Privacy Policy for Compass by Tabiya
Last updated: March 03, 2025
1. Introduction
1.1 Purpose
Welcome to Compass (“Compass” or the “Service”), an AI-driven platform designed to help individuals assess and articulate their skills. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use Compass. We comply with the EU General Data Protection Regulation (GDPR), South Africa’s Protection of Personal Information Act (POPIA), and Kenya’s Data Protection Act, 2019 (DPA). In line with these laws, we ensure transparency, fairness, and security in all our data processing activities. For Kenyan users: We have appointed a Kenya-based representative to facilitate compliance with Kenya’s DPA, as detailed in the Contact section of this Policy.
1.2 Who We Are
Compass is operated by Tabiya, a fiscally sponsored project of the Global Development Incubator (GDI), a 501(c)(3) nonprofit organization based in the United States. While Tabiya manages day-to-day operations of Compass, GDI is the legal entity responsible for our compliance and liability matters. In this document, references to “we,” “us,” or “our” mean Tabiya and/or GDI acting on Tabiya’s behalf.
1.3 Additional References
Your use of Compass is also subject to our Compass Terms of Use (the “Terms”), which incorporate this Privacy Policy by reference. If you have any questions about how Compass works from a technical or usage standpoint, please see our documentation or Terms of Use.
2. Personal Data We Collect
When you use Compass, we may collect the following types of personal information:
- Account Information: When you register or use Compass, you provide us with personal details such as your name and email address. This information is used to create your account and identify you on the platform.
- Basic Demographics: You may be asked to provide, or we may infer, basic demographic information such as your age range, language preference, or general location. This helps us tailor the user experience and content (for example, selecting appropriate language models or content relevant to your region).
- Usage Analytics: We collect data about how you interact with Compass. This includes details like the features you use, pages or screens you visit, time spent on the platform, and other usage statistics. We may also collect technical information such as your IP address, device type, browser type, and operating system. This data is typically collected through analytics tools or cookies to help us understand and improve how users use Compass.
- Conversation Content: Compass is an AI-powered platform that may involve conversational interactions. We store the content of your conversations or queries and the AI-generated responses (“conversation contents”) when you use the service. This allows you to review past interactions and helps us ensure the service functions correctly.
- Skill Outcomes and Results: If Compass provides assessments, recommendations, or skill-related outcomes, we record those results for your reference and to track your progress. For example, if Compass helps you with learning or decision-making tasks, the outcomes or feedback from those tasks may be saved.
We collect the above information either directly from you (when you input it into Compass) or automatically through your use of the platform (in the case of usage analytics and certain conversation data). Where we ask for personal information, you can choose not to provide it; however, some features (like account-related services) may not be available without the necessary data.
We do not collect or process any information considered sensitive personal data under Kenya’s DPA (and similar laws like GDPR or POPIA) unless you have provided explicit consent or it is otherwise permitted by law. This means we do not ask for data such as biometric identifiers, health information, or details about your race or ethnicity in the normal course of our services. By limiting our data collection in this way, we avoid processing data that would require explicit consent under Kenyan law or other regulations.
3. How We Use Your Personal Data
We use the collected personal data for various purposes consistent with this Privacy Policy:
- Providing the Service: We use your account information to authenticate you and allow access to Compass. Conversation content and skill outcome data are used to operate the AI features, generate appropriate responses, and provide you with personalized or context-aware results.
- Improving and Developing Compass: Usage analytics and conversation data help us understand user interactions and preferences. We analyze this information to fix bugs, improve AI accuracy, develop new features, and enhance the overall user experience. For instance, knowing which features are most popular or where users encounter difficulties helps us refine Compass.
- Communication: We may use your email address to send service-related communications, such as account verification, notifications about important changes or updates to Compass, security alerts, or to respond to your inquiries. If you agree, we might also send occasional newsletters or tips on using Compass effectively. You can opt out of non-essential emails at any time.
- Safety and Legal Compliance: We may monitor use of Compass to prevent abuse and keep the platform safe (for example, detecting use that violates our Terms of Use or could be harmful). We also process personal data as necessary to comply with legal obligations, such as keeping records required by law or responding to lawful requests by public authorities.
- Third-Party Services Operation: Some of your data is used in conjunction with third-party services that enable Compass’s core functions (detailed below in “Third-Party Services”). For example, your conversation queries are sent securely to our AI provider (Google Gemini API) to generate responses, and your information may be stored in our database service (MongoDB Atlas).
