Privacy Policy
Learn how we collect, use, and protect your personal information when you use our services.
Privacy Policy for TurboApplication
Last Updated: January 1, 2025
1. Introduction
Our Commitment to Your Privacy
TurboApplication (hereinafter referred to as "TurboApplication," "the Platform Operator," or "the Company") is profoundly committed to safeguarding the privacy and personal data of all users of its job application portal (the "Platform"). This commitment extends to ensuring compliance with all applicable data protection legislation, most notably the General Data Protection Regulation (EU) 2016/679 ("GDPR"). The trust of users is fundamental to the success of a platform designed to manage sensitive career and recruitment-related information, and this Privacy Policy ("Policy") is a testament to that foundational principle. This document aims to provide a transparent and comprehensive explanation of how personal data is collected, utilized, shared, retained, and protected. It is more than a regulatory obligation; it is a statement of the Platform Operator's dedication to ethical data stewardship.
About This Privacy Policy (Scope, Applicability)
This Policy outlines the data processing practices of TurboApplication concerning all individuals who interact with the Platform. This includes, but is not limited to:
- Job Candidates (individuals creating personal accounts to seek employment opportunities).
- Companies/Employers (organizations creating team accounts to post job vacancies and find suitable candidates).
- Team Members (employees or authorized representatives of Companies/Employers who use the Platform on behalf of their organization).
- Visitors to the TurboApplication website, even if they do not register for an account.
The scope of this Policy encompasses personal data collected through the TurboApplication website, the core Platform services, and any associated communications or interactions. It is designed to inform users about their rights and the Platform Operator's responsibilities, fostering a transparent environment for all data processing activities.
2. Who We Are & How to Contact Us (Data Controller)
Data Controller Details
The entity responsible for the processing of personal data described in this Policy (the "Data Controller" under GDPR) is:
- Company Name: TurboApplication
- Contact Email for Privacy Queries: For any questions, concerns, or requests related to this Privacy Policy or the processing of personal data, please contact: info@turboapplication.com.
- Business Address: Turin, Italy (Full address will be updated upon completion of company registration process)
Data Protection Officer (DPO) / Data Protection Contact
A formal Data Protection Officer (DPO) has not yet been designated. The Platform Operator is currently assessing the requirements for DPO appointment under Article 37 of the GDPR, based on the nature, scope, and scale of its data processing activities. This assessment is ongoing, particularly as the Platform moves from its test phase towards broader operation.
In the interim, and for all inquiries concerning data protection and privacy, individuals are directed to use the contact email address provided above: info@turboapplication.com. This ensures a dedicated channel for privacy-related communication, even before a formal DPO is appointed, reflecting an understanding of and commitment to addressing GDPR obligations. The decision regarding DPO appointment will be revisited as the Platform's user base and processing activities evolve.
3. What Personal Data We Collect and Why
General Principles
TurboApplication adheres to core GDPR principles in its collection and processing of personal data. Specifically:
- Data Minimization (Article 5(1)(c) GDPR): Only personal data that is adequate, relevant, and limited to what is necessary for the clearly defined purposes of processing is collected.
- Purpose Limitation (Article 5(1)(b) GDPR): Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data from Job Candidates
Job Candidates are individuals who register on the Platform to search for and apply to job opportunities.
- Types of Data Collected:
  - Identity & Contact Data: This includes the Job Candidate's full name, email address, and phone number.
  - Professional & Application Data: This category is central to the Platform's function and includes CV/Resume files and all content within them (such as employment history, educational background, skills, qualifications, references, and any photographs if voluntarily included by the candidate). It also encompasses responses to job application questions and answers to pre-screening questions set by Companies/Employers.
  - Account Data: Username and securely hashed passwords for accessing the Platform.
  - Platform Usage Data: Information related to application tracking, such as the status of applications submitted, jobs saved, and interactions with job postings.
  - Communication Preferences: Choices made by the Job Candidate regarding receiving marketing communications or other optional notifications.
- Purpose of Collection & Use:
  - To enable the creation and ongoing management of the Job Candidate's account.
  - To facilitate the search for and application to job vacancies listed by Companies/Employers.
  - To transmit the Job Candidate's application materials (including CV/Resume) to Companies/Employers for roles they specifically apply to.
  - To allow Companies/Employers to evaluate the Job Candidate's suitability for specific roles.
  - To provide tools for tracking the progress and status of job applications.
  - To communicate essential information regarding the Job Candidate's account, applications, Platform updates, and security alerts.
  - Subject to explicit consent, to send marketing communications about new features, services, or relevant career content.
- Legal Basis for Processing (Article 6 GDPR):
  - Performance of a Contract: The primary legal basis for processing most Job Candidate data is the necessity to perform the service agreement established when a candidate creates an account and uses the Platform to apply for jobs. This includes processing applications and making CVs available to employers selected by the candidate.
  - Consent: For any optional data provided by the Job Candidate, for specific data sharing features that may be introduced (e.g., a CV database searchable by employers beyond direct applications, if implemented and consented to), and for direct marketing communications.
  - Legitimate Interests: For purposes such as improving Platform functionality, conducting internal analytics (with data anonymized or aggregated where feasible to protect privacy), and ensuring Platform security.
Data from Companies/Employers (Team Accounts)
Companies/Employers are organizations that use the Platform to advertise job openings and manage their recruitment processes.
- Types of Data Collected:
  - Company Information: The official name of the company or organization, and general business information such as industry, size, and location.
  - Contact Person Details: Name, email address, and phone number of the primary administrative contact for the company account, as well as similar details for other authorized team members.
  - Recruitment Data: Content of job postings and detailed job descriptions, screening questions created by the company for their vacancies, internal notes and decisions related to the hiring process for specific candidates.
  - Team Management Data: Information concerning team members added by the Company/Employer to their account, including their roles and access permissions (see section below for Team Member data).
  - Account & Billing Information: Account login credentials for company representatives. Billing information such as payment details and transaction history will be collected when payment processing is implemented.
- Purpose of Collection & Use:
  - To facilitate the creation and ongoing management of the Company/Employer account.
  - To enable the posting of job vacancies and the management of applications received through the Platform.
  - To facilitate communication between the Company/Employer and Job Candidates.
  - To allow for the management of access permissions and roles for different team members within the Company/Employer account.
  - To process payments for Platform services (once payment features are active).
  - To communicate essential information regarding the Company/Employer's account, available services, Platform updates, and security alerts.
- Legal Basis for Processing (Article 6 GDPR):
  - Performance of a Contract: The primary legal basis is the necessity to perform the service agreement with the Company/Employer, enabling them to use the Platform for recruitment.
  - Legitimate Interests: For managing the business relationship, enhancing Platform services, ensuring security, preventing fraudulent activities, and for operational analytics.
  - Legal Obligation: For processing related to billing, invoicing, and tax compliance, once payment functionalities are implemented.
Data from Team Members (employees of Companies/Employers)
Team Members are individuals authorized by a Company/Employer to use the Platform on their behalf.
- Types of Data Collected: Full name, business email address, their designated role within the company (as assigned by the Company/Employer's account administrator), specific access permissions granted on the Platform, activity logs detailing their actions on the Platform (for audit and security purposes), and collaborative data such as internal notes or comments on candidates shared within their hiring team.
