Privacy Policy

1.1 Information You Provide Directly

1.2 Automatically Collected Data

• IP address, browser type, device type, and operating system
• Pages visited, features used, session duration, and access times
• Referral source and navigation path through the platform

1.3 Data From Third Parties

• Google OAuth: If you sign in with Google or connect your Gmail, we receive your email address, name, and profile picture from Google — and, if you grant the gmail.send scope, OAuth tokens to send emails on your behalf
• Payment processors: Transaction confirmation and subscription status — we do not store raw card or mobile money details

1.4 Sensitive Data

We do not intentionally collect sensitive personal data (such as health information, religion, or political views). If you voluntarily include such information in your CV, it is processed only to the extent necessary to deliver the Service.

2.1 Core Service Delivery

• Creating and managing your account and profile
• AI-powered matching of your profile to suitable job vacancies
• Generating tailored cover letters and ATS-optimized CVs on your behalf
• Automatically submitting job applications to matched employers
• Sending job application emails via your connected Gmail account, if you have authorized this
• Displaying consultant profiles to prospective clients and employers

2.2 Gmail Data — Strict Limited Use

2.3 Platform Improvement

• Training and improving our AI matching models using anonymized data only — individual identifiable data is never used for model training
• Fraud detection, security monitoring, and abuse prevention
• Aggregated analytics to improve the user experience

2.4 Communications

• Always sent: Service updates, application status notifications, security alerts
• Opt-out available: Platform news and feature announcements
• Opt-in only: Marketing communications and promotional content

2.5 Legal Compliance

To comply with applicable Malawian laws and regulations, including data protection requirements, and to respond to lawful requests from public authorities.

3.1 With Employers

When we submit a job application on your behalf, we share the application materials with the relevant employer — including your name, email address, CV, generated cover letter, qualification certificates, and any other supporting documents you have uploaded. You are copied on all application emails.

3.2 With Trusted Service Providers

We share data with carefully selected third-party providers who help us deliver the Service, including cloud hosting, AI processing (OpenAI), email delivery, and payment processors. All providers are bound by strict confidentiality agreements and are prohibited from using your data for any purpose other than delivering services to us.

3.3 Google Gmail API

3.4 Legal Requirements

We may disclose your information where required by Malawian law, court order, or to protect the rights, property, or safety of Mvungi, our users, or the public.

3.5 Business Transfers

If Mvungi Masters is involved in a merger, acquisition, or asset sale, your information may be transferred. We will provide reasonable notice before your data becomes subject to a different privacy policy.

4.1 What We Request and Why

Mvungi requests the gmail.send scope — the narrowest permission available for outbound email — solely to send job application emails on behalf of users who have explicitly authorized this through Google's secure OAuth 2.0 flow. This feature is entirely voluntary.

Users voluntarily connect their Gmail account and grant permission for Mvungi Job Masters to submit applications using their own email address. This allows employers to identify the applicant clearly and reply directly to them — which would not be possible if applications were sent from our platform email address alone.

4.2 Why a More Limited Scope Is Not Sufficient

A more limited scope is not sufficient because our service requires sending application emails directly from the user's authenticated Gmail account. This is necessary so that:

• Employers can identify the actual applicant by their real email address
• Employers can reply directly to the applicant without Mvungi as an intermediary
• Applications appear professional and credible to hiring managers
• Users receive replies in their own inbox without depending on our forwarding

4.3 What This Permission Does NOT Allow

4.4 Data Stored for Gmail Integration

• Gmail email address: Stored to identify your connected account and display it in your profile settings
• OAuth access token: Short-lived token used to authenticate each email send, refreshed automatically
• OAuth refresh token: Long-lived token stored securely and encrypted at rest, used only to obtain new access tokens when needed
• All token data is stored on our secured servers, encrypted at rest, and never shared with any third party

5.1 Formal Limited Use Statement

Mvungi Job Masters' use of information received from Google APIs strictly adheres to the Google API Services User Data Policy, including the Limited Use requirements. The following applies without exception:

• Gmail API data is used only to send the specific job application emails explicitly requested and authorized by the user through our platform
• Gmail API data is not used to develop, improve, or train any generalized artificial intelligence or machine learning model
• Gmail API data is not used for advertising, retargeting, or profiling purposes of any kind
• Gmail API data is not transferred to, sold to, or shared with any third party — human or automated — for purposes other than sending the authorized application emails
• Humans at Mvungi do not read user Gmail data unless required for security investigation of a reported abuse incident, and only with the user's express consent

6.1 Two Ways to Disconnect

You may revoke Gmail access at any time through either of the following methods:

• From your Mvungi profile settings: Navigate to Settings → Connected Accounts → click "Disconnect Gmail"
• Directly from Google: Visit your Google Account Permissions page and remove Mvungi's access

6.2 What Happens After Revocation

• All future application sends will automatically fall back to our platform SMTP email system
• Your OAuth tokens are deleted from our database immediately upon disconnection
• No further Gmail access will occur after revocation
• Previously sent application emails are not affected or recalled

7.1 Rights You Hold

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data at any time
• Deletion: Request deletion of your account and all associated personal data
• Restriction: Request that we limit processing of your data in certain circumstances
• Portability: Request your data in a structured, machine-readable format
• Objection: Object to processing for specific purposes such as marketing
• Gmail Disconnection: Revoke Gmail access at any time via profile settings or directly through your Google Account

To exercise any right, contact us at info@mvungi.com. We will respond within 30 days.

7.2 Limitations

Some rights may be limited in specific circumstances — for example, we cannot delete data that is required for an active subscription period or that we are legally obligated to retain. We will always explain any limitation clearly when responding to your request.

8.1 Security Measures

• All data is encrypted in transit using HTTPS/TLS
• Sensitive data including OAuth tokens and passwords are encrypted at rest
• Access to personal data is restricted to authorized personnel only on a need-to-know basis
• We conduct regular security reviews and vulnerability assessments
• Uploaded documents are stored in access-controlled server directories

8.2 Retention Periods

You may request full account and data deletion at any time. We will complete deletion within 30 days of your verified request.

9.1 Types of Cookies We Use

• Essential cookies: Required for the platform to function — including session management and authentication. These cannot be disabled.
• Analytics cookies: Track usage patterns to help us improve the Service — such as pages visited and features used. Anonymized.
• Preference cookies: Remember your settings such as language and display preferences.

9.2 Managing Cookies

You can manage or disable non-essential cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the platform.

10.1 Age Restriction

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at info@mvungi.com and we will delete it promptly.

11.1 How We Notify You

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify registered users by email before the changes take effect
• Display a prominent notice on the platform where appropriate

Continued use of the Service after changes take effect constitutes your acceptance of the updated Policy.