Legal Information
Privacy Policy
Overview and Scope
This Privacy Policy explains how CVProfile (the service that turns a user CV into a public, shareable profile link) collects, uses, stores, and discloses personal data.
It applies to the CVProfile website, account dashboard, public profile pages, and related support, billing, and communication workflows.
This policy is written GDPR-first and is intended to be read together with our Terms of Service, Cookie Policy, and KVKK Aydinlatma Metni.
Data Controller Details (Pre-Incorporation Stage)
At this stage, CVProfile is operated as a pre-incorporation startup and personal data is controlled by the founder operator.
Data Controller: Emre Taptil operating the CVProfile service until formal incorporation is completed.
Based in: Istanbul, Türkiye
Primary Legal Contact: contact@cvprofile.tr
Privacy Contact: contact@cvprofile.tr
If and when CVProfile is transferred to an incorporated legal entity, this section will be updated and users will be notified through the update process in this policy.
Categories of Personal Data
We process the following categories of personal data depending on how you use CVProfile.
- Account and identity data: email address, first name, last name, account ID, plan/tier, email verification status.
- Authentication and security data: password hash, session identifiers, password reset tokens, verification tokens, request-origin checks, and rate-limit metadata.
- Legal acceptance records: Terms of Service and Privacy Policy acceptance timestamps, version identifiers, acceptance locale, and acceptance IP metadata.
- Profile and content data: username, display name, headline, CV PDF file key, optional custom preview image key, profile status (active/disabled/released), and related timestamps.
- Billing data (limited): billing customer ID, subscription ID, subscription status, product and tier metadata, period end dates, and billing webhook payload excerpts. Polar acts as Merchant of Record and independently handles payment cards, billing country/address details, tax, and invoicing.
- Technical and usage data: IP address, request IDs, log events, browser/connection metadata, and service diagnostics.
- Cookie and preference data: locale preference cookie and essential session cookie; analytics/performance cookies where enabled under applicable consent rules.
Sources of Data
We obtain personal data directly from you, automatically from your use of the service, and from selected third-party service providers.
Direct sources include registration forms, profile updates, CV and image uploads, support requests, and consent choices.
Automatic sources include security logs, anti-abuse controls, and technical telemetry generated when you access CVProfile pages.
Third-party sources include payment status and subscription events from Polar, and service metadata from infrastructure providers used to operate CVProfile.
Purposes and GDPR Legal Bases
We only process personal data when we have a valid legal basis under Article 6 GDPR.
| Purpose | Typical Data Used | Legal Basis | Retention Baseline |
|---|---|---|---|
| Create and maintain user accounts, login sessions, and verification workflows | Email, names, password hash, session ID, verification/reset tokens | Art. 6(1)(b) contract; Art. 6(1)(c) legal obligations | Account lifetime + 24 months of inactivity baseline |
| Publish and host public CV profile links selected by users | Username, display name, headline, CV file, preview image, profile status | Art. 6(1)(b) contract; user instruction to publish content | Until user changes status, releases link, or deletes account |
| Process subscription and billing operations | User ID, email, plan/tier, customer/subscription IDs, status metadata | Art. 6(1)(b) contract; Art. 6(1)(c) legal obligations | Account lifetime; removed from CVProfile when account is deleted |
| Secure the platform and prevent abuse or unauthorized access | IP address, request metadata, rate-limit counters, log events | Art. 6(1)(f) legitimate interests (security and integrity) | 90 days |
| Service analytics and performance measurement | Aggregated interaction and performance metrics, analytics identifiers | Art. 6(1)(a) consent where required; otherwise Art. 6(1)(f) | As defined in analytics settings and 35 for backups |
| Handle legal requests, disputes, and compliance duties | Relevant account, log, billing, and communication records | Art. 6(1)(c) legal obligation; Art. 6(1)(f) legal defense | For limitation periods and mandatory legal retention windows |
Public Profile Visibility and User Responsibility Notice
CVProfile is designed for public sharing. Your profile link is publicly accessible when your profile status is set to active.
When active, visitors with your link can view and download the CV file you publish.
