Privacy Policy (United States – CCPA/CPRA)

1. Introduction

This Privacy Policy explains how Talantula LLC, a company registered in North Carolina, USA, and Talantula Ltd., a company registered in the Republic of Bulgaria, collect, use, disclose, and protect personal information of users located in the United States in accordance with:

• California Consumer Privacy Act (CCPA), as amended by the CPRA
• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• Connecticut Data Privacy Act (CTDPA)
• Utah Consumer Privacy Act (UCPA)
• Other applicable U.S. state privacy laws

This Privacy Policy applies only to individuals located in the United States. For users located in the EU/EEA/UK, our separate GDPR Privacy Policy applies.

2. Data Controllers and Processing Roles

We use a dual-controller model based on the origin and purpose of the data.

(a) U.S. Sales & Marketing Leads

Data Controller: Talantula LLC
Talantula LLC determines the purposes and means of processing sales inquiries, business contacts, and marketing interactions from U.S. prospects.

(b) Platform Accounts & Usage Data (All Users)

Data Controller: Talantula Ltd.
Talantula Ltd. develops, hosts, and operates the Talantula platform and determines the purposes and means of processing for account creation, authentication, platform logs, and usage analytics.

(c) Support and Operational Data

Data Processor: Talantula LLC
Talantula LLC processes platform data only under the documented instructions of Talantula Ltd. for customer support, onboarding assistance, and troubleshooting.

(d) Payment Processing

Independent Data Controller: Stripe, Inc.
Stripe processes payment transactions and related financial information in accordance with its own privacy policy and legal obligations.

3. Personal Information We Collect

Depending on how you interact with us, we may collect the following categories of personal information:

Account Information

Name, email address, job title, company name, login credentials, and authentication details.

Usage Data

IP address, activity logs, audit logs, device identifiers, browser type and version, performance data, and platform usage statistics.

Customer-Uploaded Data

Content that you or your organization upload to the platform, such as candidate data, CVs, attachments, comments, and job requisitions.

Payment Information

Billing information and transaction identifiers. Payments are processed by Stripe; we do not store any credit card numbers.

Marketing & Lead Data

Data provided when you submit website forms, request a demo, register for an event, or interact with marketing emails, including your preferences and engagement.

Support Data

Information contained in communications with our support team, such as email threads, chat logs, and troubleshooting notes.

4. How We Use Personal Information

We use personal information for the following purposes:

• To provide, operate, and maintain the Talantula platform and related services.
• To authenticate users, manage accounts, and administer subscriptions.
• To deliver customer support, respond to inquiries, and resolve technical issues.
• To process payments and manage billing (via Stripe).
• To improve the performance, usability, and security of our services.
• To send marketing or promotional communications where permitted by law or with your consent.
• To comply with applicable U.S. laws, legal processes, and regulatory requirements.

5. Sharing and Disclosures of Personal Information

We do not sell personal information or share it for cross-context behavioral advertising as those terms are defined under the CPRA.

We may disclose personal information to the following categories of recipients:

• Service Providers / Contractors: Companies that provide hosting, analytics, communication, support, and other operational services under written agreements.
• Stripe (Independent Controller): For payment processing and financial transactions, in accordance with Stripe’s own privacy policy.
• Affiliates: Talantula Ltd. and Talantula LLC may share information strictly within their defined roles as described in this Policy.
• Government or Regulatory Authorities: When required by law, subpoena, or valid legal process.

6. U.S. Privacy Rights (CCPA/CPRA and Other State Laws)

Depending on your U.S. state of residence, you may have some or all of the following rights regarding your personal information:

• Right to Know / Access: Request access to the personal information we hold about you.
• Right to Deletion: Request deletion of your personal information, subject to legal exceptions.
• Right to Correction: Request correction of inaccurate personal information.
• Right to Opt Out: Opt out of certain types of tracking or targeted advertising (we currently do not use personal information for cross-context behavioral advertising).
• Right to Limit Use of Sensitive Information: If applicable, limit the use of sensitive data (we do not intentionally collect sensitive personal information).

To exercise your rights, please contact us at: privacy@talantula.com. We may need to verify your identity before fulfilling your request.

7. Data Retention

We retain personal information only for the minimum period necessary to fulfill the purposes for which it was collected, as disclosed in this Privacy Policy, or as required by applicable law. We do not retain personal information “just in case” it may be useful in the future. When specific retention periods cannot be precisely defined, we apply clear criteria that ensure compliance with the California Consumer Privacy Act (CCPA/CPRA).

• Account & platform data: Retained for the duration of the customer subscription and for up to 12 months afterward to support account closure, security, fraud prevention, and auditing obligations.
• Customer Data: Customer-uploaded data is retained only for the duration of the subscription. Upon termination, Customer Data is deleted or de-identified within 30 days, unless a longer period is legally required (e.g., legal holds or mandatory recordkeeping).
• Marketing leads: Retained until you opt out or until the information is no longer needed for the marketing purpose for which it was collected, typically 12–24 months of inactivity.
• Support logs & diagnostic data: Retained for 12–24 months, depending on security investigation needs, troubleshooting operations, and system integrity requirements.
• Billing & transaction records (via Stripe): Retained for 7 years to comply with U.S. tax, accounting, and financial reporting obligations.
• Backup data: Personal information may persist in encrypted backups for 30–90 days as part of disaster recovery processes, after which it is securely overwritten.

After the applicable retention period expires, we securely delete, de-identify, or aggregate personal information so that it can no longer be associated with any individual, in accordance with CPRA requirements.

8. Cookies and Tracking Technologies

We use strictly necessary cookies to operate the platform, maintain security, and enable core functionality such as login sessions.

If we use analytics or performance cookies, we will provide appropriate notice and, where required, obtain your consent. Third-party analytics providers may act as independent controllers for their cookie-based processing activities.

We do not use cookies for cross-context behavioral advertising without your explicit consent.

9. Security

We implement industry-standard technical and organizational measures designed to protect personal information, including:

• Encryption of data in transit and at rest where appropriate
• Role-based access controls and least-privilege principles
• Multi-factor authentication for administrative access
• Network and application-level protections
• Regular monitoring, logging, and security reviews

10. Children’s Privacy

Our Services are intended for business use and are not directed to children under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if we have it) or by posting a prominent notice on our website. Your continued use of the Services after any such changes become effective constitutes your acceptance of the updated Privacy Policy.