Privacy Policy

1. Who We Are

A-One Global Resourcing Ltd ("AOGRL", "we", "us") operates ReachX under the WimaCom brand. We are registered in Mauritius (BRN: C22185206), Morrisson Street, Souillac, Mauritius. Contact: deals@aogrl.com · +230 5788 7132.

ReachX processes two distinct categories of personal data, and our legal role differs between them:

• For your account data and staff records: AOGRL is the Data Controller — we determine how this data is collected and used to provide the platform.
• For candidate profiles, employer records, and placement data that you enter into ReachX: AOGRL is the Data Processor, acting on your instructions. Your organisation is the Data Controller for this data.

2. What Data We Process

The following categories of personal data are processed within ReachX:

• Candidate profiles (entered by you as Data Controller): Full name, email address, phone number, location/nationality, CV and work history, educational background, skills and certifications, sector preferences, salary expectations, availability, employment status, and any notes or tags added by your consultants.
• Employer (client) records (entered by you as Data Controller): Company name, registered address, sector, company size, primary hiring contacts (name, job title, direct email, phone), open role requirements, billing and commercial terms, and interaction history.
• Placement outcomes: Role filled, candidate placed, placement date, fee value, employer confirmation — used to build your agency's placement reporting and revenue analytics.
• Staff account data (AOGRL as Data Controller): Consultant name, work email address, assigned role and permissions, login history, and account activity logs.
• Usage logs (AOGRL as Data Controller): Login timestamps, IP addresses, feature usage patterns, and error logs used for platform security monitoring and performance improvement.
• Subscription and billing data (AOGRL as Data Controller): Invoicing name, business address, and payment records retained for financial compliance.

3. How We Use Your Data

• To provision, operate, and maintain the ReachX platform for your agency.
• To authenticate staff members and maintain secure session management.
• To power pipeline tracking, outreach sequencing, and analytics features within your organisation's isolated workspace.
• To generate aggregated, non-personal usage analytics that inform platform improvements.
• To send transactional system communications (account notifications, subscription invoices, security alerts).
• To fulfil legal and regulatory obligations under Mauritius law.

We do not sell your data or your candidates' data to any third party. We do not use candidate or employer data to train AI models or to serve advertising. We do not share your agency's data with any other ReachX customer.

4. Legal Basis for Processing (GDPR & Mauritius DPA 2017)

• Contract performance: Processing your account and staff data to deliver the ReachX service under your subscription agreement.
• Legitimate interests: Security monitoring, fraud prevention, abuse detection, and aggregated platform analytics.
• Legal obligation: Retention of financial records and audit trails as required under Mauritius law.
• On your documented instructions (processor basis): All processing of candidate profiles, employer records, and placement data, which you control as Data Controller and instruct us to process on your behalf.

5. Data Storage & Security

All ReachX data is stored on Supabase (EU region) infrastructure, providing PostgreSQL-backed storage with the following protections:

• Strict organisation-level data isolation — no cross-tenant data access is architecturally possible.
• Encryption in transit using TLS 1.2 or higher on all connections.
• Encryption at rest for all stored data.
• Staff passwords hashed with bcrypt — plaintext credentials are never stored or transmitted.
• Role-based access controls — consultants see only what their assigned role permits.
• Automated database backups with point-in-time recovery capability.
• Application deployed on Railway cloud infrastructure with environment variable isolation.

6. AI Features & Data Usage

Where ReachX includes AI-assisted features (such as outreach drafting, pipeline recommendations, or analytics summaries), these features operate as follows:

• AI queries are run against your organisation's isolated dataset only — no cross-tenant data is used.
• Where external AI models are invoked, only aggregated query results and non-identifying summaries are sent — raw personal data (candidate names, contact details, CVs) is not transmitted to external AI providers.
• AI-generated content is not used to make autonomous hiring, screening, or rejection decisions — all outputs are for consultant review only.
• AOGRL does not use candidate or employer data to train, fine-tune, or improve any AI model.

7. Data Retention

• Candidate profiles, employer records, and placement data are retained for the duration of your active subscription.
• Upon subscription termination, all data is available for export for 30 days, after which it is permanently and irreversibly deleted from AOGRL's systems.
• Staff login and activity logs are retained for 12 months for security and audit purposes.
• Financial records (invoices, payment history) are retained for 7 years in accordance with Mauritius tax and accounting law.
• You may request early deletion of specific data categories at any time by contacting deals@aogrl.com.

8. Your Rights & Candidates' Rights

Your rights as account holder (GDPR & Mauritius DPA 2017):

• Right of access to your account and staff data held by AOGRL.
• Right to rectification of inaccurate account data.
• Right to erasure of your account data (subject to legal retention obligations).
• Right to data portability of your account records.
• Right to object to processing based on legitimate interests.

Submit requests to deals@aogrl.com. We will respond within 30 days.

Candidate and employer data subject rights: As the Data Controller for candidate and employer data, you — the subscribing agency — are responsible for handling rights requests from those individuals. ReachX provides data export and deletion tools to assist you. AOGRL will support you in fulfilling these requests upon your written instruction.

9. Third-Party Services

• Supabase (EU region) — primary database and authentication infrastructure. Candidate, employer, and placement data is stored here. Supabase processes data under its own Data Processing Agreement and is GDPR-compliant.
• Railway — application hosting and deployment infrastructure. Application code and environment configurations are hosted here. Railway does not have direct access to your data.
• Email SMTP provider — configured by your organisation. AOGRL does not process the content of outreach emails you send through your own SMTP credentials.
• WhatsApp Business API provider — where integrated, subject to Meta's Business Policy and your own configuration. AOGRL does not store the content of WhatsApp messages sent through the integration.

AOGRL does not transfer your personal data to third parties for marketing, advertising, or data brokerage purposes.

10. Cookies & Tracking

ReachX uses only essential cookies required for authentication and session management. No advertising cookies, tracking pixels, or third-party analytics scripts are deployed on the ReachX platform. No cross-site tracking of candidates or employers is conducted.

11. Changes to This Policy & Contact

AOGRL will notify your registered email address at least 14 days before any material changes to this Privacy Policy take effect. Continued use of ReachX after the notice period constitutes acceptance of the updated policy.

Data Protection Contact:
A-One Global Resourcing Ltd
Morrisson Street, Souillac, Mauritius · BRN: C22185206
Email: deals@aogrl.com · Phone: +230 5788 7132

You may also lodge a complaint with the Data Protection Office of Mauritius: dataprotection.govmu.org