Privacy Policy

Last updated: 2 July 2026. Kompasu is operated by Revenue Champ Pte. Ltd., a company incorporated in Singapore (“Kompasu”, “we”, “us”).

1. Who we are & how this policy works

Kompasu is a global product offered by Revenue Champ Pte. Ltd. (Singapore). We serve users worldwide.

We apply a single, high-standard privacy baseline to every user, and we grant additional rights based on where you live. The baseline is built to the strictest widely applicable standard (the EU/UK GDPR), which covers most requirements around the world. Region-specific rights — for California, the EU/UK, Singapore, Australia, and Canada — are set out in section 10.

2. What we collect

  • Account details — email address and display name provided at sign-up (or via your chosen sign-in provider).
  • Profile settings — current role, location, remote preference, and the career-context fields you fill in.
  • CV content — the text and structured fields (skills, tools, education, experience) extracted from the PDF you upload. Your PDF is processed in memory to extract this text; we do not retain the original uploaded file.
  • Product analytics — pseudonymous, bucketed usage events collected via PostHog, and only if you consent (see section 7).
  • Feedback — any text you submit through in-product feedback forms.

We never receive your payment card details — billing is handled by Stripe.

3. How we use your data & our legal bases

We use your data to operate Kompasu: parsing your CV, comparing it against real job-market signals, generating a career score, and producing a personalised roadmap and recommendations, plus product-related emails. Where a legal basis is required (e.g. the EU/UK), we rely on:

  • Performance of a contract — to provide the analysis and features you sign up for.
  • Consent — for non-essential analytics and for optional marketing emails.
  • Legitimate interests — for security, abuse prevention, and content-free cost/usage metering.
  • Legal obligation — to keep transaction records for tax purposes.

We do not sell your personal information and we do not use it for advertising.

4. AI processing of your CV

To analyse your CV we send its text to our AI sub-processor, Microsoft Azure OpenAI, processed in the EU (Sweden Central) region, under a Zero-Data-Retention (ZDR) agreement.

Under ZDR, your CV text is used only to produce your result for that request — it is not stored by the AI provider and is never used to train AI models. Every request is technically restricted to zero-data-retention endpoints.

5. Sub-processors

We rely on the following sub-processors, each under a data processing agreement:

  • Supabase — database and application data hosting.
  • Microsoft Azure OpenAI — AI analysis of your CV, under Zero-Data-Retention (see section 4).
  • Stripe — payment processing for subscribers.
  • Resend — transactional email delivery.
  • PostHog — product analytics (consent-gated; EU instance).
  • Vercel — application hosting and infrastructure.

6. International data transfers

As a global service, your data may be processed outside your home country. We enter into data processing agreements with our sub-processors and rely on recognised transfer safeguards, including the Standard Contractual Clauses where applicable. In particular, AI processing of your CV occurs via Microsoft Azure OpenAI, which may process your data in the EU (Sweden Central); this is disclosed as an international transfer with appropriate safeguards in place, and under Zero-Data-Retention.

7. Cookies & analytics (your choice)

Essential cookies (for sign-in and security) are always on and require no consent. Non-essential product analytics (PostHog) are off by default and only run after you accept them in our cookie banner. You can change or withdraw your choice at any time via “Cookie settings” in the footer — withdrawing is as easy as giving consent.

8. Data retention

  • Your extracted CV text, analyses, and scores are kept while your account is active and are automatically deleted after 24 months of inactivity.
  • When you delete your account, your personal data (CV text, analyses, scores, and profile) is permanently deleted.
  • We retain minimal transaction records (that a payment occurred — amount, date, and plan tier) for 5 years to meet Singapore tax requirements (IRAS), after which they are deleted. These records contain no CV content.

Analytics events are pseudonymous and are removed when your account is deleted.

9. Your rights

You can access, export, correct, and delete your personal data:

  • Export — download a copy of your data (a data-portability / access request) via the in-product export tool, served by our /api/user/export endpoint.
  • Delete — delete your account and personal data in Settings → Danger zone → Delete account.
  • Access / correction / any other request — email hello@nimelo.com. We respond within the timeframe required by your region’s law.

10. Regional privacy rights

If you are in California (CCPA/CPRA): you have the right to know, access, delete, and correct your personal information, to opt out of its “sale” or “sharing”, to limit the use of sensitive personal information, and to non-discrimination for exercising these rights. We do not sell your personal information. We do not currently share your personal information for cross-context behavioral advertising. If this changes, we will update this policy and provide a “Do Not Sell or Share My Personal Information” opt-out as required. Comparable rights apply under other US state laws (including Virginia, Colorado, Connecticut, Texas, and Utah).

If you are in the EU/EEA or UK (GDPR / UK GDPR): you have the rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with your local data-protection authority (or the UK ICO). Our legal bases are in section 3 and international-transfer safeguards in section 6.

If you are in Singapore (PDPA): you have the rights to access and correct your personal data, and we handle it in line with the PDPA, including the Transfer Limitation Obligation for cross-border processing (section 6). Revenue Champ Pte. Ltd. is our Singapore home entity and data controller.

If you are in Australia (Privacy Act / APPs): we handle your personal information under the Australian Privacy Principles, including notice of collection and accountability for the overseas disclosure involved in AI processing (sections 4 and 6).

If you are in Canada (PIPEDA): we rely on meaningful consent and provide access and correction rights.

Everywhere else: the GDPR-grade baseline in this policy applies to you.

11. Children

Kompasu is intended for users aged 18 and over. It is not directed at children, and we do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or in-product, and — where the change affects cookie consent — re-prompt you for a fresh choice.

13. Contact

Revenue Champ Pte. Ltd. (Singapore). For any privacy question or request, email hello@nimelo.com.