Legal

Privacy Policy

Last updated: 18 March 2025 · Jurisdiction: Africa

RoleForge (“we”, “our”, or “us”) is committed to protecting your personal data. This Privacy Policy explains what information we collect, why we collect it, and how we use and protect it. It is written in plain English and is designed to meet the standards of the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) — the continental framework for data protection across Africa — and the applicable data protection laws of the jurisdictions in which our users are based.

We also apply GDPR-aligned practicesas an international best-practice benchmark, and we respect national data protection laws across Africa, including but not limited to the Kenya Data Protection Act 2019, Nigeria's NDPR, South Africa's POPIA, Ghana's Data Protection Act, and Rwanda's Law No. 058/2021.

Who We Are

RoleForge is an AI-powered job search and CV builder platform built exclusively for African professionals seeking local, remote, and international job opportunities. When this policy refers to “RoleForge”, it means the company and its products, including the website at getroleforge.com and any related mobile or web applications.

For the purposes of applicable data protection law, RoleForge acts as a data controller for the personal information you provide directly, and as a data processor where we handle data on behalf of third-party services you connect (for example, your LinkedIn profile).

Our designated Data Protection Officer (DPO) can be reached at privacy@getroleforge.com.

Data We Collect

We collect personal data in the following categories:

Account & Identity Data

Full name and email address (provided during sign-up or via OAuth)
OAuth tokens and profile data from Google or LinkedIn when you choose to sign in with those services
Password (stored as a one-way cryptographic hash — never plain text)

Professional Profile Data

Job title, work history, education, skills, and other information you enter into your RoleForge profile
Resume and CV content — including documents you upload or build using our CV builder tool
Job application history and saved jobs
Country of residence and location data — used to verify eligibility (the platform is available to African residents only) and to personalise job recommendations
Job preferences — including preferred job type, work arrangement (remote, hybrid, on-site), target regions or countries, and industry preferences

Usage & Technical Data

Pages visited, features used, search queries, and clickstream data
Device type, operating system, browser type and version, IP address, and approximate location (country/city level)
Session duration and interaction timestamps

Communications Data

Messages you send to our support team, feedback submissions, and survey responses

Data We Do Not Collect

We do not intentionally collect special-category data such as racial or ethnic origin, political opinions, health data, or biometric data. Please do not include such information in your CV or profile unless it is genuinely relevant and you consent to it being processed.

How We Use Your Data

We use your personal data only for the purposes described below. We will not use it in ways that are incompatible with the purposes for which it was originally collected without first seeking your consent.

Purpose	Data used
Providing and operating the RoleForge platform	Account data, professional profile data
AI-powered job matching and recommendations	Professional profile, job application history, usage data
Generating tailored CVs and cover letters	CV content, job descriptions you provide
Tracking your job applications	Application history, profile data
Submitting your application to an employer on your instruction (including international and remote employers in Europe, the USA, and elsewhere)	CV content, cover letter, profile data, contact details
Verifying African residency eligibility	Country of residence, IP address
Sending transactional emails (e.g., password reset)	Email address
Sending product updates and newsletters (only with your consent)	Email address, usage preferences
Improving and developing the platform (analytics)	Anonymised and aggregated usage data
Fraud prevention and platform security	Technical data, account activity logs
Complying with legal obligations	As required by applicable law

Legal Basis for Processing

We must have a lawful basis for processing your personal data under applicable data protection law. We rely on the following bases, which are recognised across African data protection frameworks (including the Malabo Convention, Kenya DPA, NDPR, POPIA, and GDPR):

Consent

When you create a RoleForge account you provide explicit, informed consent to the collection and processing of your personal data as described in this policy. You have the right to withdraw consent at any time (see Section 8). Withdrawing consent will not affect the lawfulness of processing that occurred before withdrawal.

We also rely on consent for optional activities such as marketing emails and the use of non-essential cookies.

Performance of a Contract

Much of our processing is necessary to perform the contract between you and RoleForge — i.e., to deliver the platform services you have signed up to use. Without this processing we could not provide job matching, the CV builder, or application tracking.

Legitimate Interests

We process certain data on the basis of our legitimate interests, including fraud detection, platform security, and improving our services through analytics. We have conducted a legitimate interests assessment and are satisfied that these interests are not overridden by your rights and freedoms.

