How RezSync handles your data.Plain English. Specific. Updated regularly.

We collect three categories of information. Each is tied to a specific purpose described later in this policy.

Account information you provide

• Email address and password (passwords are stored as salted hashes, never in plain text).
• Full name.
• Optional phone number.
• For RezSync Jobs only: resume content (PDF / DOCX text and parsed structure), Scout Cycle preferences (titles, locations, work styles), and cover-letter inputs.
• For RezSync Algo only: account entitlement and license status, Managed RezSyncIQ usage counters if applicable.

Product and usage data

• Pages visited, features used, dashboard activity, and timestamps — kept for product improvement and abuse prevention.
• Device and browser metadata (type, version, IP, approximate region from IP).
• Application logs that include the result of automated actions taken on your behalf (Jobs) or telemetry for crash and error reporting.

What we do not collect

• We do not collect government IDs, passport numbers, or SSNs.
• We do not require home addresses or postal codes to use the product.
• We do not collect financial account numbers, card data, or bank information — payment is handled by Paystack and never touches our servers.
• For RezSync Algo: we do not collect your broker login, OAuth tokens, or model-provider API keys when you run in BYOM mode. Those stay on your machine.

You can act on every piece of data we hold about you. Most controls are immediate from inside the dashboard.

Application Control (RezSync Jobs)

From your dashboard: Settings → Notifications → Application Control. When set to Paused, zero applications will be submitted on your behalf. Your resumes, Scout Cycles, and history stay intact so you can resume later. Toggle effect is immediate.

Access, correction, export

• Access: view what we hold from Settings → Account.
• Correct: edit any of it directly in the dashboard.
• Export: request a downloadable copy of your data (JSON / CSV where applicable) by emailing privacy@rezsync.com. We respond within 30 days.

Deletion (right to be forgotten)

Delete your account from Settings → Account → Delete, or email privacy@rezsync.com. Deletion removes your account, resume, Scout Cycles, application history, and product usage data within 30 days. Some records may be retained where the law requires (for example, transaction records for accounting or court orders).

Withdraw consent

You can pause Application Control, opt out of marketing emails (one click in any email footer), or revoke specific integrations at any time. Withdrawing consent does not affect processing already performed lawfully before the withdrawal.

We use what we collect for these specific purposes only:

• Run the product: authenticate you, render your dashboard, and operate the features you turn on.
• Submit job applications on your behalf (Jobs only) — and only when Application Control is set to Active and a role matches your Scout Cycle.
• Generate AI-tailored documents — your resume and cover letter are passed to your configured model provider so the document can be tailored per role.
• Communicate with you about your account, security, billing, and important product changes. Marketing emails are opt-in.
• Detect abuse, fraud, and outages, and fix bugs.
• Comply with the law — respond to lawful requests, enforce terms, and meet our accounting and tax obligations.

We do not use your data to train models, build advertising profiles about you, or sell to recruiters or third parties as marketing leads.

We share data with a small set of categories — never for sale.

Employers (RezSync Jobs)

When Application Control is on and a job matches your Scout Cycle, we submit your resume, the tailored cover letter, your contact details, and any extra fields the application form requires. The employer becomes an independent controller of that data once it is received.

Model providers (Jobs & Algo)

When you generate a tailored document or run an AI decision, the context required for that single call is sent to the configured model provider (yours in BYOM mode, ours under Managed RezSyncIQ). Each provider processes data under its own privacy policy.

Infrastructure and tooling vendors

• Cloud hosting and database (encrypted at rest and in transit).
• Email delivery (transactional and opt-in marketing).
• Error and crash reporting (no resume content, no PII bodies).
• Payments — handled by Paystack; we receive a token, not card data.

All vendors are bound by data-processing agreements that require confidentiality and use limited to the service we hired them for.

Accounts you connect (Canva & social platforms)

RezSync Marketing lets you connect third-party accounts — including Canva and social networks (X, LinkedIn, Facebook, Instagram) — so RezSync can create on-brand designs and publish the content you approve. When you authorize an account via OAuth, we store an encrypted access token scoped to your user and use it only for the actions you enable:

• Canva: we create and export designs in your own Canva account by autofilling your brand templates. We do not read or modify designs beyond the ones RezSync creates, and we never share your Canva content with other users.
• Social networks: we publish only the posts you have approved, to the accounts you connected.

