Privacy Policy (EU/EEA – GDPR)

1. Introduction

This Privacy Policy describes how Talantula Ltd., a company registered in the Republic of Bulgaria, processes personal data in accordance with:

• the EU General Data Protection Regulation (GDPR);
• the Bulgarian Personal Data Protection Act; and
• all other applicable EU privacy laws.

This policy applies to:

• EU/EEA users of the Talantula platform,
• visitors of our website, and
• individuals whose data is processed within the Services.

For users located in the United States, our separate U.S. Privacy Policy applies.

2. Data Controller and Processor Roles

Talantula uses a clear controller/processor structure:

2.1. Data Controller (Platform & Customer Support Data)

Talantula Ltd.
Sofia, 11 Krum Kyulyavkov str
Email: privacy@talantula.com
Talantula Ltd. determines the purposes and means of processing all personal data stored or generated within the Talantula platform.

2.2. Data Processor (Support, Onboarding & CRM Assistance)

Talantula LLC, North Carolina, USA
Processes personal data only on behalf and under the documented instructions of Talantula Ltd., as required by GDPR Article 28.

2.3. Independent Controller (Payments)

Stripe, Inc.
Stripe acts as an independent controller for processing payment information and financial transactions.

3. Personal Information We Collect

We may collect the following categories of personal information:

Account Information

Name, email, job title, company name, login credentials, authentication details.

Usage Data

IP address, activity logs, audit logs, device identifiers, browser information, performance data, platform usage statistics.

Customer-Uploaded Data

Content you or your organization upload to the platform (candidate data, CVs, attachments, comments, job requisitions).

Payment Information

Billing details and transaction identifiers (handled exclusively by Stripe; we do not store any credit card numbers).

Marketing & Lead Data

Website form submissions, demo requests, event sign-ups, marketing preferences, email engagement data.

Support Data

Communications with our support team, including email, chat logs, and troubleshooting notes.

4. Legal Bases for Processing

We process personal data based on:

• Contract Performance (Art. 6(1)(b)) – to provide, maintain, and support the Services.
• Legitimate Interests (Art. 6(1)(f)) – including fraud prevention, platform security, service optimization, and customer communication.
• Consent (Art. 6(1)(a)) – for optional marketing communications or non-essential cookies.
• Legal Obligations (Art. 6(1)(c)) – where required by EU or Member State law.

5. How We Use Personal Information

We use personal data to:

• Operate and provide the Talantula platform
• Authenticate users and manage accounts
• Provide customer support and assistance
• Improve security, performance, and user experience
• Send product updates or marketing communications (with consent)
• Comply with tax, accounting, and regulatory requirements
• Process payments via Stripe

6. Sharing and Disclosures of Personal Information

We may share personal data with:

• Service Providers / Sub-Processors: Hosting providers, analytics services, communication tools, and operational vendors. All are bound by GDPR-compliant agreements.
• Affiliates: Talantula LLC (processor) for support and operational tasks.
• Stripe: Acts as an independent controller for payment processing.
• Authorities: Where required by law, regulation, or a valid court order.

If personal data is transferred outside the EEA, we apply adequate safeguards such as Standard Contractual Clauses (SCCs).

7. International Transfers

When transferring personal data to countries outside the EEA, including the United States, we rely on:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions (if applicable)
• Appropriate technical and organizational safeguards

Talantula LLC acts exclusively as a GDPR Article 28 Processor for EU/EEA personal data.

8. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy or as required by law.

• Account & platform data: kept for the duration of the customer subscription.
• Customer Data: deleted within 30 days of contract termination unless legally required.
• Logs: retained up to 12 months for security and auditing.
• Marketing data: retained until consent is withdrawn or no longer necessary.

9. Your Rights (GDPR)

EU/EEA individuals have the right to:

• Access their personal data
• Correct inaccurate information
• Request deletion (“right to be forgotten”)
• Restrict processing
• Object to processing
• Request portability
• Withdraw consent (at any time, where applicable)
• File a complaint with a supervisory authority, including:
  • the Bulgarian Commission for Personal Data Protection (CPDP), or
  • their local EU data protection authority.

To exercise your rights, contact: privacy@talantula.com.

10. Cookies

We use only strictly necessary cookies required for the proper operation, security, and functionality of our website and Services. These cookies do not track users, do not collect analytics data, and do not support advertising or personalization.

We may use third-party providers (e.g., for analytics, performance monitoring, or advertising). These providers may set their own cookies and act as independent controllers for certain processing operations.

11. Google Analytics

We use Google Analytics and Google Tag Manager, web analytics services provided by Google LLC (“Google”), to understand how visitors interact with our website and to improve the performance, usability, and security of our Services.

What Information Is Collected

Google Analytics may collect information such as:

• IP address (which may be truncated or anonymized where required by law)
• Device type, operating system, and browser information
• Pages visited and time spent on pages
• Referral sources (e.g., how you arrived at our website)
• Interaction data (clicks, navigation behavior, session duration)

This information is collected through cookies and similar technologies.

Purpose of Processing

We use Google Analytics to:

• Analyze website traffic and usage trends
• Improve user experience and platform performance
• Monitor system functionality and security
• Measure the effectiveness of marketing campaigns

U.S. Users (CCPA/CPRA)

For U.S. users, Google Analytics may constitute “sharing” for cross-context behavioral advertising depending on configuration. We do not sell personal information. You may opt out of tracking technologies through our cookie preference center or by enabling browser-based privacy controls where supported.

Data Sharing & International Transfers

Information collected through Google Analytics may be transferred to and processed on servers located outside your state or country, including in the United States. We rely on appropriate contractual safeguards where required by law.

How to Control Google Analytics

You may:

• Manage cookies through our cookie banner/settings tool
• Adjust your browser settings to block cookies
• Use the Google Analytics Opt-Out Browser Add-On (available from Google)

For more information on the privacy practices of Google, please visit the Google Privacy Terms web page. We also encourage you to review Google’s policy for safeguarding your data: https://support.google.com/analytics/answer/6004245.

12. Security

We implement the following technical and organizational measures:

• Encryption (in transit and at rest)
• Role-based access controls
• Multi-factor authentication for administrators
• Continuous monitoring and logging
• Regular audits and security assessments

13. Children’s Data

The Services are intended for business users aged 18 and older. We do not knowingly collect personal data from children.

14. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or via a prominent notice on our website. Continued use of the Services after such updates constitutes acceptance of the revised Policy.