Privacy Notice
ANINDACV PRIVACY NOTICE
Document ID: kvkk
Version: 2.0.0
Effective date: [PUBLICATION DATE]
Website: https://anindacv.com
1. Purpose and Scope
This Privacy Notice has been prepared under the Turkish Personal Data Protection Law No. 6698 ("KVKK") to explain how your personal data is processed within AnındaCV.
This notice covers personal data processing activities related to online CV creation, editing CV information, choosing templates, adding a profile photo, creating and downloading PDF files, user accounts, support, payments, cookie preferences, security controls and optional artificial intelligence features.
This document is not an explicit consent text. Separate explicit consent texts are provided for optional processing activities that require explicit consent. Accessing or reading this Privacy Notice does not mean that you have given explicit consent.
2. Data Controller
The data controller responsible for your personal data within AnındaCV is:
METEHAN ARDA MUTLU
Website: https://anindacv.com
KVKK request and contact e-mail: destek@anindacv.com
You may submit your KVKK-related requests to destek@anindacv.com, preferably by using the e-mail address registered to your AnındaCV account. Additional information may be requested to verify that the request belongs to you and to process your request securely.
AnındaCV does not currently provide a separate phone line, registered electronic mail address (KEP) or in-account request form for KVKK requests. If an in-account request channel is added later, this notice may be updated.
3. Categories of Personal Data Processed
The following categories of personal data may be processed within AnındaCV:
3.1. Account and Identity Data
E-mail address, full name, Google account information if you sign in with Google, Google profile image, password hash, account creation records, login records and verification records.
3.2. CV and Content Data
Full name, e-mail address, phone number, address/location, education information, work experience, skills, foreign language information, references, career summary, profile photo, uploaded CV files, created or downloaded PDF records and other information related to CV content that you add to your CV.
3.3. AI Processing Data
Only if you use AI features and give the relevant explicit consent, uploaded CV files in PDF, DOC, DOCX, TXT, RTF, JPG or PNG format, CV content, parsing results, AI analysis, scoring, suggestions and text improvement outputs may be processed.
3.4. Payment and Transaction Data
Purchased package, payment provider, payment status, credit movements, credit usage information, refund status, order information, payment proof and transaction history.
3.5. Support and Communication Data
Name, e-mail address, subject, message, request status and support correspondence that you share through contact or support requests.
3.6. Security and Technical Data
IP hash, user-agent hash, session security records, abuse prevention records, verification records, error records, bot prevention records, rate limit records, security keys, request count, timestamp, temporary security records and other technical information related to system security.
3.7. Marketing and Preference Data
Newsletter subscription, commercial electronic communication consent or refusal record, consent date, consent source, consent version, cookie and similar technology preferences.
3.8. Legal Evidence Records
Accepted contract type and version, explicit consent type and version, text hash, transaction time, IP hash, user-agent hash and identity-reduced association records.
4. Purposes and Legal Grounds for Processing Personal Data
Your personal data is processed for the following purposes and based on the relevant legal grounds:
| Processing purpose | Data categories processed | Legal ground |
|---|---|---|
| Creating an account, signing in and managing the user account | Account and identity data, technical data | Establishment and performance of a contract |
| Creating, editing, saving and using CV templates | CV and content data | Performance of a contract |
| Creating and downloading PDF files | CV data, PDF records, credit movements | Performance of a contract |
| Purchasing paid credits and processing payments | Payment and transaction data | Performance of a contract, legal obligation, establishment, exercise or protection of a right |
| Maintaining the paid download experience | CV snapshot records, PDF download records | Performance of a contract, legitimate interest |
| Responding to support requests | Support and communication data | Performance of a contract, legitimate interest |
| Security, rate limiting, abuse prevention and protection of system integrity | Technical and security data | Legitimate interest, legal obligation |
| Proof of contracts, payments, consents and transactions | Legal evidence records | Legal obligation, establishment, exercise or protection of a right |
| AI-supported CV parsing, analysis, scoring, suggestions and text improvement | AI processing data | Explicit consent |
| Sending commercial electronic communications | Marketing data | Explicit consent / commercial electronic communication consent |
| Understanding site usage and performance through analytics technologies | Cookie, usage and preference data | Explicit consent |
| Browser-side error and performance monitoring | Error, performance and technical data | Explicit consent |
| Using the profile photo in CV templates and PDF output | Profile photo | Explicit consent or the user's clear preference |
5. Provision of the Service Through Infrastructure Connected to Abroad
AnındaCV is an online digital service provided through cloud infrastructure and service providers that may be located abroad or connected to abroad. Account creation, storage of CV information, PDF creation, e-mail delivery, security controls, rate limiting, payment processes, error monitoring, analytics and optional AI features may be carried out through such infrastructure and service providers.