- Purpose of Collection & Use:
  - To enable access to and utilization of Platform features relevant to their assigned role in the recruitment process.
  - To log actions for security monitoring, system auditing, and maintaining data integrity.
  - To facilitate effective collaboration among members of the hiring team within the Company/Employer's account.
- Legal Basis for Processing (Article 6 GDPR):
  - Legitimate Interests: The processing is based on the legitimate interests pursued by the Team Member's Employer (the Company/Employer account holder) to effectively manage their recruitment activities using the Platform. It is also based on TurboApplication's legitimate interest in providing the contracted services to the Company/Employer.
Data from Platform Administrators
Personnel designated as Platform Administrators by TurboApplication will have access to personal data stored on the Platform. This access is strictly limited to what is necessary for purposes such as Platform maintenance, providing user support, ensuring system security, troubleshooting issues, and fulfilling contractual service obligations. The legal basis for this processing is the legitimate interest of TurboApplication in operating, securing, and improving the Platform, and fulfilling its service commitments to users.
Special Categories of Personal Data (Article 9 GDPR)
CVs/Resumes and other job application materials submitted by Job Candidates may, in some instances, voluntarily include "special categories of personal data" as defined by GDPR Article 9. This could include, for example, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, or data concerning a natural person's sex life or sexual orientation.
TurboApplication does not actively request, require, or encourage the submission of such special category data. However, if a Job Candidate voluntarily includes such information within their CV, resume, cover letter, or application responses, and submits these documents via the Platform to apply for a specific job, this data will be processed as part of the application.
In such cases, the processing of this special category data (e.g., making it visible to the Company/Employer to whom the Candidate applies) is based on the Job Candidate's explicit consent. This explicit consent is understood to be given when the candidate, of their own volition, includes such sensitive information in documents clearly intended for job applications and then actively submits these documents through the Platform for consideration for a specific role or by a specific employer. Job Candidates are strongly advised not to include any special category personal data in their application materials unless they are entirely comfortable with this information being processed for the specific purpose of that job application and seen by the prospective employer. The platform's design does not inherently require such data, and its inclusion is solely at the candidate's discretion. This approach ensures that the candidate is in control of disclosing such sensitive information and that a clear affirmative action (submission of the application) signifies their consent for that specific context.
Automatically Collected Data (Technical Data)
When any user visits or interacts with the TurboApplication Platform, certain technical information may be automatically collected from their device.
- Types of Data Collected: This typically includes the device's Internet Protocol (IP) address, browser type and version, operating system and platform, device identifier (if applicable), time zone setting and location (if enabled), and information about the user's interaction with the Platform. This interaction data can include the full Uniform Resource Locator (URL) clickstream to, through, and from the Platform (including date and time), pages viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
- Purpose of Collection & Use: This data is collected to ensure the proper technical functioning and security of the Platform, to protect against fraudulent or malicious activity, and for analytical purposes. Analytics help in understanding how users interact with the Platform, which in turn informs improvements to its design, functionality, and overall user experience.
- Legal Basis for Processing (Article 6 GDPR): The primary legal basis for processing this technical data is Legitimate Interests. These interests include operating and maintaining a secure and functional platform, preventing abuse, and improving the services offered. For cookies and similar tracking technologies used for analytics that are not strictly necessary, Consent will be obtained where required by applicable law (e.g., ePrivacy Directive), as detailed in Section 11 of this Policy.
Summary of Personal Data Processing
To enhance transparency and provide a clear overview, the following table summarizes the main categories of personal data processed by TurboApplication:
| User Type | Category of Personal Data | Specific Data Examples | Purpose(s) of Processing | Primary Legal Basis (GDPR Art. 6; Art. 9 if applicable) |
|---|---|---|---|---|
| Job Candidate | Identity & Contact | Full name, email, phone number | Account creation, communication, application submission | Performance of Contract |
| Job Candidate | Professional & Application | CV/Resume content, application responses, pre-screening answers | Job application, employer assessment, skills matching | Performance of Contract; Explicit Consent (for any special category data voluntarily included in CV/application for that specific application) |
| Job Candidate | Account Data | Username, hashed password | Secure platform access | Performance of Contract |
| Job Candidate | Platform Usage | Application tracking | Service provision, user experience | Performance of Contract; Legitimate Interests |
| Job Candidate | Communication Preferences | Opt-in/out choices | Marketing (if consented), service updates | Consent (marketing); Performance of Contract (service updates) |
| Company / Employer | Company Information | Company name, business details | Account creation, service provision | Performance of Contract |
| Company / Employer | Contact Person Details | Name, email, phone of representatives | Account management, communication | Performance of Contract |
| Company / Employer | Recruitment Data | Job postings, screening questions, hiring notes | Facilitating recruitment process | Performance of Contract |
| Company / Employer | Team Management | Team member details (name, email, role) | Enabling collaborative platform use | Legitimate Interests (of employer) |
| Company / Employer | Account & Billing (Future) | Login credentials, payment info | Secure access, payment processing | Performance of Contract; Legal Obligation (financial records) |
| Team Member | Identity & Role | Name, email, role in company | Platform access, collaboration | Legitimate Interests (of employer and TurboApplication) |
| Team Member | Access & Activity | Permissions, activity logs | Security, audit, service provision | Legitimate Interests |
| All Users | Technical Data | IP address, browser type, device info, usage patterns | Platform operation, security, analytics, service improvement | Legitimate Interests; Consent (for non-essential cookies) |
This table provides a structured overview, aiding users in understanding the data processing activities relevant to them. It reflects a commitment to clarity, which is a cornerstone of GDPR compliance.
4. How We Use Artificial Intelligence (AI)
AI Technology Used
TurboApplication utilizes advanced Artificial Intelligence (AI) technologies, specifically Large Language Models (LLMs), from reputable third-party providers such as OpenAI and Google Vertex AI. These technologies are integrated into the Platform to enhance its functionality and provide sophisticated features to users.
Purpose of AI Processing
The integration of AI serves several key purposes within the recruitment workflow:
- CV Analysis and Content Extraction: LLMs are employed to parse Curriculum Vitae (CVs) and Resumes uploaded by Job Candidates. This process involves automatically identifying and extracting pertinent information such as skills, work experience, educational qualifications, and contact details. This facilitates a more structured and efficient review process for Companies/Employers.
- Candidate Matching: AI algorithms analyze the extracted information from CVs, alongside the content of job descriptions provided by Companies/Employers and any application responses from Job Candidates. Based on this analysis, the AI assists Companies/Employers by suggesting candidates whose profiles appear to align with the requirements of specific job postings. This is intended to streamline the initial screening phase.
- Potential Future Uses: The Platform Operator may explore further AI applications, such as assisting Companies/Employers in drafting or refining job descriptions for clarity and effectiveness, or providing insights into talent market trends (using aggregated and anonymized data). Any such new uses involving personal data will be assessed for their privacy implications and this Policy updated accordingly.
Data Processed by AI
The personal data subjected to AI processing primarily includes:
- The full textual content of CV/Resume files submitted by Job Candidates.
- The content of job descriptions and requirements posted by Companies/Employers.
- The content of responses provided by Job Candidates to application-specific questions.