You can disconnect any account at any time from Settings → Connections. On disconnect we revoke the token with the provider and delete it within 30 days.

Legal and safety

We may disclose data if a valid court order, government request, or regulatory obligation requires it, or to defend RezSync's rights in a legal proceeding. We push back on overreaching requests and notify affected users where the law allows.

RezSync Algo is a downloadable application. The default posture is local-first: most sensitive data lives on the device or server where you installed it.

• settings.json, broker OAuth tokens, model-provider API keys, and decision logs are written to your machine. They are never uploaded to RezSync.
• BYOM (Bring Your Own Model): prompts and outputs are sent directly from your machine to the model provider you configure. RezSync does not see them.
• Managed RezSyncIQ: the trade context required for a decision is sent to RezSync infrastructure. That context may include symbol, timeframe, market/session context, news context, spread, account environment, risk profile, open-position summary, and recent decision metadata. We route that context to the configured model and return the validated decision. We retain metering counters and a short-lived debug record, auto-purged within 7 days, to investigate failures.
• Telemetry: license validation, version, install ID, and operational error reports. No trade data, no prompts, no broker credentials.
• You should not paste API keys, broker secrets, or OAuth tokens into public repos, screenshots, or support tickets.
• If you send support screenshots, logs, or screen recordings, you are responsible for redacting account numbers, balances, device codes, API keys, OAuth tokens, and any other secrets before sending them.

We use a small number of cookies and similar technologies. They fall into three groups.

• Essential (always on): authentication session, CSRF protection, and remembering whether you accepted this cookie notice. Without these, the product cannot function.
• Functional (always on): remembering your theme (light / dark) and dashboard layout choices.
• Analytics (opt-out): aggregated page-view metrics so we know which docs and product pages are actually used. No cross-site tracking, no advertising pixels.

You can refuse non-essential cookies at the consent banner or in your browser settings. Doing so will not break the product.

Concrete periods, not "as long as necessary." Where the law requires longer, the legal period takes precedence.

• Active account data: kept for the life of your account.
• After account deletion: removed from production within 30 days. Encrypted backups age out within 90 days.
• Application history: kept for 24 months while your account is active so you can review what was sent.
• Server access logs: 90 days, then aggregated.
• Managed RezSyncIQ debug records: 7 days, then purged.
• Billing and tax records: 7 years, as required by Kenyan tax law.
• Marketing list: until you unsubscribe; suppression list kept indefinitely so we don't re-contact you by accident.

RezSync is operated from Nairobi, Kenya. Our infrastructure providers may store and process data in data centers outside of Kenya — for example in the EU or the US — under appropriate safeguards.

• For transfers out of Kenya, we rely on the safeguards permitted by the Kenya Data Protection Act (2019).
• For transfers out of the EEA / UK, we use Standard Contractual Clauses with our processors.
• All data is encrypted in transit (TLS) and at rest where the provider supports it.

We use commonly accepted security practices: TLS in transit, encryption at rest where supported, hashed passwords, scoped access for staff, audit logs, dependency monitoring, and routine backups.

No system is perfectly secure. If we discover a breach that affects your data, we will notify you within 72 hours of becoming aware of it, in line with the GDPR and Kenya DPA timelines, with a clear description of what was affected and what we are doing about it.

RezSync is intended for adults aged 18 and over. Both products are aimed at users making employment and financial decisions on their own behalf. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, email privacy@rezsync.com and we will delete it.

When we make material changes, we update the "Last updated" date at the top of this page and notify active users by email at least 14 days before the new version takes effect.

Minor edits (typos, clarifications without policy changes) are published without notice but always reflected in the "Last updated" date. We keep an archive of prior versions; ask privacy@rezsync.com if you need a copy.

For privacy questions, data requests, or breach reports, email privacy@rezsync.com. For general support, use the contact page.

RezSync · Nairobi, Kenya. We respond to privacy requests within 30 days, in line with Kenya DPA and GDPR.