For this reason, your personal data may be transferred to service providers located abroad or connected to abroad for the provision and technical operation of the service.
Cross-border transfer processes are evaluated under the transfer mechanisms set out in Article 9 of the KVKK. Depending on the relevant provider, applicable mechanisms such as adequacy decisions, appropriate safeguards, standard contractual clauses, undertakings, binding corporate rules or other relevant transfer mechanisms may be taken into account.
AnındaCV aims to limit transfers to service providers located abroad or connected to abroad to the data categories necessary for providing the service, to avoid unnecessary personal data transfers and to take into account, to the extent possible, the data processing and security terms of the service providers used.
Since AnındaCV's core infrastructure operates through service providers connected to abroad, if you request that processing through such infrastructure be completely stopped, it may not be possible to continue providing the account actively. In such a case, you may request the closure of your account and the deletion of active service data.
This section is not an explicit consent text. Separate explicit consent is obtained for optional activities that require explicit consent.
6. Recipient Groups and Service Providers to Whom Personal Data May Be Transferred
Your personal data may be transferred to the following recipient groups only to the extent limited to the relevant purpose:
| Recipient / provider | Purpose of use | Data categories that may be transferred | Status |
|---|---|---|---|
| Vercel | Hosting and running the web application | Technical data, request records, data required for application operation | Active |
| MongoDB | Data storage and database infrastructure | Account data, CV data, transaction records, legal evidence records | Active |
| Upstash Redis | Rate limiting, security controls, abuse prevention, temporary security records | IP hash, user-agent hash, rate limit key, request count, timestamp, session or user-related technical security records | Active |
| Resend | Transactional e-mails and system notifications | E-mail address, transactional notification content | Active |
| Google OAuth | Signing in with Google or linking a Google account | Google account information, e-mail address, full name, profile image | Active |
| Google Gemini | AI-supported CV parsing, analysis, scoring and text improvement | CV file, CV content, AI processing outputs | Active, only with AI consent |
| Google Analytics | Site usage and performance analysis | Cookie, device, usage and page interaction data | Only with analytics consent |
| Sentry | Browser-side error and performance monitoring | Error records, performance data, technical metadata | Only with error monitoring consent |
| Shopier | Processing payments | Order information, payment status, e-mail address and information required for payment | Active |
| Cloudflare Turnstile | Bot, spam and abuse prevention | Technical verification and security data | Active |
| Authorized public institutions and judicial authorities | Compliance with legal obligations | Data requested and required to be shared under applicable law | When necessary |
LemonSqueezy is not currently used as an active payment provider. If the active payment provider changes, this notice may be updated.
Google Gemini is currently used as the AI provider. According to Google's terms for Gemini API paid services, prompts, files and responses are stated not to be used to improve Google products. This statement depends on the provider's current terms.
If the AI service provider changes in the future or if a new provider such as OpenAI, DeepSeek or a similar provider is added, the relevant data processing and transfer activity through that provider will be communicated to users appropriately and, where necessary, this notice and the relevant explicit consent texts will be updated.