4. Legal Bases for Processing and Consent
Our processing of personal data is based on lawful grounds as required under GDPR, POPIA, and Kenya’s DPA:
- Contractual Necessity: Much of our data processing is to fulfill our contract with you (for example, providing the services you signed up for).
- Legitimate Interests: We may process data for our legitimate business interests, such as improving our services, understanding how users interact with our platform, and ensuring IT security. We will always consider your rights and objections in such cases.
- Legal Obligation: Some processing is necessary for compliance with our legal obligations, such as maintaining records for tax purposes or responding to lawful requests by authorities.
- Consent: Where we rely on your consent (for instance, for optional marketing communications), you have the right to withdraw that consent at any time.
Importantly, we do not process any sensitive personal data (also known as special personal information under POPIA or special category data under GDPR) that would require explicit consent under Kenyan law. By design, our services avoid collecting data like health details, biometric data, or information on your race/ethnicity. In the rare event we need to handle sensitive personal data, we will only do so in strict compliance with the law – meaning we would first obtain your explicit consent or ensure another authorized legal basis applies.
5. International Data Transfers
Compass is a global service, and your personal data may be transferred and stored across international borders. Kenyan user data, in particular, is stored and processed on Google Cloud servers located in the United States. This means your information is transferred outside of Kenya (and may also leave the EU/EEA and South Africa). We understand the importance of protecting your data during these transfers and implement appropriate safeguards in line with GDPR, POPIA, and Kenya’s DPA requirements:
- We use Standard Contractual Clauses (SCCs) and similar legal agreements to ensure that any personal data transferred out of the EU or Kenya is afforded an equivalent level of data protection. These contractual safeguards bind our service providers (like Google Cloud) to protect your information and respect your privacy.
- We have assessed that Google Cloud’s security measures (including encryption of data at rest and in transit, access controls, and regular security audits) provide robust protection for your data.
- In compliance with Kenya’s DPA, we have provided proof of adequate data protection safeguards for transfers outside Kenya. We only transfer Kenyan personal data when we are satisfied that legal mechanisms and security measures are in place to protect it, or when you have given us consent where required by law.
- Regardless of where your data is processed, we apply the same privacy protections described in this Policy. Our practices ensure that all international transfers of personal data are conducted securely and lawfully.
6. Your Data Protection Rights
We want you to be fully aware of your rights regarding your personal data. Compass respects and upholds the rights granted to individuals under GDPR, POPIA, and Kenya’s DPA. These rights include:
- Right to Be Informed: You have the right to clear and transparent information about how your data is collected and used. This Privacy Policy, and any related privacy notices, are intended to keep you informed.
- Right of Access: You can request a copy of the personal data we hold about you, as well as information on how we process it. We will provide this information, subject to some exceptions (for example, if providing certain data would infringe on someone else’s rights).
- Right to Correction (Rectification): If any personal data we have about you is incorrect or outdated, you have the right to request that we correct or update it. We strive to ensure that all data is accurate and will promptly make corrections when notified.
- Right to Deletion (Erasure): You may ask us to delete your personal data. For Kenyan users, the DPA specifically allows you to request deletion of any false or misleading data about you. Under GDPR and other laws, you can request erasure of data in certain circumstances (for instance, if the data is no longer needed for the purposes for which it was collected, or if you withdraw consent and no other legal basis for processing applies). We will honor valid deletion requests and inform you if any legal obligations prevent us from deleting certain data (e.g., statutory record-keeping requirements).
- Right to Restrict Processing: You can request that we limit the processing of your personal data in certain situations. For example, if you contest the accuracy of your data or have objected to processing (pending our verification of those issues), you have the right to ask that we restrict the processing of your data (aside from simply storing it) until the matter is resolved.
- Right to Object to Processing: You have the right to object to the processing of your personal data for particular purposes. For instance, Kenyan and EU users have the right to object to processing that is based on our legitimate interests, or to object at any time if data is used for direct marketing. If you raise an objection, we will consider it and stop or adjust processing unless we have a compelling legitimate ground to continue or the processing is needed for legal claims.
- Right to Object to Automated Decision-Making: If we ever use automated decision-making (including profiling) that has legal or significant effects on you, you have the right not to be subject to such decisions without human intervention. Currently, Compass does not carry out any purely automated decisions that would significantly affect you. In the event this changes, we will notify you and ensure all safeguards required by GDPR and Kenya’s DPA (such as obtaining your consent or providing an opt-out) are in place.
