Privacy Policy (GraduatesHub.co.za)
Introduction and Scope
GraduatesHub (“GraduatesHub“, “we“, “us” or “our“) values privacy and is committed to protecting personal information. This privacy policy explains how we collect, use, disclose, store and secure personal information when you use graduateshub.co.za (the “Website“) or our associated services. It applies to visitors, registered users, clients and any other individuals whose personal information is processed by GraduatesHub. We process personal information in accordance with South Africa’s Protection of Personal Information Act, 2013 (POPIA), its April 2025 amendments and any applicable global data‑protection laws such as the EU General Data Protection Regulation (GDPR) and U.S. privacy laws (e.g., CCPA). Under POPIA, “personal information” includes any information relating to an identifiable, living individual or juristic person, including names, contact details, identifiers such as IP addresses and cookies, biometric data and financial or employment history.
By accessing or using our Website you consent to our handling of your personal information as described in this policy. If you do not agree with this policy, please do not use our services. This policy may be updated periodically; the “Last updated” date at the top indicates the effective date. We encourage you to review it regularly.
Information We Collect
We collect personal information only to the extent reasonably necessary for the specific purposes described below and consistent with POPIA’s processing limitation condition. The categories of personal information we collect include:
| Category | Examples |
|---|---|
| Contact Information | Name, email address, postal address, telephone numbers. |
| Account Credentials | Usernames, passwords or other authentication data when you register an account. |
| Educational & Professional Data | Information about your academic background, qualifications, employment history and skills provided by you when creating a profile or applying for opportunities. |
| Transactional Data | Records of services purchased or used and payment information (e.g., transaction identifiers). We do not store full credit‑card numbers; payments are processed via third‑party providers. |
| Device & Usage Data | IP address, browser type/version, device identifiers, pages visited, referring/exit pages, date/time stamps and click‑stream data collected via cookies and similar technologies. POPIA classifies cookies and IP addresses as personal information. |
| Location Data | Approximate geographic location derived from IP addresses for analytics and geo‑targeted consent. |
| Sensitive Data (only if provided voluntarily) | In rare cases we may collect sensitive information (e.g., health or disability information) when required for specific opportunities. We will obtain explicit consent and treat such data with enhanced safeguards. |
We may also receive personal information from third‑party sources (e.g., recruitment partners, educational institutions, professional references) as part of our services. When we obtain information indirectly we will inform you of the source as required by Section 18 of POPIA.
Legal Bases and Purposes for Processing
POPIA requires that personal information be processed lawfully, fairly and in a manner that does not infringe privacy. We process personal information based on one or more of the following lawful bases:
- Consent – We process personal information when you have given explicit, informed and voluntary consent. POPIA defines consent as a “voluntary, specific and informed expression of will”. For example, you may consent to receive marketing communications or to use non‑essential cookies.
- Performance of a Contract – To provide and manage services you request (e.g., creating an account, matching you with employment opportunities and communicating with employers).
- Legal Obligation – To comply with legislation such as tax laws, employment regulations, consumer protection law or requests from regulators.
- Legitimate Interests – We may process information for our legitimate interests (e.g., running and improving our Website, preventing fraud, protecting security), provided those interests do not override your rights.
We only process personal information for specific, explicit and lawful purposes (the “purpose specification” condition), including:
- Service Delivery – to register you, verify your identity, provide access to job and internship listings, manage applications, connect you with employers, facilitate interviews and respond to enquiries.
- Account Management – to manage your profile, provide user support, maintain transaction records and communicate about updates or changes.
- Analytics and Improvement – to understand how our services are used, analyse usage patterns, improve functionality and user experience, and develop new services. We use aggregated or anonymised data whenever possible.
- Marketing and Communications – to send newsletters, promotional information and event invitations where you have opted‑in. You can withdraw consent at any time.
- Legal Compliance & Risk Management – to comply with legal obligations, resolve disputes, enforce our terms and protect our rights and users’ safety.
We will not further process personal information in a manner incompatible with these purposes without obtaining additional consent.
