Privacy Policy
Last updated: 6 August 2025
1. Introduction
Mint Kulca Pty Ltd ("we", "us", "our") provides an Applicant Tracking System ("ATS" or the "Service") used by organisations to manage recruitment processes. We are committed to safeguarding personal information in accordance with the Protection of Personal Information Act, 2013 ("POPIA") and this Privacy Policy.
This Policy describes:
- what personal information we collect,
- how we process it,
- our disclosures to third-party service providers,
- your rights under POPIA, and
- the measures we take to protect personal information.
This Policy applies to:
- job applicants and candidates ("Candidates"),
- employees and agents of customers using our ATS ("Customer Users"), and
- visitors to our websites or online services.
2. Our Role Under POPIA
Depending on the context:
- We may act as a Responsible Party when we determine the purpose and means of processing (for example, for website analytics, account administration or security monitoring).
- In most recruitment activities, we act as an Operator processing personal information on behalf of our customer (the employer). In these cases, the customer remains the Responsible Party and we process personal information strictly in accordance with their instructions and our Data Processing Agreement ("DPA").
3. Personal Information We Collect
We collect and process personal information necessary to support recruitment and ATS workflows, including:
3.1 Candidate Information
- Identity information (name, ID number or passport number, demographic information where provided).
- Contact information (email address, phone number, physical address).
- CV/resumé content, education, work history, qualifications, skills.
- Screening or assessment results, interview notes, and recruitment-related documents.
- Documents voluntarily uploaded by Candidates or Customer Users (e.g., certificates, supporting documents).
3.2 Customer User Information
- Identity and contact information.
- Login credentials, authentication details.
- System usage data, audit logs, and related metadata.
3.3 Technical and Usage Information
- IP address, browser type, device identifiers, operating system, timestamps, usage logs.
- Cookies and similar technologies (see Section 13).
We process only information that is reasonably necessary for the recruitment activities and for the proper functioning of the Service.
4. How We Use Personal Information
We process personal information for the following purposes:
- Delivering and maintaining the ATS, including candidate management, communication, scheduling and workflow automation.
- Supporting customer-approved integrations required in recruitment workflows (e.g., CV parsing, assessments, forms, messaging, email/calendar synchronisation).
- Authenticating users and securing access to the Service.
- Improving system stability, performance and troubleshooting.
- Fulfilling contractual and legal obligations.
- Assisting customers with data migration, reporting, analytics and exports.
- Responding to support requests and system-related queries.
We will not process personal information for any purpose unrelated to recruitment operations or system functionality without notice or consent, unless permitted under POPIA.
5. Third-Party Integrations and Sharing of Personal Information
Our ATS integrates with certain external services in order to perform required recruitment-related functions (such as document parsing, assessments, forms, email/calendar connectivity, or messaging gateways).
We do not sell personal information to any third party.
5.1 Limited Disclosure
Personal information is only shared with third-party service providers to the extent:
- necessary to perform the authorised workflow,
- permitted by the customer or Candidate,
- contractually restricted to specific purposes, and
- protected by suitable confidentiality and security obligations.
5.2 API-Based Access
Where integrations require API access to a customer’s third-party systems, we use only the minimum permissions required. Authorisations (including OAuth tokens or API keys) are stored securely and used solely for the intended workflow.
5.3 Operators and Sub-Operators
Where we engage third-party service providers as Operators (sub-processors):
- they process personal information exclusively on our documented instructions;
- they must implement appropriate security measures;
- they may not further process or disclose personal information except as permitted by the agreement and law.
A current list of sub-operators is available upon request.
6. Legal Grounds for Processing (POPIA)
Under POPIA, we process personal information on the following lawful bases:
- Performance of a contract: to provide the ATS to our customers.
- Compliance with legal obligations: verifying identity, maintaining system logs, responding to lawful requests.
- Legitimate interests: securing, maintaining, improving and supporting the Service.
- Consent: where Candidates voluntarily submit information or where consent is required for specific optional processing activities.
In most cases, the customer as Responsible Party will determine the legal justification for Candidate-related processing. We act strictly on their instructions.
7. Security Safeguards
We implement appropriate, reasonable technical and organisational measures to protect personal information against:
- loss,
- unauthorised access,
- unlawful processing,
- accidental destruction,
- alteration, and
- disclosure.
These include (but are not limited to):
- encryption in transit and at rest (where applicable),
- access controls and role-based permissions,
- secure API communication,
- logging, monitoring, and intrusion detection,
- vulnerability management,
- secure development lifecycle practices,
- disaster recovery and backup procedures.
Details of our security compliance approach, certifications, or cloud provider compliance references are available to customers upon request as part of their procurement and security review.
8. Retention of Personal Information
We retain personal information only:
- for as long as necessary to fulfil the purposes described above,
- in accordance with customer instructions,
- as required by applicable law,
- until a lawful request for deletion is received.
Where we act as Operator, the customer controls retention requirements and may request deletion, anonymisation or export of data at any time.
9. Cross-Border Transfers
Our Service may be hosted or processed in data centres located outside South Africa.
When transferring personal information outside South Africa, we implement safeguards required under POPIA, including:
- contractual agreements ensuring adequate protection,
- equivalent privacy standards in the receiving country, or
- transfers necessary for performance of a contract with the data subject.
Customers may request details of applicable safeguards and hosting regions.
10. Candidate and User Rights Under POPIA
Data subjects have the right to:
- Access their personal information.
- Correct or update personal information that is inaccurate or incomplete.
- Request deletion, where legally permissible.
- Object to processing, where grounds exist.
- Withdraw consent, where processing is based on consent.
- Request a record of processing activities, where applicable.
Where the information is controlled by our customer, we will direct the request to that customer and assist them in fulfilling it.
11. Data Breach Notification
If a security compromise involving personal information occurs, we will:
- take immediate steps to investigate and mitigate harm, and
- notify the customer and/or affected data subjects and the Information Regulator where required under POPIA.
12. Children’s Information
Our ATS is not intended for use by individuals under 18 years of age. We do not knowingly collect or process children’s personal information unless specifically authorised by the customer and permitted under law.
13. Cookies and Online Tracking
We use cookies and similar technologies for system functionality, analytics, and performance monitoring. You may manage cookie settings via your browser. Additional information is available in our Cookie Notice (if applicable).
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through our Service or via email where appropriate.
15. Contact Details and PAIA/POPIA Requests
For privacy-related enquiries, access requests, corrections, or complaints, please contact:
Information Officer:
Email: info@mintkulca.co.za
Address: Unit 11, First Floor, Bellfour Office Park, 3 Edmar St, Bellville, Cape Town, 7750
Telephone: 082 835 6278
If you are not satisfied with our response, you may lodge a complaint with the Information Regulator (South Africa).
Website: https://www.justice.gov.za/inforeg
16. Summary of Commitments
- We do not sell personal information.
- We share personal information only with authorised third-party service providers and only to support required workflows.
- We act as Operator for most customer recruitment data.
- We maintain POPIA-aligned security, retention, and breach-response processes.
For further assistance or to request the DPA, PAIA Manual, candidate consent statements, or a job application privacy notice, please contact our Information Officer.