TurboApplication is committed to the principle of data minimization in its AI processing. Steps are taken to ensure that only data reasonably necessary for the specific AI task (e.g., CV parsing, matching against a job description) is submitted to the AI service providers.
Automated Decision-Making (GDPR Article 22)
The use of AI for candidate matching and suggestion may involve profiling, where an individual's characteristics (derived from their CV and application data) are analyzed to predict their suitability for a role. In certain contexts, the outcomes of such AI processing could contribute to decisions that have a significant effect on Job Candidates, for instance, influencing whether they are shortlisted for further consideration by an employer. This necessitates careful consideration of GDPR Article 22, which pertains to automated individual decision-making, including profiling.
- Human Oversight – A Critical Safeguard: A cornerstone of TurboApplication's approach to AI is the principle of human oversight. All final hiring decisions are made by humans – specifically, the representatives of the Companies/Employers using the Platform. The AI tools are designed as assistive technologies to augment and support human judgment, not to replace it entirely. Companies/Employers are responsible for independently reviewing any AI-generated suggestions or scores and making their own informed assessments of candidates. This human intervention is a key safeguard against potentially erroneous or unfair automated outcomes.
- Explanation of Logic Involved (High-Level): The AI models employed by TurboApplication analyze the textual data from a candidate's CV and application materials, comparing it against the requirements, skills, and keywords present in a specific job description. Through complex pattern recognition and semantic understanding, the models identify alignments and discrepancies, which may result in a relevance score, a ranking, or a qualitative suggestion provided to the Company/Employer. The aim is to highlight potential matches based on the provided data.
- Significance and Envisaged Consequences: The AI-assisted matching feature may influence which candidate profiles are prioritized for review by a human recruiter or hiring manager. While the goal is to improve the efficiency and accuracy of identifying relevant candidates, thereby benefiting both candidates (by surfacing relevant opportunities) and employers (by focusing their attention), it is acknowledged that the AI's output is a tool, and the ultimate decision-making power and responsibility remain with the human user.
- Safeguards Implemented: In addition to the paramount safeguard of human oversight in all final decisions, TurboApplication implements further measures concerning its AI usage:
  - Commitment to Human Review: Reinforcing that AI outputs are advisory and subject to human verification.
  - Monitoring for Bias: Ongoing efforts to monitor the performance of AI models to identify and mitigate potential biases that could lead to unfair or discriminatory outcomes (further addressed in Section 15 regarding Employment Law Considerations).
  - Transparency: Providing clear information about the use of AI in this Privacy Policy.
  - Data Subject Rights: Ensuring Job Candidates can exercise their rights in relation to automated processing, as detailed in Section 9.
Your Rights in Relation to Automated Decision-Making
Under GDPR Article 22, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless certain conditions are met (e.g., explicit consent, necessary for a contract, authorized by Union or Member State law with suitable safeguards).
While TurboApplication's current implementation emphasizes meaningful human oversight in final hiring decisions, thereby aiming to avoid solely automated decisions with such significant effects, the Platform Operator is fully committed to upholding the spirit and requirements of Article 22. Job Candidates have the right to:
- Obtain human intervention on the part of the controller (in this case, typically the Company/Employer making the hiring decision, facilitated by TurboApplication where appropriate).
- Express their point of view regarding a decision influenced by automated means.
- Contest such a decision.
Instructions on how to exercise these and other data protection rights are provided in Section 9 of this Policy. The use of AI in recruitment is an evolving area, and TurboApplication is committed to responsible innovation, ensuring that technological advancements are deployed in a manner that respects individual rights and promotes fairness. The transparency provided in this section is intended to empower users with knowledge about how these technologies operate and how their data is used, which is critical in a high-stakes domain like employment.
5. Legal Basis for Processing Personal Data
Summary of Legal Bases Used
TurboApplication only collects and processes personal data when there is a lawful basis to do so under the GDPR. The specific legal basis relied upon depends on the type of personal data being processed and the context of that processing. The primary legal bases include:
- Performance of a Contract (Article 6(1)(b) GDPR): This basis is used when the processing of personal data is necessary for the performance of a contract to which the data subject (e.g., Job Candidate or Company/Employer representative) is a party, or to take steps at the request of the data subject prior to entering into such a contract. This is the predominant legal basis for providing the core services of the TurboApplication Platform, such as enabling account creation, job applications, and job postings.
- Legitimate Interests (Article 6(1)(f) GDPR): Processing is permissible if it is necessary for the legitimate interests pursued by TurboApplication or by a third party (such as a Company/Employer using the platform for recruitment), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. When relying on legitimate interests, TurboApplication conducts a balancing test to ensure that the rights of individuals are not unduly impacted.
- Consent (Article 6(1)(a) GDPR; Article 9(2)(a) GDPR for special categories): This basis is used where the data subject has given explicit consent for their personal data to be processed for one or more specific purposes. Examples include consent for receiving direct marketing communications, consent for the use of certain non-essential cookies, or, crucially, explicit consent from a Job Candidate for the processing of any special category data they voluntarily include in their CV or application materials when applying for a specific job.
- Legal Obligation (Article 6(1)(c) GDPR): This basis applies when the processing of personal data is necessary for compliance with a legal obligation to which TurboApplication is subject. This may include, for example, obligations related to financial record-keeping (once billing is implemented), tax laws, or responding to lawful requests from public authorities.
The selection of an appropriate legal basis is a critical aspect of GDPR compliance. TurboApplication has undertaken an internal assessment to map its data processing activities to these lawful bases, ensuring that each processing operation is justified and documented.
Further Details on Legitimate Interests
When TurboApplication relies on legitimate interests as a legal basis for processing personal data, these interests are carefully considered and balanced against the potential impact on the data subject. Examples of legitimate interests pursued by TurboApplication include:
- Operating, Maintaining, and Improving the Platform: Ensuring the smooth functioning of the TurboApplication Platform, developing new features, enhancing existing services, and improving the overall user experience.
- Ensuring Platform Security: Protecting the Platform, its users, and their data from unauthorized access, fraud, cyber threats, and other malicious activities.
- Service-Related Communications: Communicating with users about important service updates, security alerts, changes to terms or policies, and providing necessary customer support.
- Understanding Platform Usage: Analyzing how users interact with the Platform (often using aggregated or anonymized data) to identify trends, measure effectiveness of features, and inform business strategy and service improvements.
- Facilitating Recruitment for Companies/Employers: Enabling Companies/Employers to efficiently manage their recruitment pipelines, identify suitable candidates, and fill vacant positions.
- Enabling Team Member Participation: Allowing Team Members of Companies/Employers to access and use the Platform to fulfill their roles in their organization's recruitment process.
Before processing personal data based on legitimate interests, TurboApplication undertakes a Legitimate Interests Assessment (LIA) to ensure that the processing is necessary for the stated purpose and that the interests pursued are not overridden by the rights and freedoms of the individuals whose data is being processed. This internal due diligence is fundamental to responsibly relying on this legal basis.
6. Data Sharing and Disclosure (Recipients of Personal Data)
TurboApplication may share personal data with various parties under specific circumstances and for defined purposes, always in accordance with applicable data protection laws.
