Privacy Policy
Effective: April 2026 · Last updated: April 2026
النسخة العربية قادمة قريبًا. The Arabic version is coming soon. In case of conflict, the English version is authoritative.
1. Introduction
Cheghel ("we", "us", "Cheghel") is a Lebanese job platform operating at cheghel.com. We connect job seekers (white-collar professionals, blue-collar workers, freelancers, and Lebanese diaspora) with employers who post real, paid, funded positions.
This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and the rights you have over it. It applies to:
- The Cheghel website and Progressive Web App at cheghel.com
- Future Cheghel mobile apps for iOS and Android
- WhatsApp and Telegram alerts and integrations operated by Cheghel
- Transactional and opt-in emails sent from @cheghel.com
English is the authoritative version of this policy. An Arabic translation will follow. If there is any conflict, the English version prevails.
2. Data Controller and Contact
- Data controller: Cheghel (legal entity name to be finalised at launch).
- Privacy contact / DPO: privacy@cheghel.com
- Legal contact: legal@cheghel.com
- Postal address: Beirut, Lebanon (full address to be added at company registration).
- EU representative: Not currently appointed. Cheghel does not target EU residents, but we honour data rights requests from anywhere in the world.
3. Data We Collect
We group the data we collect into the same categories used by Apple's privacy labels and Google Play Data Safety, so you can compare directly.
a) Contact Info
- Email address — required to create an account.
- Full name — required on your profile.
- Phone number / WhatsApp number — optional, used mainly for blue-collar listings where one-tap WhatsApp apply is the expectation.
- Physical address — we do not collect a home address. We only store your Lebanese governorate selection.
b) Identifiers
- A Cheghel user ID (a random UUID generated at signup).
- Google account identifier — only if you sign in with Google OAuth.
- Device identifiers — we do not use Apple's IDFA or IDFV, nor any equivalent cross-app identifier. If a future mobile app ships, it will use Apple's session-only, on-device identifiers only.
c) User Content
- CV / resume file (PDF or DOCX) and extracted text.
- Profile photo, headline, bio.
- Skills, portfolio URLs, LinkedIn URL.
- Salary expectation and availability.
- Job applications you submit and cover messages.
- Reviews you leave about companies. Your review text is public; your identity as the reviewer is never shown publicly and is permanently protected under Law 81/2018 (see Section 5).
- Saved jobs and saved search alerts.
- Messages you send to employers through Cheghel, if any.
d) Usage Data
- Pages you view and links you click on Cheghel.
- Search queries you run on the platform.
- Which jobs you view, save, and apply to.
- Session duration and activity timing.
- Referrer URL (where you came from to reach Cheghel).
e) Diagnostics
- Crash logs via Sentry. Personal data is scrubbed from crash logs before they leave your device or our server.
- Performance metrics (load times, error rates).
- Error messages (without your personal content).
f) Location Data
- Your Lebanese governorate (Beirut, Mount Lebanon, North, Akkar, Bekaa, Baalbek-Hermel, South, Nabatieh) or "Abroad" selection.
- We do not collect precise GPS or device-level location.
- IP addresses are logged with login events for security, abuse detection, and fraud prevention, and retained for 90 days.
g) Sensitive Data — what we do not collect
- We do not collect religion, sect, political views, sexual orientation, or health data.
- We enforce this at the platform level: employer HR queries that contain religion, sect, or community keywords are hard-blocked and never reach our AI provider. The attempt is logged as a compliance event for moderation.
- Gender filters (male / female) are permitted only where a role lawfully requires them (for example, a women's-only workspace).
h) Financial Info
- All card payments are processed by Tap Payments. E-wallet payments are processed by Whish Money.
- We never store full card numbers, CVV, expiry dates, or banking credentials. These never touch our servers.
- We store only: subscription status, the last four digits of the card (if the payment processor returns them), transaction IDs, amount, currency, and timestamps.
i) Data Linked to You vs. Not Linked to You
| Linked to your identity | Not linked to your identity |
|---|---|
| Account data, CV, applications, saved jobs, job alerts, subscription status, payment history, review content. | Aggregate analytics, anonymised usage heatmaps, anonymised A/B test assignments, anonymised performance metrics. |
Reviewer identity on company reviews is stored internally but is never returned by any API, UI, or admin screen. See Section 5.
4. How We Use Your Data
a) App Functionality
- Match seekers with jobs using profile data and search filters.
- Process applications (CV + profile + the job you applied to).
- Manage reviews, including moderation and employer replies.
- Manage subscriptions and payment status.
b) Communications
- Transactional emails: welcome, application received, application status changes, review published, password reset, billing receipts.
- Weekly "Top Jobs for You" digest — opt-in only, with a one-click unsubscribe link in every email.
- WhatsApp job alerts via Twilio — opt-in only, and you can opt out at any time from your profile or by replying STOP.
- We do not send marketing or promotional emails without your explicit consent.
c) Analytics
- We use PostHog for product analytics, anonymised by default.
- Analytics only load if you accept analytics cookies in the consent banner. If you choose "Essential only", PostHog is never initialised.
- We use analytics to understand feature usage in aggregate, not to profile individuals.
d) Product Personalisation
- AI job recommendations based on your extracted profile and activity.
- Search result ranking tailored to your history.
- All personalisation happens server-side. The results are visible only to you.
e) Fraud Prevention and Security
- Detecting spam accounts, fake jobs, and abusive behaviour.
- Rate limiting to prevent automated abuse.
- Login anomaly detection based on IP and session patterns.
f) Legal Compliance
- Retaining financial records for 7 years as required by Lebanese tax law.
- Responding to valid legal requests from Lebanese authorities where there is a lawful basis.
