Where Careers Grow and Privacy is Respected
At EmployTree, we believe growth begins with trust. Whether you're planting the seeds of a new career or searching for the right candidate, your personal information deserves to be treated with care. Our Privacy Policy guides you through how we collect, use, and protect your data, always with transparency and intention. You're safe here, and your journey matters.
Privacy Policy
EmployTree (Pty) Ltd (referred to below as “EmployTree,” “we,” or “us”) operates a job‑board and recruitment platform for job‑seekers and employers. This Privacy Policy sets out how we collect, use, disclose and protect personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA). The policy applies to personal information we process about job‑seekers (individuals submitting CVs) and companies (employers, recruiters or other corporate users) when using our website and services.
EmployTree is a responsible party under POPIA because we determine the purposes and means of processing personal information. The policy covers all processing done on our platform, whether it takes place in South Africa or in another country (e.g., storage on Wix’s servers). Third‑party service providers who process personal information on our behalf (operators) are also contractually bound by POPIA’s obligations.
| Term | Definition |
| --- | --- |
| Child | A natural person under the age of 18 years. |
| Competent person | Any person who is legally competent to consent to the processing of a child’s personal information. |
| Consent | Any voluntary, specific and informed expression of will permitting the processing of personal information. |
| Data subject | The person (individual or company) to whom the personal information relates. |
| Operator | A person or entity that processes personal information for a responsible party in terms of a contract without coming under the responsible party’s direct authority. Third‑party services (e.g., payment processors) act as operators. |
| Personal Information | Information relating to an identifiable individual or juristic person, including contact details, identity numbers, employment history, education, financial information, communication records, opinions, and biometric information. |
| Processing | Any operation concerning personal information, such as collection, recording, organisation, storage, retrieval, use, dissemination, or destruction. |
| Responsible party | A public or private body that determines the purpose of and means for processing personal information. EmployTree is the responsible party when processing personal information of job‑seekers and employers. |
| Special personal information | Information relating to race, religious or philosophical beliefs, trade‑union membership, political persuasion, health or sex life, biometric data or criminal behaviour. |
POPIA requires that personal information may only be processed on a lawful basis and in a reasonable manner that does not infringe the data subject’s privacy. EmployTree relies on the following lawful grounds under section 11 of POPIA:
- Consent – we obtain voluntary, specific and informed consent from job‑seekers and employers before collecting and processing their personal information. Users may withdraw consent at any time by contacting us; withdrawal does not affect the lawfulness of prior processing.
- Contractual necessity – some processing is necessary to perform or conclude a contract with the data subject (e.g., to enable job applications or subscription services).
- Legal obligation – processing may be required by law (e.g., tax or employment legislation).
- Legitimate interests – we may process personal information to pursue legitimate interests of EmployTree or a third party, provided such interests are not overridden by the data subject’s rights and the processing is necessary and proportionate.
- Public interest – in limited circumstances, processing may be necessary to carry out tasks in the public interest or to protect the vital interests of data subjects.
If we need to process special personal information (see below) or information about children, we will obtain explicit consent or rely on other authorisation available under sections 27 and 35.
Purpose specification and collection
Personal information must be collected for a specific, explicitly defined and lawful purpose related to our job listing services. We collect personal information only to:
- Create and manage user accounts;
- Post or apply for job vacancies;
- Facilitate communication between job‑seekers and employers;
- Process payments for paid plans;
- Provide marketing and service updates (where permitted under section 69); and
- Comply with legal obligations.
We collect most personal information directly from the data subject. Section 12 of POPIA states that personal information must be collected from the data subject themselves unless an exception applies, such as when information is contained in a public record, the data subject has consented to collection from another source, or collection from another source does not prejudice the data subject. When collecting personal information, we notify the data subject of the following as required by section 18:
- Our identity and contact details;
- The purpose for collecting the information;
- Whether the supply of information is voluntary or mandatory and the consequences of failing to provide it;
- Any law authorising the collection;
- Whether the information will be transferred to a third country and the level of protection;
- Recipients or categories of recipients to whom the information may be supplied; and
- The data subject’s rights to access, correct, object or complain.
This notification is provided in this Privacy Policy or at the point of data collection.