Sharing with Companies/Employers
When a Job Candidate actively applies for a specific job vacancy posted on the TurboApplication Platform, their personal data, including their CV/Resume, application responses, and contact information, will be shared directly with the Company/Employer (or their designated Team Members) that posted that particular job. Upon receiving this data, the Company/Employer becomes a separate and independent data controller for that personal data. They will process it for their own recruitment purposes, in accordance with their own privacy policies and applicable employment laws. Job Candidates are advised to review the privacy policies of any Company/Employer to whom they submit an application. TurboApplication acts as a conduit in this scenario, facilitating the connection based on the candidate's explicit action of applying.
Internal Access
Access to personal data within TurboApplication's internal systems is strictly limited on a need-to-know basis. Authorized Platform administrators and other designated personnel (e.g., technical support, security teams) may access personal data only to the extent necessary for operational requirements, such as providing user support, performing system maintenance and upgrades, ensuring the security of the Platform, troubleshooting technical issues, or fulfilling contractual obligations. All such personnel are subject to confidentiality obligations.
Third-Party Service Providers (Data Processors)
TurboApplication engages a number of trusted third-party service providers to perform various functions and provide specialized services necessary for the operation and enhancement of the Platform. These providers act as data processors on behalf of TurboApplication and are only granted access to personal data to the extent required to perform the tasks for which they have been engaged. TurboApplication ensures that all such engagements are governed by legally binding contractual agreements, specifically Data Processing Agreements (DPAs), which obligate the processors to protect the personal data, process it only in accordance with TurboApplication's instructions, and not to disclose or use it for any other purpose. This contractual framework is a key element in maintaining accountability for data processed by third parties.
Key categories of third-party service providers include:
- Database Hosting and Authentication: Supabase is utilized for primary database hosting and authentication services. The Supabase instances used by TurboApplication are hosted within the European Union to support EU data residency commitments.
- AI Processing Services: OpenAI and Google Vertex AI are used for AI-powered features such as CV analysis and candidate matching. Contractual agreements, including robust data protection clauses, are in place with these providers. The international transfer implications of using these services are detailed in Section 7.
- Payment Processing (Future): Stripe will be engaged for secure payment processing services once billing functionalities are implemented on the Platform.
- Website and Platform Analytics: Google Analytics 4 (GA4) is used to gather analytics on website and Platform usage to help improve services. The use of such analytics tools, particularly those involving cookies, is further detailed in Section 11.
- Other Potential Services: As the Platform evolves, other services such as email delivery providers, customer support platforms, or security service providers may be engaged. Any such new providers handling personal data will be subject to the same due diligence and contractual requirements.
Legal Obligations and Law Enforcement
TurboApplication may be required to disclose personal data if compelled to do so by law, court order, or other legally binding request from a competent public authority or law enforcement agency. Disclosure may also occur if TurboApplication, in good faith, believes such action is necessary to: (a) Comply with a legal obligation or judicial proceeding. (b) Protect and defend the rights, property, or safety of TurboApplication, its users, or the public. (c) Prevent, detect, or investigate possible wrongdoing, fraud, or security incidents in connection with the Platform. (d) Protect against legal liability. Any such disclosure will be made only to the extent legally required or permitted.
Business Transfers
In the event that TurboApplication undergoes a business transition, such as a merger, acquisition by another company, bankruptcy, dissolution, reorganization, sale of all or a portion of its assets, financing, or similar transaction or proceeding, personal data held by TurboApplication may be among the assets transferred. In such circumstances, the data would be transferred subject to appropriate confidentiality arrangements. The acquiring entity would be expected to uphold the commitments made in this Privacy Policy or provide users with clear notice of any material changes to how their personal data will be handled, along with any necessary choices (such as consent, if required by law).
The careful selection and management of third-party vendors, particularly those processing significant amounts of personal data or sensitive data (like AI providers), is a critical responsibility. The existence of DPAs and ongoing due diligence are fundamental to ensuring that these third parties meet GDPR standards.
7. International Data Transfers
Data Residency
TurboApplication's primary technical infrastructure, including its main database hosted via Supabase, is located within the European Union (EU) / European Economic Area (EEA). The core data processing activities related to the Platform's operation are designed to take place within this region, aligning with the commitment to EU data residency.
Transfers to Third Countries
Despite the primary EU hosting, the utilization of certain specialized third-party services, most notably for AI processing (such as OpenAI and Google Vertex AI, which are U.S.-based companies) and potentially for other global services in the future (e.g., certain analytics or communication tools), may involve the transfer of personal data to countries outside of the EU/EEA. This includes transfers to the United States of America. It is important for users to understand that countries outside the EU/EEA may not have data protection laws that are considered equivalent to those within the EU/EEA, meaning they may not offer the same level of protection for personal data.
This acknowledgment is critical because the initial information suggested "No International Transfers," which is often difficult to maintain when using global SaaS providers, especially those headquartered in the U.S. Transparency about actual data flows, even if they involve transfers, is paramount under GDPR.
Safeguards for International Transfers
When personal data is transferred from the EU/EEA to a country outside this region that has not been deemed by the European Commission to provide an adequate level of data protection (an "adequacy decision"), TurboApplication will ensure that appropriate safeguards are implemented to protect that data in accordance with GDPR requirements (Chapter V). These safeguards are designed to provide a level of data protection comparable to that within the EU/EEA and may include one or more of the following mechanisms:
- Standard Contractual Clauses (SCCs): Implementing SCCs that have been approved by the European Commission with the data importer (the third-party service provider located outside the EU/EEA). SCCs contain contractual obligations on both the data exporter (TurboApplication) and the data importer to protect personal data. This is the typical approach for engaging with U.S.-based service providers like OpenAI and Google Vertex AI. These clauses require supplementary measures to be considered in light of the ruling in the Schrems II case by the Court of Justice of the European Union, including a transfer impact assessment.
- Adequacy Decisions: Relying on an adequacy decision adopted by the European Commission, which confirms that a specific third country, territory, sector within a third country, or international organization ensures an adequate level of data protection. If such a decision applies to the recipient's location, data can be transferred without requiring additional specific authorizations.
- Binding Corporate Rules (BCRs): For intra-group transfers within multinational companies, approved BCRs can provide a valid basis for transfers. This might be relevant if a service provider has adopted such rules.
- EU-U.S. Data Privacy Framework (DPF) and Successors: For transfers to U.S. companies, TurboApplication will assess the applicability and adequacy of frameworks like the EU-U.S. DPF (if the provider is certified under it and the framework remains a valid transfer mechanism recognized by the EU). This landscape is subject to change, and TurboApplication will monitor developments.
In addition to these formal transfer mechanisms, TurboApplication conducts due diligence on its third-party service providers to assess their data protection practices and their ability to provide an adequate level of security and confidentiality for the personal data they process on its behalf. This includes reviewing their security certifications, data processing agreements, and policies regarding government access requests.
The accurate representation of international data transfers and the safeguards employed is a significant compliance point under GDPR and an area of increasing scrutiny by data protection authorities. TurboApplication must ensure that its contractual arrangements with non-EU/EEA service providers, particularly AI vendors, incorporate valid transfer mechanisms and that transfer impact assessments are conducted and documented where necessary. This commitment to managing international transfers responsibly is crucial for maintaining user trust.