7. Method of Collecting Personal Data
Your personal data is collected electronically through the registration screen, Google sign-in, CV creation forms, file upload areas, profile photo upload, payment screen, support forms, cookie preference panel, account settings, security systems, rate limit systems, bot prevention systems and system transaction records.
8. Cookies and Similar Technologies
Mandatory technologies are used within AnındaCV for login, security, remembering preferences, bot prevention, rate limiting and operating the core site functions. These technologies are necessary for the secure and basic provision of the service.
Analytics and browser-side error/performance monitoring technologies only operate if you give consent. You can manage your analytics and error monitoring preferences through the cookie banner or preference panel shown when you first visit the site.
Currently, the following tools are used within optional categories:
- Google Analytics for analytics,
- Sentry for error and performance monitoring.
You can access detailed information about cookies and similar technologies through the Privacy and Cookie Policy.
9. AI-Supported Features
AnındaCV may provide AI-supported CV parsing, automatic form filling, analysis, scoring, suggestions and text improvement features. These features are not mandatory.
AI features operate only upon the user's request and with the relevant explicit consent. You can create, edit and download your CV manually without using AI.
AI results are only assistive and advisory. They do not guarantee employment, job suitability, success or absolute accuracy.
You are advised not to include special categories of personal data such as health information, religious belief, political opinion, union membership, criminal conviction or similar information in your CV files. Additional warnings and explicit consent text may be shown on AI analysis screens regarding this matter.
10. Retention of Personal Data
Your account and CV data are stored as long as your user account remains active.
Active service data belonging to inactive accounts that have not been used for a long time may be taken into the deletion process within 2 years from the date of the last login or last transaction. Limited records that must be retained for technical or legal reasons are stored with identity links reduced to the extent possible.
Rate limit, bot prevention and temporary security records are retained only for the period necessary to carry out security controls and prevent abuse.
If you delete your account, CV contents, CV assets, profile photo, uploaded files, support records, newsletter record and active service data linked to your account are deleted.
Payment records, contract acceptance records, explicit consent records, withdrawal exception acknowledgements, security records and legal evidence records may be retained for up to 10 years for the purposes of resolving disputes, complying with legal obligations and establishing, exercising or protecting rights.
After account deletion, these records may not be made completely anonymous. A limited link with the account may be preserved for legal evidence purposes. However, such records are stored in a masked, hashed or identity-reduced manner to the extent possible.
Limited records retained after account deletion are not kept for the purpose of continuing active account use. They are retained only for payment, contract, explicit consent, security, dispute and legal evidence processes.
11. Rights of the Data Subject
Under Article 11 of the KVKK, you have the following rights regarding your personal data:
- To learn whether your personal data is being processed,
- To request information if your personal data has been processed,
- To learn the purpose of processing and whether your personal data is used in accordance with that purpose,
- To know the third parties to whom your personal data has been transferred in Türkiye or abroad,
- To request correction if your personal data has been processed incompletely or incorrectly,
- To request deletion or destruction of your personal data under the conditions set out in the KVKK,
- To request that correction, deletion or destruction operations be notified to third parties to whom your personal data has been transferred,
- To object to any result against you that arises exclusively through analysis by automated systems,
- To request compensation if you suffer damage due to unlawful processing of your personal data.
12. Method of Application
You may submit your KVKK-related requests to destek@anindacv.com.
It is recommended that you send your requests from the e-mail address registered to your AnındaCV account, if possible. Additional verification information may be requested to confirm that the request belongs to you, to protect your account and to prevent unauthorized requests by third parties.
Applications are concluded as soon as possible and within the maximum period prescribed by applicable legislation, depending on the nature of the request.
13. Changes to This Notice
This KVKK Privacy Notice may be updated if AnındaCV's service structure, service providers used, personal data processing purposes, retention periods or cross-border transfer structure changes.
If there is a material change in a processing activity that requires explicit consent, new explicit consent may be obtained separately for the relevant activity.