Legal Obligation

We may process data where we are required to do so by applicable law, including cybercrime legislation in the jurisdictions in which we operate.

Sharing Your Data

We do not sell your personal data. We share it only in the following circumstances:

Employers (Upon Your Instruction)

When you choose to apply for a job through RoleForge, we transmit your CV, cover letter, and relevant profile data to the employer on your explicit instruction. This is the primary act of data sharing on our platform.

Key facts about employer data sharing:

You initiate every application. We only send your data to an employer when you take a deliberate action to apply.
Employers become independent data controllers. Once your application data is received by an employer, that employer controls how it is used, stored, and retained under their own privacy policies. This is particularly significant for employers based in the European Union (who are subject to GDPR) or the United States.
RoleForge is not responsible for employer data handling after your application is submitted. We encourage you to review the employer's privacy policy before applying.
International transfers. Applying to employers in Europe, America, or elsewhere means your personal data will be transferred to those jurisdictions. See Section 6 for details.

Service Providers (Data Processors)

We engage trusted third parties to help us operate RoleForge. These providers act as data processors under binding agreements and may only use your data on our instructions:

Google — OAuth sign-in and, where applicable, Google Cloud infrastructure services
LinkedIn — OAuth sign-in and professional profile import
AI Providers (OpenAI / Anthropic) — processing CV content and job descriptions to generate tailored resume text. These providers process data transiently and are contractually prohibited from training their models on your personal data submitted through our platform.
Hosting & Infrastructure Providers — cloud hosting, database storage, content delivery, and email delivery services
Analytics Providers — aggregated, anonymised usage analytics (see Section 9)

Legal Requirements

We may disclose your data to law enforcement, regulators, or courts where we are legally required to do so under applicable law or by a valid court order.

Business Transfers

If RoleForge is acquired, merged, or its assets are transferred, your data may be transferred as part of that transaction. We will notify you before any such transfer and ensure the receiving party is bound by equivalent privacy protections.

With Your Explicit Consent

We will share data with any other party only where you have given us clear, specific consent to do so.

International Transfers

RoleForge is an African platform and we store your personal data within Africa where possible. However, international data transfers occur in two distinct ways:

1. Applications to International Employers

RoleForge curates job listings from employers worldwide — including remote roles from companies in Europe, the United States, and elsewhere. When you apply to a job outside Africa, your CV, cover letter, and profile data are transferred to that employer's jurisdiction.

For EU employers, your data enters the European Economic Area and is subject to GDPRon the employer's side. EU employers are required by GDPR to handle your data lawfully and to provide you with certain rights.
For US employers, your data is subject to applicable US federal and state privacy laws (such as CCPA in California).
By submitting an application through RoleForge you give your explicit, informed consent to the transfer of your application data to the employer in their jurisdiction. You may withdraw from an application process by contacting the employer directly.

2. Infrastructure and AI Service Providers

Some of our third-party service providers (including AI providers and cloud infrastructure) are based outside Africa and process data in the United States and the European Union.

Where data is transferred outside Africa, we ensure that appropriate safeguards are in place consistent with the African Union Malabo Convention and applicable national data protection laws, including:

Transfers only to countries or processors that provide an adequate level of data protection, as assessed by the relevant data protection authority
Standard contractual clauses or data processing agreements that require the recipient to protect personal data to an equivalent standard
Binding corporate rules or equivalent intra-group transfer mechanisms where applicable

As more African states ratify the Malabo Convention and enact national data protection legislation, we will continuously align our practices to meet the applicable requirements across all jurisdictions where our users reside.

Data Security

We take the security of your personal data seriously. Our technical and organisational measures include:

Encryption in transit — all data is transmitted over HTTPS/TLS
Encryption at rest — sensitive data fields (including CV content) are encrypted in our database
Password hashing — passwords are stored using a strong, salted one-way hash (bcrypt or equivalent); we never store passwords in plain text
Access controls — internal access to personal data is limited to staff who need it to perform their role, governed by role-based access controls
Regular security reviews — we conduct periodic vulnerability assessments and penetration testing
Incident response — in the event of a personal data breach, we will notify affected users and the relevant data protection authority within the timeframes required by applicable law

While we take all reasonable precautions, no system is perfectly secure. You should also protect your account by using a strong, unique password and enabling two-factor authentication where available.