We only process personal information that is adequate, relevant and not excessive for the purpose and we take reasonably practicable steps to ensure that it is complete, accurate, not misleading and updated when necessary.
| Type | Explanation |
| --- | --- |
| Account credentials | Username and password for platform access |
| Communication data | Correspondence between job‑seekers and employers, inquiries sent to our support team and any chat messages |
| Company information | Business name, industry, size, contact persons, and recruitment needs |
| Contact details | Name, email address, telephone numbers, postal address |
| Identification and profile data | CV or résumé information (e.g., education, employment history, skills, languages), identity numbers or company registration numbers, and demographic details provided voluntarily |
| Payment details | Transaction and billing information (payment method, invoice data) processed through a secure third‑party payment provider |
| Special personal information (sensitive data) | We do not intentionally process sensitive personal information such as race, political affiliation or health except where the data subject chooses to include such details voluntarily (e.g., within a CV) and subject to explicit consent |
| Usage data | IP addresses, device information, and usage statistics collected through cookies or analytics for legitimate business and security purposes |
Use and further processing of personal information
Section 15 requires that any further processing be compatible with the purpose for which the information was initially collected. Factors considered include the relationship between the original purpose and the intended further processing, the nature of the information, consequences for the data subject, and any relevant contractual rights. We will not use personal information for unrelated purposes without consent or another lawful basis. If we intend to use personal information for statistical or research purposes, we will de‑identify or anonymise it, and ensure that such use does not adversely affect data subjects.
We will not use personal information for unsolicited direct marketing via electronic communications (SMS, email, automated calls) unless the data subject is an existing customer or has given prior consent. Section 69 allows a responsible party to approach a data subject once to request consent for future electronic marketing. All marketing communications will identify EmployTree as the sender and provide a simple opt‑out mechanism. Data subjects have the right to object to direct marketing at any time.
We do not rely solely on automated decision‑making that produces legal or similarly significant effects for data subjects. Section 71 prohibits such decisions unless they relate to contract performance or are authorised by law, and appropriate measures (e.g., human review and explanation of logic) are in place. We assess each situation to ensure compliance and to provide opportunities for job‑seekers or employers to request human intervention.
Special personal information and children’s information
POPIA prohibits processing special personal information unless one of the authorisations in section 27 applies. We will only process sensitive personal information:
- with the data subject’s explicit consent;
- when necessary to establish, exercise or defend a legal right;
- to comply with international public obligations;
- for historical, statistical or research purposes where it serves a public interest and sufficient safeguards are in place; or
- when the information has deliberately been made public by the data subject.
If we rely on research or public interest grounds, we will de‑identify the information where possible and apply appropriate safeguards to protect the data subject’s privacy.
Under section 34, processing personal information about children is prohibited unless section 35 authorises it. We will only process information about minors when:
- we have the prior consent of a competent person (parent or legal guardian);
- the processing is necessary to establish, exercise or defend a legal right;
- it is required to comply with an obligation of international public law;
- the processing is for historical, statistical or research purposes in the public interest and obtaining consent would be disproportionate, provided sufficient safeguards are implemented; or
- the information has deliberately been made public by the child with consent of a competent person.
Where permitted processing occurs, the Information Regulator may impose conditions to ensure transparency, parental access, a ban on encouraging unnecessary disclosure by children and measures to protect integrity and confidentiality.
Retention and restriction of records
We will not retain personal information longer than necessary for achieving the purpose for which it was collected. We may retain information for longer where:
- retention is required or authorised by law;
- it is necessary to perform a lawful function or to comply with a contract;
- the data subject has consented to continued retention; or
- it is stored solely for historical, statistical or research purposes and safeguards prevent the information being used for other purposes.
When a record of personal information is used to make a decision about a data subject, it must be kept for the period required by law or for a period that gives the data subject a reasonable opportunity to request access. Once personal information is no longer authorised to be retained, we will destroy or de‑identify it in a way that prevents its reconstruction.
Processing may be restricted instead of deleting the information where:
- the accuracy of the information is contested and we are verifying it;
- we no longer need the information for the original purpose, but it must be retained for legal proof;
- the processing is unlawful and the data subject requests restriction; or
- the data subject wants the information transmitted to another service.
Security safeguards
Under section 19, EmployTree implements reasonable organisational and technical measures to secure personal information against loss, damage, unauthorised access or processing. These measures include but are not limited to:
- encryption and secure transmission (HTTPS) on our platform;
- access controls ensuring that only authorised personnel can access personal data;
- regular security audits and vulnerability assessments;
- secure storage on Wix servers with appropriate backups;
- contractual requirements for operators to comply with similar security standards and to notify us if a breach occurs.
We continuously identify internal and external risks, establish and maintain safeguards, verify that the safeguards are effectively implemented, and update them in line with industry best practices.