8. Data Retention: How Long We Keep Your Personal Data
Our Data Retention Principles
TurboApplication will retain personal data only for as long as it is necessary to fulfill the specific purposes for which it was collected. This includes retention to satisfy any legal, accounting, or reporting requirements, and for the establishment, exercise, or defense of legal claims. The determination of appropriate retention periods for different categories of personal data is based on several factors:
- The nature, sensitivity, and volume of the personal data.
- The purpose(s) for which the data is processed.
- The legitimate business needs of TurboApplication.
- Applicable statutory or regulatory retention obligations (e.g., for financial records, employment-related data in some jurisdictions).
- The potential risk of harm from unauthorized use or disclosure.
Adherence to the principle of storage limitation (Article 5(1)(e) GDPR) is a key commitment. This means that data is not kept indefinitely by default.
Specific Retention Periods
TurboApplication is in the process of formalizing and implementing a detailed data retention schedule across all categories of personal data it processes. The following outlines the current approach to retention periods, which will be subject to ongoing review and refinement to ensure compliance and appropriateness:
- Job Candidate Data:
  - Active Accounts & Associated Application Data: Personal data associated with an active Job Candidate account (including profile information, CVs/Resumes, and application history) will be retained as long as the account remains active. If an account becomes inactive (e.g., no logins or application activity for a defined period), the data may be retained for a further period of 18 months after the last activity. This allows candidates to easily reactivate their profiles or access past application information and enables employers to access historical applications for roles they managed. This period balances platform utility with data minimization principles.
  - CVs/Resumes: These are treated as integral parts of a Job Candidate's profile and application data and are subject to the same retention rules. If a candidate deletes their account or a specific application, the associated CV/Resume will be removed from active systems according to the deletion processes.
- Company/Employer Data:
  - Active Accounts & Associated Recruitment Data: Information related to an active Company/Employer account (including company profile, contact details of representatives, job postings, and notes on candidates specific to their recruitment activities) will be retained as long as the account is active and for a period thereafter as required for contractual close-out and potential legal or financial record-keeping. For instance, data relevant to service agreements and billing might be kept for up to 6 years after contract termination, aligning with common statutory limitation periods for contractual claims or financial audits.
  - Archived Job Postings: Job postings created by a Company/Employer may be archived and retained for a period of 18 months for their historical reference, unless they choose to delete them earlier via platform functionalities.
- Team Member Data (of Companies/Employers):
  - Data specifically identifying a Team Member (e.g., their login credentials, profile) will be retained as long as the parent Company/Employer account is active and that Team Member remains an authorized user. If a Team Member is removed by their employer or if the Company/Employer account is terminated, their direct account data will be deleted or anonymized. However, activity logs or contributions made by that Team Member (e.g., notes on a candidate) may be retained as part of the Company/Employer's overall recruitment record for the periods applicable to Company/Employer data.
- Financial/Billing Data (Future Implementation):
  - Once payment processing is implemented, financial records, invoices, and transaction data will be retained for periods mandated by applicable tax and company laws, typically 6 to 7 years.
- Technical Log Data and Analytics Data:
  - Server logs, security logs, and other technical operational logs are typically retained for shorter periods necessary for security, troubleshooting, and system integrity, namely 12 months.
  - Analytics data, such as that collected by Google Analytics 4 (GA4), is subject to configurable retention settings within the analytics platform. TurboApplication will aim for periods of 26 months for user-level and event-level data, after which it may be aggregated or anonymized.
- Communication Records:
  - Records of communications with users (e.g., support requests, feedback submissions) may be retained for a period of 3 years after the query is resolved, to manage ongoing inquiries, for quality assurance, and for service improvement purposes.
Account Deletion and Data Erasure
Upon a verified request from a user for account deletion, or when personal data is no longer deemed necessary for the purposes for which it was collected and no overriding legal or legitimate reason for its continued retention exists, TurboApplication will take steps to securely delete or irreversibly anonymize the relevant personal data from its active production systems. It is important to note that some data may persist in backup archives for a limited, defined period. These backups are isolated from further processing and are overwritten in accordance with a defined backup rotation schedule. Anonymized data, which no longer identifies an individual, may be retained for longer periods for statistical analysis, research, or platform improvement purposes.
The establishment and enforcement of a clear data retention schedule is a critical component of GDPR compliance. TurboApplication is committed to implementing technical and procedural measures to ensure these retention periods are adhered to, thereby respecting the principle of storage limitation.
The following table provides a high-level summary of intended retention approaches:
| Category of Personal Data | Retention Period | Justification / Primary Reason |
|---|---|---|
| Job Candidate Account Data (Active) | Duration of active account | Platform functionality, service provision |
| Job Candidate Account Data (Inactive) & Application History | Active + 18 months post-last activity | User convenience, platform utility, potential re-engagement |
| Company/Employer Account Data (Active) | Duration of active contract/account | Service provision, contractual obligations |
| Company/Employer Account Data (Post-Termination) | Up to 6 years post-contract end | Legal/financial record-keeping, contractual claims |
| Financial Records (Future) | 6-7 years (or as per local law) | Legal obligation (tax, accounting) |
| AI Model Training Data (if distinct and retained) | As long as necessary for model efficacy, subject to minimization and anonymization where feasible | Legitimate interest (service improvement); Consent if based on identifiable data not otherwise processed |
| Server Logs / Security Logs | 12 months | Security, troubleshooting, system integrity |
| Analytics Data (e.g., GA4 user-level) | 26 months | Legitimate interest (platform improvement); Consent |
This table serves as a guide and specific retention periods will be finalized in TurboApplication's internal data retention policy.
9. Your Data Protection Rights (Under GDPR)
As a data subject whose personal data is processed by TurboApplication, individuals located within the European Union or otherwise covered by the GDPR have specific, legally enshrined rights concerning their personal data. TurboApplication is fully committed to facilitating the exercise of these rights. These rights include:
- The Right of Access (Article 15 GDPR): Individuals have the right to request and obtain confirmation from TurboApplication as to whether or not personal data concerning them is being processed. If so, they have the right to access that personal data and receive supplementary information, including: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data has been or will be disclosed (especially recipients in third countries); the envisaged retention period for the personal data; and information about their other rights.
- The Right to Rectification (Article 16 GDPR): Individuals have the right to obtain from TurboApplication, without undue delay, the rectification of any inaccurate personal data concerning them. Taking into account the purposes of the processing, they also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- The Right to Erasure ('Right to be Forgotten') (Article 17 GDPR): Individuals have the right to obtain the erasure of their personal data without undue delay under certain specific conditions. These conditions include situations where: the personal data is no longer necessary in relation to the purposes for which it was collected; the individual withdraws consent on which the processing is based and there is no other legal ground for the processing; the individual objects to the processing and there are no overriding legitimate grounds for the processing (or they object to processing for direct marketing); the personal data has been unlawfully processed; or the personal data has to be erased for compliance with a legal obligation.
- The Right to Restrict Processing (Article 18 GDPR): Individuals have the right to obtain restriction of processing of their personal data under certain circumstances. These include: when the accuracy of the personal data is contested by the individual (for a period enabling TurboApplication to verify accuracy); the processing is unlawful and the individual opposes erasure and requests restriction instead; TurboApplication no longer needs the personal data for the purposes of processing, but it is required by the individual for the establishment, exercise, or defense of legal claims; or the individual has objected to processing pending verification of whether TurboApplication's legitimate grounds override theirs.