Data Retention

We retain your personal data for as long as your account is active. After you delete your account:

Account and profile data is permanently deleted within 90 days of the deletion request
Anonymised, aggregated analytics data (which cannot identify you) may be retained indefinitely for platform improvement purposes
Data we are required to retain for legal compliance purposes (e.g., financial records) will be kept only for the period required by law

Your Rights

Under applicable African and international data protection law, you have the following rights in relation to your personal data. You can exercise most of these rights directly from your account settings page, or by contacting us at privacy@getroleforge.com.

Right of Access

You have the right to request a copy of the personal data we hold about you. We will respond to access requests within 21 days.

Right to Rectification (Correction)

If the data we hold is inaccurate or incomplete, you have the right to have it corrected. You can update most profile information directly in your account settings.

Right to Erasure (Deletion)

You may request that we delete your personal data. We will honour deletion requests subject to any legal retention obligations. Note the 90-day post-deletion retention window described in Section 7.

Right to Data Portability

You may request a machine-readable export of the personal data you have provided to us (e.g., your profile, CV data, and application history) in a commonly used format (JSON or CSV).

Right to Object to Processing

You may object to processing based on legitimate interests or for direct marketing purposes at any time. We will stop the relevant processing unless we can demonstrate compelling legitimate grounds.

Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time without penalty. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right Not to Be Subject to Automated Decision-Making

You have the right not to be subject to decisions made solely by automated means that produce a significant legal or similarly significant effect on you. Our AI features generate suggestions to assist you — final decisions about your job applications are always made by you.

We will respond to all rights requests within 21 days. In complex cases we may extend this by a further 21 days, and we will notify you if that extension is needed.

Cookies & Tracking

We use cookies and similar tracking technologies on the RoleForge platform. Cookies are small text files placed on your device by your browser.

Types of Cookies We Use

Type	Purpose	Can opt out?
Strictly necessary	Session management, authentication, security (CSRF tokens). Required for the platform to function.	No — essential
Analytics	Measuring how users interact with the platform so we can improve it. Data is aggregated and anonymised where possible.	Yes — see below
Preference	Remembering your settings (e.g., theme or language preference).	Yes

Opting Out of Analytics

You can opt out of non-essential cookies at any time via the Cookie Settings link in the footer of any page, or by adjusting your browser settings. Note that opting out of analytics cookies does not affect the platform's core functionality.

Do Not Track

We honour browser-level “Do Not Track” signals where technically feasible.

Children's Privacy

RoleForge is a professional job platform intended for adults. Our services are not directed at persons under the age of 18. We do not knowingly collect personal data from children.

If you are a parent or guardian and believe that a child under 18 has created an account or submitted personal data to us, please contact us immediately at privacy@getroleforge.com and we will take prompt steps to delete the information and close the account.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

Update the “Last updated” date at the top of this page
Send you an email notification to the address associated with your account (for material changes)
Display a notice within the platform on your next login, where appropriate

We encourage you to review this policy periodically. Continued use of RoleForge after the effective date of any changes constitutes your acceptance of the updated policy.

Contact & Regulator Complaints

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a concern about how we handle your data, please contact our Data Protection Officer:

RoleForge — Data Protection Officer
Email: privacy@getroleforge.com
Website: getroleforge.com

How to Complain to Your Data Protection Authority

If you are not satisfied with our response, or believe we are processing your data unlawfully, you have the right to lodge a complaint with the data protection authority in your country. Below are the relevant authorities for key African jurisdictions:

Country	Authority	Website
Kenya	Office of the Data Protection Commissioner (ODPC)	odpc.go.ke
Nigeria	Nigeria Data Protection Commission (NDPC)	ndpc.gov.ng
South Africa	Information Regulator (POPIA)	inforegulator.org.za
Ghana	Data Protection Commission (DPC)	dataprotection.org.gh
Rwanda	National Cyber Security Authority (NCSA)	ncsa.gov.rw

If your country is not listed above, please contact your national telecommunications or ICT regulatory authority, which typically handles data protection matters where a dedicated authority does not yet exist.

We ask that you contact us first so that we have the opportunity to address your concern directly, but you are always free to contact your local regulator at any time.