1. Data we collect, by feature
- Contact form (/contact): name, email, company, country, intent and message body.
- Careers application (/careers/apply): name, email, role applied for, expected compensation, availability, links, resume (required), cover letter (optional), and an optional government ID. Files are limited to 10 MB and stored privately in our “job-applications” bucket.
- Investor Deal Matcher (/investors): sector interest, geography, stage preference and check-size band. By default these stay in your browser only; they leave your device only if you opt in to email matches.
- Email me these matches: name and email address, plus the matcher inputs and the generated best-match / runners-up summary that we email you once.
- PDF deck downloads (/investors/industries): the deck is generated entirely in your browser; the sectors you tick and the file you download are not transmitted to our servers.
- Unsubscribe (/unsubscribe): the token from your email link plus the email address it represents, used to mark your address as suppressed.
- Server logs: standard request metadata (IP-derived geo, user agent, timestamp, requested path) used for security, abuse detection and to evidence consent.
2. Why we use it (lawful basis)
We process your data to (a) respond to your inquiry, application or matcher request; (b) operate, secure and improve the site; (c) comply with legal obligations including PIPEDA accountability, CASL consent records and Nepal Electronic Transactions Act record-keeping; and (d) where you have opted in, send you the one transactional email and one IR follow-up described in the Terms. Our lawful bases are your consent (matcher email opt-in, careers application, contact form), the necessity of contract performance (after we engage you), and our legitimate interests in running a secure website.
3. What we do not do
We do not sell personal data. We do not share it with third parties for advertising. We do not run third-party advertising trackers, retargeting pixels or social-media beacons. We do not enrol you in marketing newsletters from a single matcher submission. We do not transfer applicant data outside our processors without equivalent safeguards.
4. Storage, access & retention
Documents you upload are stored in private object storage; they are accessible only via signed links by named Sachaltech hiring leads and never made public. Application records are retained for up to 24 months unless you request deletion sooner. Matcher email records are retained for 12 months under CASL recordkeeping, then purged unless you separately engage with us. Server logs are retained for 90 days.
5. International transfers
Sachaltech operates between Nepal and Canada. Personal data may be processed in either country and by our infrastructure providers. Where Canadian personal information is processed in Nepal, we apply contractual safeguards equivalent to the protections required by PIPEDA. Where Nepali personal data is processed in Canada, we comply with the Individual Privacy Act, 2075 cross-border provisions.
6. Your rights
You may request access to, correction of, or deletion of your data at any time by emailing privacy@sachaltech.com. We will respond within the statutory timeframes — 30 days under PIPEDA, comparable windows under Nepal's Individual Privacy Act, 2075. If you are unhappy with our response you may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the National Information Commission, Nepal (nic.gov.np). You may also unsubscribe from any future email by clicking the link in any email we send or by visiting /unsubscribe.
6a. Rights by jurisdiction (worldwide)
- EU / EEA (GDPR): rights of access (Art. 15), rectification (16), erasure (17), restriction (18), portability (20), objection (21), and not to be subject to solely automated decision-making with legal effects (22). Lodge complaints with your local Supervisory Authority (list at edpb.europa.eu).
- UK (UK GDPR + DPA 2018): equivalent rights; complaints to the Information Commissioner's Office (ico.org.uk).
- Switzerland (FADP): right to information, correction, deletion; complaints to the FDPIC.
- California (CCPA/CPRA): right to know, delete, correct, opt-out of sale/sharing (we do neither), limit use of sensitive PI, and non-discrimination. We honour Global Privacy Control signals. We do not knowingly sell or share personal information of minors under 16.
- Quebec (Law 25): right to data portability (in force Sept 2024), right to be informed of automated decisions, complaints to the Commission d'accès à l'information.
- Canada — federal (PIPEDA): access & correction within 30 days; complaints to the Office of the Privacy Commissioner of Canada (priv.gc.ca).
- Brazil (LGPD): rights under art. 18 — confirmation, access, correction, anonymisation/blocking/deletion, portability, information about shared parties; complaints to ANPD.
- India (DPDP Act 2023): right to access, correction, erasure, grievance redressal and nominate; complaints to the Data Protection Board of India.
- Australia (Privacy Act 1988 + APPs): APP 12/13 access & correction; complaints to OAIC.
- Singapore (PDPA): access & correction; complaints to PDPC.
- South Africa (POPIA): rights under s. 23 & 24; complaints to the Information Regulator.
- Nepal (Individual Privacy Act 2075): rights of access, correction and confidentiality; complaints to the National Information Commission (nic.gov.np).
6b. Automated decision-making & AI
We do not use solely automated decision-making to make decisions producing legal or similarly significant effects on you. The Investor Deal Matcher and the proposal ROI calculator generate illustrative output only; humans review every commercial decision. AI features comply with the EU AI Act (Reg. 2024/1689) transparency obligations and the Canadian Voluntary Code on Generative AI.
6c. Children & minors (worldwide)
The site is intended for adults. We do not knowingly process data of users under 16 (EU/UK), 14 (Quebec, Brazil, Spain, South Korea), or 13 (US COPPA). If a minor has submitted data, contact us and we will delete it.
7. Cookies & similar technologies
We use only the minimum cookies necessary to operate the site and remember your preferences. We do not run third-party advertising trackers. Full table of every storage key we set is in the dedicated Cookie Policy.
8. Children
Sachaltech's services are intended for adults. We do not knowingly collect personal data from anyone under 16. If you believe a minor has submitted data, contact us and we will delete it.
9. Changes
We may update this policy from time to time. The version in effect when you submitted a form applies to that submission; material changes are dated above.
10. Contact
Privacy questions and data-rights requests: privacy@sachaltech.com. General: hello@sachaltech.com.