- The Right to Data Portability (Article 20 GDPR): Where the processing is based on consent or on a contract, and the processing is carried out by automated means, individuals have the right to receive the personal data concerning them, which they have provided to TurboApplication, in a structured, commonly used, and machine-readable format. They also have the right to transmit that data to another data controller without hindrance from TurboApplication.
- The Right to Object to Processing (Article 21 GDPR): Individuals have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on legitimate interests (Article 6(1)(f) GDPR). TurboApplication shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the individual, or for the establishment, exercise, or defense of legal claims. Where personal data is processed for direct marketing purposes, individuals have the absolute right to object to such processing at any time.
- Rights Related to Automated Decision-Making and Profiling (Article 22 GDPR): Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless certain exceptions apply (e.g., explicit consent, necessary for contract, authorized by law with safeguards). As detailed in Section 4, TurboApplication emphasizes human oversight in final hiring decisions. Nevertheless, individuals have the right to obtain human intervention, to express their point of view, and to contest decisions that have been significantly influenced by automated means.
- The Right to Withdraw Consent (Article 7(3) GDPR): Where the processing of personal data is based on consent, individuals have the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal is typically as easy as giving consent.
How to Exercise Your Rights
To exercise any of these data protection rights, or if there are any questions about them, individuals should contact TurboApplication using the designated contact details: Email: info@turboapplication.com
When a request is made, TurboApplication may need to request specific information from the individual to help confirm their identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. This identity verification process is crucial for protecting personal data.
TurboApplication will endeavor to respond to all legitimate requests within one month of receipt, as mandated by the GDPR. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. If such an extension is needed, TurboApplication will inform the individual within one month of receiving the request, providing the reasons for the delay. There is generally no fee to exercise these rights, but a reasonable fee may be charged if a request is manifestly unfounded, repetitive, or excessive.
Right to Lodge a Complaint with a Supervisory Authority (Article 77 GDPR)
Individuals have the right to lodge a complaint with a data protection supervisory authority if they believe that the processing of their personal data by TurboApplication infringes the GDPR. This complaint can typically be lodged in the EU Member State of their habitual residence, their place of work, or the place of the alleged infringement.
While individuals have this right, TurboApplication would appreciate the opportunity to address any concerns directly in the first instance. Therefore, individuals are encouraged to contact TurboApplication with any complaints or issues before approaching a supervisory authority.
The ability for users to exercise their rights is a fundamental tenet of GDPR. TurboApplication must have internal procedures in place to receive, log, assess, and respond to Data Subject Requests (DSRs) in a timely and compliant manner. This operational preparedness is as important as the policy statements themselves.
10. Data Security
Our Security Commitment
TurboApplication is deeply committed to protecting the security and confidentiality of the personal data entrusted to it. Appropriate technical and organizational measures (TOMs) are implemented and maintained to safeguard personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, and against all other unlawful forms of processing. The selection of these measures takes into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, as required by GDPR Article 32.
Technical and Organizational Measures
The security measures implemented by TurboApplication include, but are not limited to, the following, reflecting the information provided regarding its technical infrastructure:
- Data Access Controls:
  - Row Level Security (RLS) Policies: Implemented at the database level (e.g., within Supabase) to ensure that users and applications can only access data rows that they are authorized to see, providing granular data segregation.
  - Role-Based Access Control (RBAC): Access to personal data within the Platform and its underlying systems is granted based on predefined user roles and responsibilities, ensuring that individuals only have access to the data necessary to perform their designated functions.
- Data Segregation:
  - Multi-Tenant Architecture: The Platform is designed with a multi-tenant architecture to logically isolate the data of different Companies/Employers, preventing unauthorized cross-tenant data access.
  - Account-Based Data Segregation: Data is segregated based on individual user accounts and company accounts, further reinforcing isolation.
- Credential Security:
  - Password Security Requirements: The Platform enforces requirements for strong passwords for user accounts.
  - Secure Storage of Credentials: Passwords, particularly for Job Candidate accounts, are stored in a hashed format using strong, industry-standard hashing algorithms to protect them from being compromised even if the underlying database were accessed.
- Encryption:
  - Data in Transit: Encryption protocols such as HTTPS/TLS (Transport Layer Security) are used to protect personal data transmitted between users' devices and the TurboApplication Platform, and between different system components.
  - Data at Rest: Encryption is applied to data stored at rest where appropriate, particularly for sensitive information such as uploaded CV/document files and database backups.
- Infrastructure Security:
  - Secure Hosting: Utilizing reputable and secure cloud hosting providers (e.g., Supabase with EU-based hosting facilities) that offer robust physical and network security measures.
- Operational Security:
  - Regular Security Assessments: Conducting periodic reviews, vulnerability scanning, and potentially penetration testing of security practices and infrastructure to identify and address potential weaknesses.
  - Employee Training and Awareness: Ensuring that all personnel with access to personal data are trained on data protection principles, security policies, and their responsibilities in safeguarding data.
  - Data Processing Agreements with Third Parties: Requiring third-party service providers who process personal data on behalf of TurboApplication to implement appropriate security measures, as stipulated in DPAs.
User Responsibilities
While TurboApplication implements comprehensive security measures, the security of personal data also depends on the actions of users. Users are responsible for maintaining the confidentiality of their account credentials, particularly their passwords. Passwords should be strong, unique, and not shared with anyone. Users should also be cautious about the information they share publicly or through unsecured channels.
Disclaimer
Despite the extensive efforts and measures taken to protect personal data, it is important to acknowledge that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, while TurboApplication strives to use commercially acceptable and robust means to protect personal data, its absolute security cannot be unconditionally guaranteed. Users provide their personal data at their own discretion, understanding these inherent risks.
Security is not a static state but an ongoing process of vigilance, adaptation, and improvement. TurboApplication is committed to continuously reviewing and enhancing its security measures in response to evolving threats and technological advancements. The measures listed reflect the current security posture and a commitment to maintaining a secure environment for user data.
11. Cookies and Tracking Technologies
What Cookies Are
Cookies are small text files containing a string of characters that are placed on a user's computer, smartphone, tablet, or other internet-enabled device when they visit a website or use an online platform. Cookies are widely used to make websites and online services work, or work more efficiently, as well as to provide information to the owners of the site or service about user interaction and preferences.
Types of Cookies We Use and Purpose
TurboApplication uses different types of cookies for various purposes, as outlined below:
- Strictly Necessary Cookies (Essential Cookies):
  - Purpose: These cookies are essential for the basic operation of the TurboApplication Platform. They enable core functionalities such as user login, session management, account access, and security features. Without these cookies, the services requested by users (like accessing their accounts or applying for jobs) cannot be provided.
  - Examples: Session cookies that maintain a user's logged-in state as they navigate the Platform, cookies that remember security settings, or cookies that manage load balancing. These cookies are typically exempt from consent requirements as they are indispensable for the service.
- Preference Cookies (Functionality Cookies):
  - Purpose: These cookies allow the TurboApplication Platform to remember choices made by users (such as username, language preference, region, or display settings) and to provide enhanced, more personalized features. They aim to improve the user experience by tailoring the Platform to individual preferences.