You can disable profile visibility (disable status), release your CV link, or delete your account. These actions remove or stop public access according to the selected action.
You are responsible for reviewing the content you upload and for avoiding publication of special category data or any information you do not intend to make public.
Processors, Sub-Processors, and Third Parties
We use trusted providers to operate CVProfile. Provider roles may be processor or independent controller depending on the processing context and legal requirements.
The list below is service-specific and may be updated from time to time.
| Provider | Service Role | Purpose | Transfer Notes |
|---|---|---|---|
| Neon (PostgreSQL hosting) | Processor | Managed database infrastructure for accounts, profiles, and billing metadata | May involve cross-border processing; safeguards apply |
| Cloudflare R2 | Processor | Storage of CV files and preview assets | May involve cross-border processing; safeguards apply |
| Resend | Processor | Transactional emails (verification, reset, account communication) | May involve cross-border processing; safeguards apply |
| Polar | Merchant of Record (independent controller for payment/tax operations) | Checkout, payment processing, invoicing, tax handling, and subscription lifecycle events | Polar terms and transfer safeguards apply |
| Vercel Analytics and Speed Insights | Processor | Site analytics and performance monitoring | May involve cross-border processing; safeguards apply |
International Transfers and Safeguards
Some of our providers may process data outside your home jurisdiction (including outside the EEA, UK, or Turkiye).
Where required, we rely on legally recognized transfer safeguards such as adequacy decisions, Standard Contractual Clauses, contractual commitments, and supplementary technical and organizational measures.
Current transfer safeguard model: Standard Contractual Clauses (SCCs) and supplementary technical and organizational safeguards.
You may request additional transfer information by contacting contact@cvprofile.tr.
Retention Periods by Category
We keep personal data only for as long as needed for the purposes described above, unless longer retention is required by law.
When deletion is requested, operational records and files are removed, while limited legal/security traces may remain for mandatory retention periods.
Payment, invoicing, and tax retention obligations are handled by Polar as Merchant of Record under Polar legal terms.
| Data Category | Default Retention |
|---|---|
| Account profile records after account deletion | 30 days |
| Inactive account baseline retention | 24 months |
| Billing integration metadata in CVProfile | Account lifetime; removed on account deletion |
| Security and abuse logs | 90 days |
| System backups | 35 days |
Your Data Protection Rights (GDPR Articles 15-22)
Subject to applicable law and verification, you may request access, rectification, erasure, restriction, objection, and data portability.
You may also withdraw consent at any time for processing based on consent (for example, non-essential analytics cookies), without affecting processing carried out before withdrawal.
To exercise your rights, contact contact@cvprofile.tr or use the request process on /contact.
You have the right to lodge a complaint with your local supervisory authority, including the competent EEA authority where applicable or the Türkiye Kişisel Verileri Koruma Kurumu (KVKK Kurumu).
Automated Decision-Making
CVProfile does not use solely automated decision-making that produces legal effects or similarly significant effects on individuals under Article 22 GDPR.
We may use automated technical checks for fraud prevention, abuse detection, and service integrity, with human oversight where needed.
Security Measures
We apply technical and organizational safeguards appropriate to the risk, including access controls, password hashing, request-origin checks, secure session handling, and service-level logging.
No system is entirely risk free. You should use strong credentials and publish only information you are comfortable sharing publicly.
If we identify a personal data breach requiring notification under applicable law, we will notify affected users and regulators as required.
Children's Data
CVProfile is not directed to children and is not intended for users under 18.
If we become aware that we have collected personal data from a child in breach of applicable law, we will take steps to delete that data promptly.
Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect legal, technical, or product changes.
The updated version will be published at /privacy with a revised Last Updated date.
Where required, we will provide additional notice for material changes.
Contact and Complaint Rights
For privacy questions, rights requests, or complaints, contact contact@cvprofile.tr.
General legal contact: contact@cvprofile.tr. CVProfile is based in Istanbul, Türkiye.
You also have the right to file a complaint with your competent data protection authority if you believe your personal data has been processed unlawfully.