Operator agreements
Where personal information is processed by a third‑party operator (e.g., payment processors, email service providers, IT support), we ensure that a written contract requires the operator to treat the information as confidential and to implement appropriate security measures. Operators may only process personal information with our knowledge or authorisation and must notify us immediately if there is a security breach.
Cross‑border transfers
Personal information may be stored or processed outside South Africa (for example, on Wix’s global servers). POPIA restricts cross‑border transfers of personal information unless the recipient is subject to a law, binding corporate rules or contract that provide an adequate level of protection; or the data subject consents; or the transfer is necessary for contract performance or in the data subject’s interests. Accordingly, EmployTree will only transfer personal information to a foreign country when:
- the receiving country’s data protection laws or the third‑party recipient’s binding corporate rules provide adequate protection;
- we have concluded a binding agreement with the recipient requiring compliance with POPIA standards;
- the data subject consents to the transfer;
- the transfer is necessary for the performance of a contract with the data subject or for the implementation of pre‑contractual measures;
- the transfer is for the benefit of the data subject and it is not reasonably practicable to obtain consent, and the data subject would be likely to consent if asked; or
- it is otherwise permitted by law or required for important public interest reasons.
External guidance notes emphasise that cross‑border transfers are permitted when the recipient’s legal regime provides protection substantially similar to POPIA or when the data subject consents or the transfer is required for a contract. We will maintain documentation of cross‑border flows and assess adequacy of protection before transferring data.
Rights of data subjects
| Right | Description |
| --- | --- |
| Right of access | Data subjects may request confirmation that we hold personal information about them and a record of that information and the identity of all third parties who have had access. We will respond within a reasonable time and may charge a prescribed fee after providing an estimate. Access may be refused on grounds set out in the Promotion of Access to Information Act (PAIA). |
| Right to be informed | Data subjects have the right to be notified when personal information is collected and when a security breach has occurred. |
| Right to correction or deletion | Data subjects may request correction or deletion of information that is inaccurate, irrelevant, excessive, out‑of‑date, incomplete, misleading or unlawfully obtained, or information we are no longer authorised to retain. Upon receipt, we will correct, delete or provide the data subject with credible evidence supporting the information; or attach a note indicating the request when it was not implemented. If a change affects previously disclosed information, we will notify third parties. |
| Right to data portability | The Act allows data subjects to request transmission of their personal information to another responsible party when technically feasible. |
| Right to lodge a complaint | Data subjects may lodge a complaint with the Information Regulator if they believe that we are interfering with their personal information. They also have the right to institute civil proceedings for damages. |
| Right to not be subject to automated decision‑making | Data subjects may request a review of decisions based solely on automated processing and are entitled to request human intervention. |
| Right to object | Data subjects may object to the processing of personal information on reasonable grounds relating to their particular situation, unless legislation compels such processing. They may also object to processing for purposes of direct marketing. |
To exercise these rights, please contact EmployTree using the details provided under Contact Us below. We may request proof of identity and may refuse a request under applicable law.
Notification of data breaches
If there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and the affected data subject as soon as reasonably possible, unless a law enforcement agency determines that notification will impede a criminal investigation. Notifications will be in writing and may be communicated by mail, email, publication on our website or as directed by the Regulator. The notification will describe the breach, steps taken to mitigate harm, recommendations on how data subjects can protect themselves, and, if known, the identity of the unauthorised individual.
Information officer and accountability
EmployTree’s appointed Information Officer is responsible for encouraging compliance with POPIA, dealing with requests made to us by data subjects, working with the Information Regulator on investigations, and ensuring overall adherence to this policy. The Information Officer is registered with the Regulator and may delegate certain duties to deputy information officers but remains accountable for compliance.
Third‑party services and disclosures
We may share personal information with third parties (operators) where necessary to provide our services (such as hosting providers, payment processors, analytics providers, and communication platforms). These third parties are contractually obligated to process personal information only on our instructions and to maintain confidentiality and security. We do not sell personal information to third parties. Where required by law, we may disclose personal information to regulatory authorities, courts or law enforcement.
Liability and indemnity
EmployTree is liable for any processing activities it undertakes, including those performed by operators on its behalf. However, nothing in this policy excludes or limits liability that cannot be excluded under applicable law. Data subjects who suffer damage as a result of interference with their personal information have the right to institute civil proceedings against the responsible party.
Contact us
Let's Grow Together
Email: info@employtree.co.za
WhatsApp/Phone: +27 69 068 0011
Business Hours: Mon - Fri: 08:00 - 16:00
EmployTree (Pty) Ltd