  - Examples: Cookies that remember a user's preferred language or theme, or that store user interface customizations.
- Analytics Cookies (Performance Cookies):
  - Purpose: TurboApplication uses analytics cookies, such as those provided by Google Analytics 4 (GA4), to collect information about how visitors and registered users interact with the Platform. This data includes which pages are visited most often, how users navigate through the site, the time spent on pages, error messages encountered, and the effectiveness of certain features or content. This information is used in an aggregated or pseudonymized form to understand user behavior, identify areas for improvement, and enhance the overall performance and usability of the Platform.
  - Consent: The use of analytics cookies that are not strictly necessary for the provision of the service typically requires user consent under applicable laws (such as the ePrivacy Directive and GDPR). TurboApplication will seek such consent via a cookie consent mechanism.
- No Third-Party Advertising Cookies Currently:
  - Statement: At present, TurboApplication does not use third-party advertising cookies on its Platform. These are cookies placed by advertising networks to track a user's browsing habits across different websites for the purpose of serving targeted advertisements. Should this practice change in the future, this Privacy Policy and the Cookie Policy will be updated, and appropriate consent mechanisms will be implemented.
Managing Your Cookie Preferences
Users have control over their cookie preferences. TurboApplication provides mechanisms for users to manage their consent for non-essential cookies:
- Cookie Consent Banner/Tool: When a user first visits the TurboApplication Platform, a cookie consent banner or management tool will typically be displayed. This tool provides information about the types of cookies used and allows users to give or withhold consent for different categories of non-essential cookies.
- Browser Settings: Most web browsers offer settings that allow users to control cookies. Users can usually configure their browser to accept or reject all cookies, accept only certain types of cookies, or to notify them when a cookie is being set. Browser settings can also typically be used to delete cookies that have already been stored. For more detailed information on managing cookies through browser settings, users can consult the help documentation for their specific browser or visit websites such as www.allaboutcookies.org or www.youronlinechoices.eu.
- Impact of Blocking Cookies: Users should be aware that if they choose to block or delete cookies, particularly strictly necessary cookies, some functionalities of the TurboApplication Platform may be impaired or may not work as intended.
Separate Cookie Policy
For more detailed and specific information about each cookie used by TurboApplication, including its name, provider, purpose, type (e.g., session, persistent), and expiry, users are encouraged to refer to our dedicated Cookie Policy available on our website. TurboApplication maintains a separate, comprehensive Cookie Policy that is easily accessible to users. This aligns with best practices for transparency and compliance with cookie regulations.
The legal framework for cookies, primarily stemming from the ePrivacy Directive (often referred to as the "cookie law") and complemented by the GDPR for aspects involving personal data, mandates transparency and, for most cookies, prior informed consent. Implementing a compliant cookie consent solution and maintaining a detailed Cookie Policy are therefore essential operational requirements for TurboApplication. The statement regarding the current absence of third-party advertising cookies provides clarity while allowing for future evolution, provided such changes are managed compliantly.
12. Communications and Marketing
TurboApplication communicates with its users for various purposes, distinguishing between essential service-related (transactional) communications and optional marketing communications.
Transactional Communications
These are communications that are integral to the provision and use of the TurboApplication Platform and services. They include, but are not limited to:
- Account-Related Notifications: Emails confirming account registration, password reset instructions, security alerts (e.g., suspicious login attempts), and notifications of changes to terms of service or this Privacy Policy.
- Application-Related Updates: Confirmations of job application submissions, notifications regarding the status of an application (e.g., when viewed by an employer, if such a feature is implemented and active), and other direct communications related to a specific job application process initiated by the user.
These transactional communications are considered a fundamental part of the service provided by TurboApplication. As such, users generally cannot opt out of receiving them as long as they maintain an active account or are engaged in an active process (like an ongoing job application), because these communications are necessary for TurboApplication to perform its contract with the user or to convey critical service or security information. The legal basis for these communications is typically performance of contract or legitimate interest.
Marketing Communications
TurboApplication may also wish to send users marketing communications. These are optional and may include:
- Newsletters: Periodic newsletters containing industry insights, career advice, or platform news.
- Product Updates: Information about new features, enhancements to existing services, or special offers related to the TurboApplication Platform.
- Promotional Content: Other communications intended to promote TurboApplication's services or related offerings.
TurboApplication will only send such marketing communications to users if they have explicitly consented to receive them (i.e., through an "opt-in" mechanism). Consent for marketing communications will be sought separately from the agreement to the terms of service or this Privacy Policy.
Opt-Out Mechanisms
Users who have consented to receive marketing communications have the right to withdraw their consent and opt out at any time, easily and free of charge. TurboApplication provides several mechanisms for unsubscribing from marketing communications:
- Unsubscribe Link: Every marketing email sent by TurboApplication will contain a clear and conspicuous "unsubscribe" link, typically located at the bottom of the email. Clicking this link will allow the user to opt out of future marketing messages of that type.
- Account Settings: Where feasible, users may be able to manage their communication preferences, including opting out of marketing communications, directly within their account settings on the TurboApplication Platform.
- Direct Contact: Users can also opt out by contacting TurboApplication directly at the email address provided for privacy inquiries: info@turboapplication.com, stating their request to be unsubscribed from marketing communications.
Opt-out requests will be processed promptly. It is important to note that opting out of marketing communications will not affect the receipt of essential transactional or service-related communications.
The clear distinction between service communications (often based on contract or legitimate interest) and marketing communications (requiring consent) is crucial under GDPR and ePrivacy regulations. TurboApplication must ensure its systems accurately track user consent for marketing and that opt-out mechanisms are robust and user-friendly.
13. Data Breach Procedures
TurboApplication takes the security of personal data very seriously and has implemented procedures to identify, manage, and respond to any suspected personal data breach. A personal data breach is defined under GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Incident Response Plan Overview
TurboApplication has established or is in the process of establishing a formal incident response plan designed to effectively address data breaches. This plan includes procedures for:
- Detection and Assessment: Identifying a potential breach and quickly assessing its nature, scope, and potential impact on individuals.
- Containment: Taking immediate steps to contain the breach and prevent further unauthorized access or data loss.
- Eradication: Identifying and eliminating the root cause of the breach.
- Recovery: Restoring affected systems and data to normal operation in a secure manner.
- Post-Incident Analysis (Lessons Learned): Reviewing the incident to identify lessons learned and implement improvements to security measures and procedures to prevent future occurrences.
Notification to Supervisory Authority
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, TurboApplication will notify the relevant data protection supervisory authority without undue delay. Where feasible, this notification will be made not later than 72 hours after TurboApplication has become aware of the breach, as required by Article 33 of the GDPR. The notification will describe the nature of the breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences, and the measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.
Notification to Data Subjects
If a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, TurboApplication will communicate the personal data breach to the affected data subjects without undue delay, as required by Article 34 of the GDPR. This communication will describe in clear and plain language the nature of the breach and contain at least:
- The name and contact details of the data protection contact point where more information can be obtained.
- A description of the likely consequences of the personal data breach.
