NDPR-aware Data Protection Handling

Operational privacy, safety, and AI-handling principles for JobRadarNG.

Last updated: 26 May 2026

These pages are product-ready policy drafts for JobRadarNG operations. They should be reviewed by Nigerian counsel before paid launch, enterprise sales, or large-scale processing.

1. NDPA and NDPR-aware position

JobRadarNG is designed for Nigeria and Africa, so its privacy programme should be aligned with the Nigeria Data Protection Act 2023, NDPC guidance, and NDPR-aware handling practices that remain useful for operational privacy discipline.

The practical goal is simple: collect only what the marketplace needs, explain why it is needed, protect it, limit internal access, respect user rights, and keep auditable records for high-risk operations such as CV processing, identity verification, AI matching, and scam moderation.

2. Data map

Applicant data includes account details, CVs, skills, work history, saved jobs, applications, cover notes, alerts, and AI match signals. Employer data includes company profiles, logos, billing status, subscriptions, job posts, application analytics, and moderation history.

Individual recruiter data includes profile details, phone/email verification, identity-review status where used, job posting limits, hidden-contact settings, and listing history. Admin and safety data includes reports, scam flags, AI logs, scraping logs, source health, and moderation events.

3. Lawful basis register

JobRadarNG should maintain a lawful-basis register. Common examples include contract performance for account features and applications, consent or user request for CV upload and AI matching, legitimate interests for fraud prevention and service improvement, legal obligation for compliance and safety records, and consent for optional marketing.

Where a feature relies on consent, the interface should make the choice clear and should not treat silence or inactivity as consent.

4. Privacy-by-design controls

Core controls include Supabase row-level security, protected admin routes, role-based access checks, private resume storage, public logo storage separation, service-role keys kept out of GitHub, environment variable controls in Vercel, strict input validation, rate limiting for sensitive actions, moderation queues, and user report workflows.

New sensitive features should go through a lightweight data protection impact review before launch, especially where they involve identity documents, fraud scoring, automated recommendations, or large-scale job aggregation.

5. AI and profiling controls

AI features should be presented as assistance, not guaranteed truth. Job summaries, category predictions, scam flags, duplicate detection, skill extraction, and match scores should be reviewable and correctable where they materially affect users.

Applicants should understand that CV uploads may be processed to infer skills, experience level, career category, and job recommendations. Employers should understand that AI summaries and trust scores do not replace their own due diligence.

6. User rights workflow

JobRadarNG should support requests for access, correction, deletion, restriction, portability, objection, consent withdrawal, and human review of relevant automated decisions. Requests should be logged, identity-checked where needed, and answered within a reasonable legal timeframe.

Admins should avoid deleting safety-critical records where retention is required for fraud prevention, disputes, legal obligations, or platform integrity; in those cases, data should be restricted, anonymised, or retained with a documented reason where appropriate.

7. Vendor and transfer controls

Core vendors currently include Supabase, Vercel, OpenAI where enabled, and future payment/email/SMS providers. JobRadarNG should keep a vendor register, review vendor security posture, document cross-border transfers, and use data-processing terms where appropriate.

Service-role credentials, API keys, and webhook secrets should never be committed to GitHub and should be rotated after exposure, staff changes, or suspicious activity.

8. Breach and incident handling

A personal-data incident should be triaged immediately for scope, affected data, affected users, containment, evidence preservation, notification duties, and remediation. Security incidents involving resumes, identity documents, account sessions, service keys, or admin privileges should be treated as high priority.

JobRadarNG should maintain an incident log, assign an owner, preserve relevant audit evidence, and notify affected users or regulators where legally required.

9. Operational launch checklist

Before full public launch, configure a real privacy inbox, publish the final reviewed policies, set Vercel environment variables, add the Supabase service-role key only in Vercel, configure OpenAI credentials, verify storage policies, create admin accounts through privileged SQL only, and test data-subject request handling.

Before monetisation, add payment terms, refund language, invoicing records, subscription cancellation flows, and payment-provider privacy disclosures.

Questions or requests about privacy, safety, or account access can be sent to privacy@jobradarng.com. Replace this address with your verified operational inbox before public launch if another contact is preferred.