GDPR Privacy Policy

1. Data Controller

ProCvLab ("we", "us", "the Platform") is the data controller responsible for processing your personal data. This privacy policy has been prepared in accordance with the EU General Data Protection Regulation (GDPR - Regulation 2016/679).


2. What Data We Collect and Why (Lawful Basis)
2.1 Data You Provide Directly
Data Category | Purpose | Lawful Basis
Account info (name, email, hashed password) | User account management and authentication | Contract performance (Art. 6(1)(b))
CV data (personal details, education, work experience, skills, languages, certificates, references) | CV creation and PDF generation service | Contract performance (Art. 6(1)(b))
Profile photo (optional) | Inclusion in CV if requested by user | Consent (Art. 6(1)(a))
Payment information | Processing premium template purchases via iyzico | Contract performance (Art. 6(1)(b))
2.2 Data Collected Automatically
Data Category | Purpose | Lawful Basis
Technical data (IP address, browser type, OS, device info) | Platform security and abuse prevention | Legitimate interest (Art. 6(1)(f))
Usage data (page views, session duration, click data) | Service quality improvement | Legitimate interest (Art. 6(1)(f))
Cookie data (session, language preference, consent cookies) | Site functionality and user preferences | Consent (Art. 6(1)(a)) / Legitimate interest for essential cookies

3. How We Process Data (Purposes)
  • Providing the CV creation and editing service
  • Generating and delivering PDF documents (download and/or email)
  • User account management and authentication
  • Processing premium service purchases
  • AI-powered professional summary generation (via OpenAI)
  • Platform security, fraud prevention, and abuse detection
  • Service quality improvement and analytics
  • Compliance with legal obligations
  • Sending informational emails (only with your consent)

4. Data Retention Periods
Data Type | Retention Period
User account data | Until account deletion or 3 years of inactivity
CV data (registered users) | Until user deletes CV or account
CV data (guest users) | 30 days after creation
Generated PDF files | 24 hours after generation
Payment records | 10 years (legal requirement)
Consent records | 5 years after consent withdrawal or account deletion
Audit logs | 2 years
Server/access logs | 90 days

5. Third-Party Data Sharing

Your personal data may be shared with the following third parties only for the purposes described:

Third Party | Purpose | Data Shared
iyzico Payment Services | Payment processing for premium templates | Name, email, payment details (card data processed by iyzico, not stored by us)
OpenAI | AI-powered professional summary generation | CV content (work experience, skills) for summary generation only
SMTP Email Provider | Email delivery of CVs and notifications | Email address, CV PDF attachment
Hosting Provider | Technical infrastructure | All data as processor (data processing agreement in place)

Your CV data is never shared with third parties for advertising or marketing purposes.


6. International Data Transfers

Our platform is hosted in Turkey. When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • OpenAI (USA): Data is processed under Standard Contractual Clauses (SCCs) and OpenAI's data processing agreement. Only CV content necessary for summary generation is transmitted; data is not retained by OpenAI for training purposes.
  • iyzico: Payment processing is conducted within Turkey under Turkish data protection regulations (KVKK), which provide adequate protection.
  • Email delivery: Where SMTP services involve data transfer outside the EEA, appropriate safeguards (SCCs) are in place.

7. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights:

  • Right of Access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and to access that data.
  • Right to Rectification (Art. 16): You have the right to request correction of inaccurate personal data.
  • Right to Erasure (Art. 17): You have the right to request deletion of your personal data ("right to be forgotten").
  • Right to Restriction of Processing (Art. 18): You have the right to request restriction of processing of your personal data under certain circumstances.
  • Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON). You can exercise this right through the Data Export feature in your user panel.
  • Right to Object (Art. 21): You have the right to object to processing of your personal data based on legitimate interests.
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.
  • Right Not to Be Subject to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing, including profiling. ProCvLab does not make automated decisions that produce legal effects concerning you.

To exercise any of these rights, please contact our Data Protection Officer at dpo@procvlab.com or use the Data Subject Request Form.

We will respond to your request within 30 days. If the request is complex, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.


8. Data Protection Officer (DPO)

You can contact our Data Protection Officer for any questions or concerns about data protection:

  • Email: dpo@procvlab.com
  • Address: ProCvLab - Data Protection Officer, Istanbul, Turkey

9. How to Lodge a Complaint

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

You may also contact the Turkish data protection authority:

We encourage you to contact us first at dpo@procvlab.com so we can attempt to resolve your concern before you contact a supervisory authority.


10. Cookie Policy

We use cookies on our platform to ensure functionality and improve your experience. Cookies are categorized as follows:

  • Required Cookies: Essential for the site to function (session management, language preference, CSRF protection). These cannot be disabled.
  • Analytics Cookies: Help us understand how visitors use the site. You can opt out via the cookie consent banner.
  • Marketing Cookies: Used to deliver relevant advertisements. You can opt out via the cookie consent banner.

For full details, please see our Cookie Policy.

You can manage your cookie preferences at any time using the cookie consent banner at the bottom of the page or by clearing your browser cookies and revisiting the site.


11. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • SSL/TLS encryption for all data transmission
  • Password hashing using Argon2id/bcrypt algorithms
  • AES-256 encryption for sensitive data at rest
  • CSRF protection on all forms
  • Rate limiting to prevent brute-force attacks
  • Database access restricted to necessary privileges only
  • Regular security updates and vulnerability assessments

12. Children's Privacy

Our platform is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If a parent or guardian becomes aware that their child has provided us with personal data, they should contact us so that we can take appropriate action.


13. Changes to This Policy

We may update this GDPR Privacy Policy to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. Material changes will be communicated via the platform. We encourage you to review this policy periodically.


14. Contact Us

For any questions regarding this GDPR Privacy Policy or your personal data:


Last updated: 19.04.2026