Kuntum & Embun ("Kuntum", "we", "our") is an AI-powered recruitment platform built for the Malaysian tech market. This policy explains what personal data we collect, why we collect it, how we protect it, and what rights you have under the Personal Data Protection Act 2010 (Malaysia).
1. What we collect
- Account data — your email address and a salted password hash (we never store the password itself); authentication is managed by Supabase Auth.
- Candidate profile — your full name, professional headline, current role, years of experience, skills, salary expectations, work-arrangement preferences, location preferences, referral source, AI-generated profile summary derived from your resume.
- Resume — the PDF you upload and the text we extract from it. Both are stored encrypted at rest.
- Communications — your WhatsApp phone number (if you opt in) and your message frequency preference (proactive / on demand / never). Message bodies are sent on our behalf by Twilio, which therefore receives your number and the message content.
- Employer profile (Embun) — your full name, company name, company website, and email when you sign up to hire on Embun.
- Waitlist data — if you join the Embun hiring waitlist, your email and optional company name and notes.
- Technical data — IP address (hashed before storage), browser user agent string (transient, not stored), session cookies (see Cookies).
2. Why we collect it
Lawful basis under PDPA §6: explicit consent at signup and onboarding.
- Match candidates with relevant Malaysian tech jobs.
- Send you transactional WhatsApp messages: interview reminders, match alerts, hiring-manager pings — only at the frequency you choose.
- Send transactional emails: account creation, deletion notices, password reset, email-change confirmations.
- (If you opt in separately) marketing updates about new features and career resources.
3. How we protect it
- Encryption at rest. Resumes, WhatsApp numbers, AI profile summaries, and other sensitive PII columns are encrypted with AES-256-GCM before being written to the database.
- Row-level security. Every database table enforces access policies — you can only read or modify your own data.
- Audit log. Every privacy-sensitive action is recorded for compliance review and litigation defense. Audit logs are retained for 5 years per PDPA §40 and Malaysian Companies Act retention norms.
- Server-side processing. Decryption only happens on our servers, scoped to your authenticated session.
4. Sub-processors
We use the third-party services listed at /legal/sub-processors. Each entry names the service, the data we share with it, the region/jurisdiction, and a link to its own privacy policy.
4.1 Optional LinkedIn profile data enrichment
During onboarding, you may choose to import your profile from LinkedIn instead of uploading a CV or filling in your details manually. If you select this option, we use Apify Limited (an EU-based service provider, listed at /legal/sub-processors) to retrieve publicly-available profile data on your behalf.
- Data shared with Apify: the LinkedIn profile URL you provide.
- Data returned to us: publicly-available profile fields (name, headline, work history, education, skills) as they appear on your LinkedIn profile.
- Opt-in only: this enrichment runs only when you explicitly choose "Import from LinkedIn" and tick the consent checkbox. You may decline and provide your information via CV upload or our manual profile builder instead; neither path contacts Apify.
- Apify privacy practices: apify.com/privacy-policy
5. Data subject rights (PDPA §30, §34, §38, §43)
- Access (§30). Download all your data as JSON or CSV via /account/data.
- Correction (§34). Edit your profile via /account/profile, change your email via /account/email, or write to privacy@kuntum.app.
- Deletion (§38). Request account deletion via /account/data. We hold the request for 30 days, during which you can cancel; after that, your account, profile, resume, matches, and communications history are permanently deleted.
- Withdrawal of consent (§38). Toggle marketing or WhatsApp notifications via /account/notifications.
- Documentation of processing (§43). The export includes timestamps and processing context for your records.
- Complaint to PDP Commissioner. If you believe we have mishandled your data, you may complain directly to the Personal Data Protection Commissioner of Malaysia.
6. Cross-border transfer (PDPA §39)
Your data may be processed outside Malaysia by our sub-processors: Supabase (Singapore + global), Vercel (global edges), Azure OpenAI Service (selected Azure region), Twilio (US), Resend (US), and Apify Limited (Czech Republic / EU — only when you explicitly opt in to LinkedIn import). By creating an account, you consent to this cross-border processing.
7. Retention
- Active candidate accounts — kept while you use the service. After 24 months of inactivity (no login), we anonymise PII (drop name, headline, encrypted resume blobs) and at 36 months we hard-delete the row.
- Resume PDFs in storage — deleted within 30 days of your account deletion request being processed.
- WhatsApp message logs — retained 6 months for delivery audit and abuse detection.
- Match scores — retained 12 months after last activity on the candidate or the linked job posting.
- Embun hiring waitlist — retained until Embun launches or you request deletion, whichever comes first.
- Audit log — 5 years (PDPA §40 + Malaysian Companies Act).
8. Children
Kuntum & Embun is a service for users aged 18 and above. We do not knowingly collect data from minors. If you are under 18, do not register or submit personal data through our service. If you become aware that a minor has registered, contact us at privacy@kuntum.app and we will delete the account.
9. Breach response
If we detect a security incident affecting your data, we will: (1) pause affected writes via a feature flag, (2) rotate the encryption key, (3) notify affected users within 72 hours per PDPA §12B, and (4) document the incident in our security log.
10. Contact
For any data subject rights request, breach concern, or general privacy question, contact us at privacy@kuntum.app. We aim to respond within 21 days as required by PDPA §43.
11. Changes to this policy
Material changes are announced via email and reflected in the "Last updated" date at the top of this page. Continuing to use the service after a change indicates acceptance of the updated policy.