5. The 3-Tier Information Wall
Cheghel uses a tiered disclosure model for job listings:
| Tier | Sees |
|---|---|
| Visitors (logged out) | Job title, description, category, governorate, type. |
| Registered free users | Everything above, plus the company name. |
| Cheghel Plus subscribers ($2.99/month tier) | Everything above, plus the full salary and the Apply button. |
Reviewer identities are never disclosed — not to other seekers, not to employers, not through the admin UI, and not via any API. This is a permanent protection under Law 81/2018 and is enforced at the database row-level security layer.
6. Legal Bases for Processing
| Purpose | Legal basis |
|---|---|
| Account, applications, subscriptions | Contract performance |
| Fraud prevention, security, abuse detection | Legitimate interest |
| Marketing, analytics cookies, WhatsApp alerts | Consent (opt-in) |
| Financial record retention, law enforcement cooperation | Legal obligation |
7. Third-Party Service Providers
We rely on the following providers. Each one processes data only for the purpose listed below, under a written contract.
| Provider | Purpose | Data shared | Location | Policy |
|---|---|---|---|---|
| Supabase | Database, authentication, file storage | All user data | AWS US-East | link |
| Resend | Transactional email delivery | Email address, email contents | United States | link |
| Tap Payments | Card payment processing | Card details (on their infrastructure), billing metadata | MENA region | link |
| Whish Money | E-wallet payment processing | Phone number, payment metadata | Lebanon | whish.money |
| Sentry | Error and crash reporting | Scrubbed error logs (PII removed) | United States | link |
| PostHog | Product analytics (opt-in only) | Anonymised usage events | United States / EU | link |
| Anthropic (Claude) | AI screening, CV extraction, HR queries | CV text and job text submitted by our servers. Anthropic does not train on API data. | United States | link |
| OAuth sign-in (optional) | Email, name, avatar (only if you choose Google sign-in) | United States | link | |
| Twilio | WhatsApp alerts (opt-in) | Phone number, message content | United States | link |
| Vercel | Hosting and edge network | Request logs (IP, user agent, path) | United States | link |
What we do NOT do:
- We do not sell your personal data.
- We do not share your data with advertisers.
- We do not use data brokers.
- We do not transfer your data to any third party outside the providers listed above.
8. Data Retention
| Data | Retention |
|---|---|
| Account data (profile, applications, saved jobs) | While your account is active |
| Deleted account data | Removed within 30 days |
| Reviews written by a deleted user | Review text remains published; reviewer link is set to NULL permanently |
| Payment and billing records | 7 years (Lebanese tax law) |
| IP address logs | 90 days |
| Email delivery logs | 90 days |
| Crash / error logs (Sentry) | 30 days |
| Database backups | 35-day rolling window |
| Email unsubscribe suppression list | Kept indefinitely, so we never email you again after you opt out |
9. Your Rights
Under Lebanon Law 81/2018 and GDPR-equivalent principles, you have the following rights:
- Right of access — request a copy of the personal data we hold about you. Self-serve at /data-request.
- Right of deletion — request deletion of your account. Self-serve at /data-request.
- Right of correction — edit your profile, or email privacy@cheghel.com.
- Right of portability — get a JSON export of your data via /data-request.
- Right to withdraw consent — unsubscribe links in emails, WhatsApp STOP, and your profile settings.
- Right to object to a specific processing activity — email privacy@cheghel.com.
- Right to lodge a complaint with the relevant Lebanese data protection authority.
We respond to all rights requests within 30 days, as required by Law 81/2018. Self-serve actions are immediate.
10. Children's Privacy
- Cheghel is not intended for users under 18.
- We do not knowingly collect data from minors.
- If we discover that an account belongs to a minor, we delete it within 7 days.
- Parents or guardians can email privacy@cheghel.com to report a minor's account or request its deletion.
11. International Data Transfers
Your data may be processed in the United States or the European Union by our providers (see Section 7). Where available, we rely on standard contractual clauses or equivalent safeguards. By using Cheghel from Lebanon, you consent to this transfer for the purposes described in this policy.
12. Security Measures
- Encryption in transit using TLS 1.2 or higher.
- Encryption at rest at the database level.
- Row-level security on every database table.
- Two-factor authentication available on your account.
- Regular security reviews and dependency audits.
- Documented incident response plan. Any confirmed breach is notified within 72 hours, as required by Law 81/2018.
13. Cookies and Tracking
- Essential cookies (cannot be disabled): authentication session, language preference, and your cookie consent choice itself.
- Optional cookies (require consent via the banner): PostHog analytics.
- No third-party advertising trackers.
- No Meta / Facebook pixels.
- No cross-site tracking.
- No device fingerprinting.
See our Cookie Policy for details and controls.
14. Mobile App Privacy (Future iOS and Android Apps)
Cheghel is currently a web and Progressive Web App. When native iOS and Android apps launch, the following additional rules will apply, consistent with this policy:
- App Tracking Transparency (ATT): We do not track you across apps or websites owned by other companies. Our ATT answer is "not tracking".
- No IDFA or IDFV collected or used.
- Push notifications: opt-in only, with system-level and in-app toggles.
- Background location: not collected.
- Contacts, photos, microphone, camera: accessed only with your explicit permission, and only when you use the feature that needs it (for example, uploading a profile photo).
- Face ID / Touch ID: used on-device only to unlock the app if you enable it. We never see biometric data.
15. Changes to This Policy
- We notify users of material changes by email and an in-app banner, at least 30 days before they take effect.
- Non-material changes (typo fixes, clarifications, broken links) may be posted without notification.
- Previous versions are available on request.
16. Contact Us
- Privacy questions: privacy@cheghel.com
- Data access, export, or deletion requests (fastest route): /data-request
- Legal notices: legal@cheghel.com
- Postal: Beirut, Lebanon (full address at company registration).