Cookies and Tracking Technologies
A cookie is a small text file that a website stores on a visitor’s device. Under POPIA cookies and IP addresses are considered “online identifiers” and fall under the scope of personal information. Data‑protection laws such as POPIA, GDPR and the ePrivacy Directive require us to obtain prior consent before deploying non‑essential cookies and to provide clear information about their purposes. Our use of cookies includes:
| Cookie Category | Purpose |
|---|---|
| Necessary Cookies | Enable core features (e.g., session management, security, load balancing) that are essential for the Website to function. These do not require consent. |
| Preferences (Functional) Cookies | Remember your settings (language, region, and login state) to personalise your experience. |
| Analytics Cookies | Collect information about how you use the Website (e.g., pages visited, time spent) to help us improve performance and user experience. We use tools such as Google Analytics and may implement Google Consent Mode to ensure scripts are blocked until consent is obtained. |
| Marketing/Advertising Cookies | Track browsing behaviour to deliver personalised advertising and measure the effectiveness of campaigns. Under GDPR and POPIA you must actively opt‑in; legitimate interest cannot replace consent for non‑essential cookies. |
When you first visit the Website, our cookie banner will appear asking you to accept or reject non‑essential cookies. In line with 2025 cookie consent requirements, consent must be freely given, specific, informed and unambiguous. We do not use pre‑checked boxes or implied consent mechanisms. Users can select granular categories (analytics, marketing, AI‑training, etc.) and can withdraw or modify their preferences at any time via the cookie settings link. We also deploy geo‑targeting to apply the strictest standards (e.g., GDPR) when we are uncertain of a visitor’s location.
You can manage cookies through your browser settings (e.g., clearing or blocking cookies) or by using our consent management platform. Blocking cookies may impact your experience on the Website.
Data Sharing and International Transfers
We may share your personal information with third parties in the following situations:
- Service Providers and Processors – We engage trusted third‑party companies to host our Website, analyse data, process payments, conduct background checks, send emails, manage marketing campaigns or provide other services. These providers are bound by confidentiality and data‑protection obligations and may process information only on our instructions.
- Employers and Recruitment Partners – When you apply for job or internship opportunities, we may share your profile and application materials with relevant employers or recruitment agencies. You will always know which organisations receive your information.
- Legal or Regulatory Authorities – We may disclose information when required by law, court order, or government request (e.g., to prevent fraud or comply with POPIA obligations).
- Business Transfers – If we sell or transfer all or part of our business, personal information may be transferred to the buyer under appropriate confidentiality protections.
Personal information may be transferred to countries outside South Africa. POPIA restricts international data transfers unless the recipient is subject to an adequate law, binding agreement or other mechanism upholding POPIA principles. We will ensure any cross‑border transfer complies with POPIA and, where applicable, GDPR or other regional laws by using safeguards such as:
- Adequacy decisions or equivalent regulations;
- Standard contractual clauses or data‑transfer agreements;
- Explicit consent from data subjects;
- Necessity for the performance of a contract.
Data Retention
We retain personal information only for as long as necessary to fulfil the purposes outlined in this policy or to comply with legal, tax or accounting requirements. Data retention timelines vary depending on the type of information and applicable regulations. Best practices recommend deleting or anonymising personal data once it has served its purpose. For example, we may keep account records for the duration of your use plus six years to meet legal obligations, while cookies are retained according to their category (session or persistent). Once retention periods expire, we will securely delete or de‑identify information.
Security Measures
We implement appropriate technical and organisational measures to protect personal information against unauthorised access, accidental loss, destruction or damage, in line with POPIA’s security safeguards condition. These measures include:
- Encryption of data in transit using HTTPS and encryption of sensitive data at rest.
- Access controls and role‑based permissions to restrict data to authorised personnel.
- Regular vulnerability assessments and penetration testing to detect potential risks.
- Security awareness training for employees and contractors.
- Incident response procedures to manage and report data breaches. POPIA requires responsible parties to notify data subjects and the Information Regulator as soon as reasonably possible if an unauthorised party accesses personal information. We will provide a description of the breach, consequences and measures taken to address it.
Your Rights
POPIA grants individuals several rights regarding their personal information. Data subjects have the right to:
- Be notified that their personal information is being collected and if it has been accessed by an unauthorised person;
- Access their personal information and receive a copy;
- Request correction, destruction or deletion of their information;
- Object to processing on reasonable grounds or for direct marketing;
- Not be subject to automated decision‑making based solely on automated processing;
- Submit complaints to the Information Regulator and pursue civil proceedings.
For individuals located in the European Economic Area (EEA) or the United Kingdom, GDPR provides additional rights, including the rights to data portability and to restrict processing. To exercise any of these rights, please contact us using the details below. We will respond within a reasonable time and may request proof of identity.
Children’s Privacy
Our services are not intended for children under 13 years of age. If we learn that personal information of a child has been collected without parental consent, we will take steps to delete that information as soon as possible. If you believe we might have information about a child, please contact us immediately.
Changes to This Privacy Policy
We may update this policy from time to time to reflect changes to our practices or legal requirements. We will post the updated policy on this page and, where appropriate, notify you via email or through a notice on the Website. Continued use of the Website after changes take effect constitutes acceptance of the updated policy.
Contact Us
If you have any questions, concerns or requests regarding this privacy policy or your personal information, please contact:
GraduatesHub (Pty) Ltd
Email: privacy@graduateshub.co.za
Postal Address: Pretoria, Gauteng, South Africa
You also have the right to lodge a complaint with the Information Regulator (South Africa). Visit https://inforegulator.org.za for contact details.