Privacy Policy

JOM is operated by Jom IT Technologies Sdn. Bhd. ("JOM", "we", "us"), a company incorporated in Malaysia. We provide a multi-tenant talent platform that helps client organisations understand and develop their people through AI-assisted competency assessments, interview tooling, and talent analytics.

For account holders signing up directly, JOM is the data controller. When we process employee data on behalf of a client organisation (our customer), JOM acts as a data processor and the client organisation is the controller — their privacy notice governs that processing in addition to this one.

Questions about this policy or your data: dpo@get-jom.com.

Account data. When you sign in we record your email address, name, and (for SSO users) your provider profile picture. With email OTP we also record the one-time code (hashed) and the time it was issued.

Employee and assessment data. If your organisation uses JOM, we process employee profile information, role and competency data, CVs, assessment narratives, interview transcripts, and chat conversations with our AI assistant. This data is uploaded by your employer or generated by your use of the platform.

Voice recordings. If you use voice features, audio is stored temporarily (24 hours) for transcription and is then deleted automatically.

Usage data. We collect basic analytics (pages visited, features used, error events) via PostHog to understand and improve the product. We do not collect browsing history outside JOM.

Cookies. We use first-party cookies strictly to keep you signed in. We do not use advertising or cross-site tracking cookies.

We use personal data to:

• Provide and operate the JOM platform you or your employer subscribed to
• Generate AI-assisted outputs such as competency assessments, skill maps, and interview questions (these outputs are decision support, not automated decisions)
• Send transactional emails such as sign-in codes and account notifications
• Diagnose errors, prevent abuse, and improve the service
• Comply with legal obligations

We do not sell personal data, share it with advertisers, or use it to train third-party AI models outside the providers listed in our subprocessors page.

JOM processes personal data in accordance with the Malaysian Personal Data Protection Act 2010 (PDPA). We commit to its seven principles:

• Notice and Choice — this policy is our notice to you about how your data is handled.
• Disclosure — we only disclose data to the subprocessors listed on our subprocessors page, and only for the purposes described here.
• Security — we use encryption, access controls, and audit logging to protect personal data.
• Retention — we keep data only as long as needed; see the retention section below.
• Data Integrity — we keep personal data accurate and let you correct it.
• Access — you have the right to access and correct your personal data (see “Your rights” below).
• General Principle — we process personal data only with consent or another lawful basis under the PDPA.

This notice is provided in English. A Bahasa Malaysia translation is available on request — email dpo@get-jom.com.

We share personal data with the vetted infrastructure and tooling providers listed on our subprocessors page. Each is bound by a data processing agreement and may only process data on our instructions.

If your employer is a JOM customer, we share your assessment and profile data with authorised users in that organisation — that is the point of the platform.

We may disclose data to law enforcement where compelled by a valid legal order, and will notify affected users where lawful to do so.

Our primary infrastructure (database, application hosting) is located in Singapore. Some subprocessors are based in the United States — see our subprocessors page for the full list of locations. Cross-border transfers follow Section 129 of the Malaysian PDPA: data is only transferred to jurisdictions or subprocessors that offer substantially similar protection, or where you have consented to the transfer.

• Account data: while your account is active, plus 12 months
• Employee and assessment data: for the duration of your employer's contract with us, then deleted or returned per their instructions
• Voice recordings: automatically deleted after 24 hours
• Sign-in codes: 10 minutes (then expired)
• Server logs: 30 days
• Analytics events: 12 months

We may retain anonymised, aggregated data indefinitely for product and research purposes — this data cannot be linked back to you.

Depending on where you live, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your data (subject to legal exceptions)
• Export your data in a portable format
• Object to or restrict certain processing
• Withdraw consent at any time
• Lodge a complaint with your data protection authority

If your data is held on behalf of your employer, please direct rights requests to them first — they control that data. For data we hold as controller, email dpo@get-jom.com and we will respond within 30 days.

We encrypt data in transit (TLS) and at rest, use role-based access controls, audit sensitive operations, and follow least-privilege principles for our team. No system is completely secure — if you believe your account has been compromised, contact support@get-jom.com immediately.

JOM is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided data to us, contact us and we will delete it.