EXPLICIT CONSENT AND DISCLOSURE TEXT FOR PERSONAL DATA PROCESSING

Effective Date: 05.07.2025

Last Updated: 05.07.2025

1. SCOPE AND LEGAL BASIS
This text covers data processing activities that require explicit consent to benefit from digital platform services provided by Profylee ("Company").
1.1 Legal Compliance:
Turkey: KVKK Article 5/1
EU & United Kingdom: GDPR Article 6/1(a), 9/2(a)
USA: California CCPA/CPRA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA and other state regulations including nationwide data protection laws
Brazil: LGPD

2. CONSENTED DATA AND PROCESSING PURPOSES
Data processed with the user's explicit consent and their usage purposes are as follows:
2.1) Profile Photo
Processing Purpose: Enhancing CV visibility and inclusion in promotional content.
Special Status: Not considered "special category data" under GDPR Article 9, but optional.
2.2) Location & IP Data
Processing Purpose: Security auditing based on user's geographical region and creation of regional analysis statistics.
Special Status: Used anonymously; no direct identification is made.
2.3) Behavioral Data
Processing Purpose: AI-assisted job posting and candidate matching; improving user experience.
Special Status: Processed only through explicitly consented cookies in compliance with cookie policy.
2.4) Health Data
Processing Purpose: Providing appropriate content and accessibility experience for disabled candidates.
Special Status: Considered "special category data" under GDPR Art. 9 and KVKK Art. 6, requiring additional explicit consent.
2.5) Marketing and Communication Data
Processing Purpose: Sending campaigns, special offers, events, and informational messages.
Special Status: "Unsubscribe" link is mandatory in every email or SMS message.

Note: AI algorithms within Profylee are trained only with anonymized and ethically audited datasets. Automated decisions are never solely binding; human oversight is applied.

3. CONSENT DECLARATION AND ACCEPTANCES
You are expected to read and approve the following articles separately. Each will be evaluated independently and recorded in the system:
3.1 I accept that my personal data will be processed for the purposes described above.
(Ref. Article 2: Data Categories and Processing Purposes)
3.2 I accept that my data may be shared with US/EU-based subcontractors when necessary (e.g., AWS, Stripe, SendGrid).
(Ref. Article 6: Data Security and Subcontractors)
3.3 I accept that I can withdraw my explicit consent at any time, that my data will be deleted as a result, and that the details of this process have been explained to me.
(Ref. Article 4: Consent Withdrawal and Data Deletion)
3.4 If I am under 16 years old, I know and accept that my legal representative's consent is required and that no processing can be done without this condition being met.
(Ref. Article 5.1: Minor Users)
3.5 I accept that processing will be valid as of the date I give this consent.
(Consent start date will be recorded in the log)

4. CONSENT WITHDRAWAL AND DATA DELETION
4.1 Withdrawal Methods:
4.1.1 Online: Through Privacy Settings > My Consents tab in your account
4.1.2 Email: consent-withdrawal@profylee.com
4.1.3 Mail: By sending a signed petition to [Company Address]
4.2 Consequences
4.2.1 Processing will be stopped within 7 business days.
4.2.2 Data will be deleted/anonymized within 90 days (except legal obligations)

5. SPECIAL SITUATIONS
5.1 Minor Users
5.1.1 Parental/authorized representative permission is required for users under 16 years old.
5.1.2 Verification: ID/passport + parent-signed consent form (notarized if necessary)
5.2 Artificial Intelligence and Automated Decisions
5.2.1 AI matching is not 100% automatic. Human oversight is available.
5.2.2 Users can contact ai-review@profylee.com for inquiries about algorithmic results.

6. SUBCONTRACTORS AND LEGAL BASIS
6.1 Subcontractors and Shared Data
6.1.1 AWS (Amazon Web Services – USA)
Service: Server hosting (cloud hosting)
Data Sharing: Encrypted personal data
Legal Basis: SCC (Standard Contractual Clauses – GDPR Art. 46)
Additional technical and organizational security measures
6.1.2 Stripe (USA)
Service: Payment infrastructure and processing
Data Sharing: Tokenized credit card and payment information
Legal Basis: PCI-DSS compliant security infrastructure
Adequate level of protection under GDPR Art. 46
6.1.3 SendGrid (European Union)
Service: Email delivery and system notification infrastructure
Data Sharing: Email address and basic communication data
Legal Basis: GDPR compliant Data Processing Agreement (DPA)
6.2 Sharing Guarantee
6.2.1 Profylee does not sell any user data for commercial gain.
6.2.2 User data is not shared with advertising networks or third parties for user profiling purposes.
6.2.3 All transfers are carried out only in a functional and explicit consent-based manner.

NOTE: No personal data shared is sold for commercial purposes. User data is not transmitted to advertising networks and is not shared with third parties for profiling purposes.

7. RETENTION PERIODS
7.1 Retention Periods and Procedures
7.1.1 Behavioral Data
Retention Period: +6 months after user consent is withdrawn
Deletion Procedure: Permanently removed from the system with automatic deletion algorithm
7.1.2 Health Data
Retention Period: 1 year
Deletion Procedure: Manually deleted only with Data Protection Officer (DPO) approval.
7.1.3 Marketing Permissions
Retention Period: Valid as long as user subscription continues
Deletion Procedure: User can request deletion through the "unsubscribe" link in each message

8. OTHER MATTERS
8.1 Multilingual Support: Profylee Explicit Consent Text is provided in both Turkish and English.
8.2 Policy Updates: Changes to the policy will be announced by email at least 30 days in advance.