.
- Rectification (s.27) — request correction of inaccurate or incomplete data.
- Erasure (s.38) — request deletion of your data, subject to legal retention requirements.
- Restriction (s.33) — request that we limit how we process your data in certain circumstances.
- Portability (s.36) — receive your data in a structured, machine-readable format.
- Objection (s.35) — object to processing based on legitimate interests.
- Self-service deletion — you may delete your account at any time from the Profile tab of your dashboard. This removes all personal data except payment records retained for legal compliance.
To exercise any of the above rights, email [email protected]. We will respond within 21 days as required by the DPA.
We implement the following technical measures to protect your data:
- HTTPS enforced on all connections (Let's Encrypt TLS).
- Passwords hashed with bcrypt before storage.
- API keys encrypted at rest with AES-256 (Fernet); the encryption key is stored separately from the database.
- Secure, HttpOnly, SameSite=Lax session cookies.
- Rate limiting on authentication and payment endpoints.
- M-Pesa callback endpoint restricted by Safaricom IP allowlist.
No system is completely secure. If you discover a security vulnerability, please disclose it responsibly to [email protected].
We use a single session cookie to maintain your logged-in state. This cookie is strictly necessary for the service to function and does not track you across other websites. We do not use advertising or analytics cookies.
We may update this Privacy Policy from time to time. We will notify registered users by email at least 14 days before material changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
For any privacy-related questions or to exercise your data rights, contact us at [email protected] or via our contact form.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya at odpc.go.ke.