- A description of the measures taken or proposed to be taken by TurboApplication to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Notification to data subjects may not be required if certain conditions are met, for example, if appropriate technical and organizational protection measures were applied to the data, if subsequent measures ensure the high risk is no longer likely to materialize, or if it would involve disproportionate effort (in which case a public communication may be made).
Documentation
TurboApplication will maintain an internal register of all data breaches, regardless of whether they required notification to a supervisory authority or data subjects. This register will include the facts relating to the breach, its effects, and the remedial action taken. This documentation supports accountability and helps in analyzing trends and improving security posture over time.
Having a documented and tested incident response plan is a key requirement of GDPR's security principle (Article 32) and accountability principle (Article 5(2)). The policy statements regarding breach notification reflect legal obligations and a commitment to transparency with both regulators and affected individuals in the unfortunate event of a breach.
14. Children's Privacy (Age Restrictions)
Minimum Age Requirement
The TurboApplication Platform and its services are not intended for or directed at individuals under the age of 18 years. To create an account, use the Platform, or submit any personal data to TurboApplication, users must be at least 18 years old. This age restriction is set above the typical GDPR threshold for requiring parental consent for information society services offered directly to a child (which is 16, or as low as 13 if set by an EU Member State).
How We Address This
TurboApplication relies on users to provide accurate information regarding their age during the registration process. Users are required to declare that they meet the minimum age requirement of 18 years to complete registration and access the Platform's services.
TurboApplication does not knowingly collect personal data from children under the age of 18. If the Platform Operator becomes aware that it has inadvertently collected personal data from an individual under 18 years of age without verification of parental consent (although, as stated, parental consent mechanisms are not implemented due to the 18+ age limit), steps will be taken to delete that information from its systems as quickly as possible.
Parental Consent
Given that the services provided by TurboApplication require all users to be 18 years of age or older, specific mechanisms for obtaining and verifying parental consent are not applicable and are therefore not implemented on the Platform.
Establishing a clear minimum age for service use, particularly one that is 18 years or older, simplifies compliance with GDPR provisions related to children's data. While "user declaration" is a common method for age affirmation, TurboApplication should remain vigilant and consider if additional age verification measures might become necessary in the future, depending on the Platform's evolution and user demographics, or if issues related to underage use arise. The current policy accurately reflects the stated approach.
15. Employment Law Considerations (Brief mention)
While TurboApplication operates as a technology platform facilitating connections between Job Candidates and Companies/Employers, and is not an employer itself in relation to the candidates using the platform to seek jobs from other companies, it acknowledges the broader context of employment law and strives to promote fair practices.
Commitment to Fair Practices
TurboApplication is committed to designing and operating its Platform in a manner that supports principles of fairness and equal opportunity in the recruitment process. The tools and features provided are intended to be used by Companies/Employers in compliance with all applicable laws.
Non-discrimination and AI Bias Mitigation
The use of Artificial Intelligence (AI) in recruitment carries inherent risks, including the potential for AI models to perpetuate or even introduce biases based on historical data or algorithmic design. TurboApplication recognizes these risks and is committed to taking reasonable steps to monitor the performance of its AI tools and to mitigate potential AI bias where identified. This is an ongoing effort.
It is crucial to understand that Companies/Employers using TurboApplication's AI features remain responsible for ensuring their overall hiring processes are fair, non-discriminatory, and compliant with all relevant anti-discrimination and employment laws. The AI tools are assistive, and human oversight and judgment by the employer are paramount in making final hiring decisions.
Equal Opportunities
The TurboApplication Platform is intended to be used in a manner that promotes equal opportunities in recruitment. Companies/Employers utilizing the Platform are solely responsible for complying with all applicable employment laws, including those related to equal opportunity, non-discrimination, and fair hiring practices, when they source, screen, assess, and select candidates.
Candidate Rights (in employment context)
Job Candidates may have specific rights under applicable employment laws regarding hiring decisions made by Companies/Employers. These rights might include, for example, the right to an explanation for a hiring decision in certain circumstances, or rights related to non-discrimination. While TurboApplication provides the platform technology, the Company/Employer is the entity making the actual hiring decision. Therefore, Job Candidates should direct employment law-related inquiries or requests concerning specific hiring decisions or processes to the relevant Company/Employer that made the decision.
TurboApplication's role is that of a technology provider. While it endeavors to design its tools responsibly (e.g., through efforts in AI bias mitigation), the ultimate responsibility for conducting lawful and fair hiring practices rests with the Companies/Employers who use the Platform. This section aims to clarify these distinct roles and responsibilities.
16. Future Developments & Changes to This Privacy Policy
Future Developments
TurboApplication is committed to the continuous improvement and expansion of its Platform and services. Planned future developments that may have implications for data processing include, but are not limited to:
- Payment Processing: Implementation of subscription billing for Companies/Employers and other payment-related features.
- Enhanced AI Capabilities: Introduction of additional AI-driven features for CV analysis, candidate matching, or other recruitment support functions.
- Mobile Application: Potential development of a dedicated mobile application for accessing the TurboApplication Platform.
- Third-Party Integrations: Facilitating connections with third-party HR systems or other relevant software used by Companies/Employers or Job Candidates.
This Privacy Policy will be reviewed and updated as necessary to reflect how any new features, services, or technologies may affect the collection, use, and protection of personal data.
Changes to This Privacy Policy
TurboApplication reserves the right to update or modify this Privacy Policy from time to time. This may be necessary to reflect changes in its data processing practices, the services offered, evolving legal or regulatory requirements, or for other operational reasons.
When this Privacy Policy is updated, the "Last Updated" date at the top of this Policy will be revised. All changes will be posted on this page (or a successor page) on the TurboApplication website.
If TurboApplication makes material changes to this Privacy Policy – that is, changes that significantly alter the way personal data is handled (e.g., processing for new purposes, sharing with new categories of third parties, significant changes to retention periods) – users will be provided with prior notice. This notice may be given by posting a prominent announcement on the Platform, by sending a direct notification to registered users via email, or by other appropriate means. Where required by applicable data protection law, TurboApplication will obtain explicit consent from users for any new uses of their personal data that are incompatible with the purposes for which it was originally collected and for which consent was previously obtained.
Users are encouraged to review this Privacy Policy periodically to stay informed about how TurboApplication is protecting their personal data. Continued use of the Platform after any changes to this Privacy Policy have been posted (and, where applicable, after notice or consent has been provided) will constitute acceptance of those changes.
Privacy is not a static concept, and a privacy policy must be a living document that evolves alongside the platform it describes and the legal landscape in which it operates. TurboApplication is committed to this ongoing process of review and adaptation.
17. Contact Us
If you have any questions, concerns, comments, or complaints regarding this Privacy Policy, TurboApplication's data handling practices, or if you wish to exercise any of your data protection rights as outlined in this Policy, please do not hesitate to contact us.
The designated point of contact for all privacy-related inquiries is:
- Email: info@turboapplication.com
- Business Address: Turin, Italy (Full address will be updated upon completion of company registration process)
If and when a Data Protection Officer (DPO) is formally appointed, their specific contact details will also be provided in this section of the Privacy Policy.
TurboApplication is committed to addressing all privacy-related inquiries and concerns in a timely and effective manner. Providing clear and accessible contact points is fundamental to transparency and accountability in data protection.