- Right to Data Portability: Where applicable (under GDPR), you have the right to request that we provide your personal data in a structured, commonly used, and machine-readable format, and you can ask us to transmit it to another data controller when technically feasible.
- Right to Withdraw Consent: If we are processing your personal information based on consent, you have the right to withdraw that consent at any time. Once you withdraw consent, we will stop the specific processing that relied on consent. (Please note, withdrawing consent does not affect the lawfulness of processing we conducted prior to the withdrawal.)
To exercise any of these rights, please contact us using the information provided in the Contact section below. We will respond to all legitimate requests within the timeframe required by law (for example, within one month for most requests under GDPR). There is no fee for making such requests, but we may need to verify your identity to ensure we do not disclose data to the wrong person.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. This means:
- If you have an account with us, we will keep your information for as long as your account is active and for a reasonable period thereafter in case you decide to return to our services. If you close your account or it becomes inactive, we will delete or anonymize your data after a defined retention period.
- If we process your data for a specific campaign or based on your consent for a limited purpose (for example, a promotion you signed up for), we will delete the data after the campaign ends or if you withdraw consent, unless we need to retain it for another lawful reason.
- In all cases, we review the necessity of keeping personal data. We follow the principle set by Kenya’s DPA and other laws that personal data should not be kept longer than is necessary. When data is no longer needed, we securely erase, anonymize, or destroy it.
Certain laws may require us to keep information for fixed periods. For instance, financial or transaction records might be kept for several years for tax or auditing purposes. Even if we keep data for these reasons, we will not use it for other purposes and will archive or secure it appropriately.
8. Data Security
We take the security of your personal data seriously and implement appropriate technical and organizational measures to safeguard it:
- Encryption & Access Control: We use industry-standard encryption to protect data during transmission (TLS/SSL) and at rest. Access to personal data is restricted to authorized personnel who require it for their job duties, and we employ strong authentication measures (such as secure passwords and two-factor authentication) to prevent unauthorized access.
- Administrative Safeguards: Our staff are trained on data protection principles and are bound by confidentiality obligations. We have internal policies and procedures to handle data securely and to respond quickly to potential incidents.
- Physical and Network Security: Our servers (including those hosted on Google Cloud in the U.S.) are protected in secure facilities with measures like firewalls, intrusion detection systems, and regular security monitoring. Google Cloud’s infrastructure is certified under internationally recognized security standards, which helps ensure that your data is stored safely.
- Regular Audits and Testing: We periodically review our security practices and conduct risk assessments. We also maintain a data breach response plan. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the appropriate authorities as required by GDPR, POPIA, and Kenya’s DPA.
While we strive to protect your information, no method of transmission over the internet or method of electronic storage is 100% secure. However, we continuously update and improve our security measures to mitigate risks and protect your personal data.
9. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us. We are here to help and will respond to your inquiries promptly.
- General Privacy Contact: You can reach our designated Privacy Officer for Compass via email at compass-privacy@tabiya.org. This is our primary contact for all data protection queries, including requests to exercise your rights or complaints about how we handle your information.
- Kenya Data Protection Representative: In compliance with Kenya’s Data Protection Act, we have appointed a representative based in Kenya to act on our behalf regarding Kenyan data protection matters. Kenyan users (or the Office of the Data Protection Commissioner) may contact our Kenya representative by email at compass-privacy-kenya@tabiya.org.
- Other Jurisdictions: If you are in the EU/EEA or South Africa, our general privacy contact above will also route your inquiry appropriately. We treat all region-specific requests with equal care and in accordance with applicable laws.
We value your privacy and encourage you to reach out if you have any questions or if you believe your personal data is not being handled in accordance with this Policy or applicable law. Additionally, you have the right to lodge a complaint with a supervisory authority or data protection regulator. For example, Kenyan users can contact the Office of the Data Protection Commissioner (ODPC) in Kenya, South African users can reach out to the Information Regulator (South Africa), and EU users can contact their local Data Protection Authority. We would, however, appreciate the chance to address your concerns directly before you approach a regulator, so please consider contacting us first.
10. Updates to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or to ensure compliance with legal requirements. When we make significant changes, we will notify you through appropriate channels (for example, via email or a notice on our website). The “last updated” date at the top of this Policy will always indicate when the latest changes were made.
By continuing to use our services after an update, you acknowledge the revised Policy. However, if the changes require your consent (e.g., if we start processing new categories of personal data), we will seek your consent as required.