Privacy Policy
Last Updated: January 3, 2026
1. Overview and Responsible Body
We take the protection of your personal data very seriously. This Privacy Policy explains how we collect, use, and protect your data when you visit our website www.talentvaults.com.
Responsible Controller (Data Controller) according to Art. 4(7) GDPR:
iKreate Innovations OÜ
Registry Code: 16848376
Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551
Estonia
Represented by:
German Guandique (Member of the Management Board)
Contact:
Email: info@talentvaults.com
For privacy-specific inquiries: info@talentvaults.com
Note on Jurisdiction: We adhere to the General Data Protection Regulation (GDPR) and all relevant applicable data protection laws.
2. General Data Collection (Server Log Files)
When you visit our website, our hosting provider automatically collects and stores information in "server log files." This processing is strictly necessary for the technical operation and security of the website.
- Provider: Netlify, Inc., 2325 3rd Street, Suite 296, San Francisco, California 94107, USA.
- Data Collected: Full IP addresses, browser type/version, operating system, referrer URL, and time of request.
- Retention: IP addresses are retained by Netlify for a maximum of 30 days to detect and prevent fraud and unauthorized access, after which they are rotated or deleted. According to Netlify's official privacy policy, access logs are retained for "less than 30 days".
- Legal Basis: Art. 6(1)(f) GDPR (Legitimate Interest in website security, fraud prevention, and ensuring service functionality). You have the right to object to this processing under Article 21 GDPR.
- Data Processing Agreement (DPA): We maintain a DPA with Netlify that includes Standard Contractual Clauses (SCCs) to ensure GDPR compliance.
- Netlify Privacy Policy: https://www.netlify.com/privacy/
3. Database Hosting (Supabase)
We use Supabase as our backend database provider for content management and delivery.
- Provider: Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992.
- Purpose: Hosting database content and delivering public data to the website. We do not currently use Supabase for user authentication or login sessions.
- Primary Location: AWS Ireland (eu-west-1) — EU-adequate
- Supabase Transfer Safeguards Detail:
  - Primary Database: AWS Ireland (eu-west-1) — EU-adequate, no transfer needed
  - Logs & Monitoring: AWS CloudWatch may process logs in US — requires transfer safeguards
  - Transfer Mechanism: Standard Contractual Clauses (Module Two) + Encryption (AES-256 at rest, TLS 1.2 in transit)
  - Schrems II Assessment:
    - ✓ Essential functions test: Data transfer is essential to service provision
    - ✓ Supplementary measures: AES-256 encryption at rest, TLS encryption in transit
    - ✓ Adequacy assessment: No mass surveillance risks identified specific to Supabase infrastructure
- Sub-processors: See https://supabase.com/privacy for complete list
- Supabase Privacy Policy: https://supabase.com/privacy
4. Cookies and Prior Blocking
We implement a strict, privacy-by-design cookie architecture that uses separate cookies for different purposes. We implement prior blocking to ensure no non-essential cookies are set before you provide consent.
Our Cookie Architecture
We use three separate cookies with distinct purposes to manage consent and website functionality:
| Cookie Name | Provider | Purpose | Duration | Legal Basis |
|---|---|---|---|---|
| cv_cookie | TalentVaults | Stores your acceptance decision. Set only when you click "Accept all". Contains a fullAcceptance: true flag that our system uses to determine consent for script unblocking. This cookie is essential for remembering your preference and demonstrating GDPR compliance. | 1 year | Consent (Art. 6(1)(a) GDPR) |
| cv_rejection | TalentVaults | Stores your rejection decision. Set only when you click "Reject all". Prevents the banner from reappearing and triggers immediate script blocking. Contains only timestamp and rejection status—no behavioral data. Essential for remembering your preference and demonstrating GDPR compliance. | 1 year | Consent (Art. 6(1)(a) GDPR) |
| cc_cookie | Cookie Consent Library | Technical/UI cookie for the consent interface. This is set by the Cookie Consent library to manage the consent banner's display state (e.g., remembers that the banner has been shown). Important: This cookie does NOT affect consent decisions or script blocking — our actual consent logic uses cv_cookie and cv_rejection. This is purely for the user interface. | 1 year | Legitimate Interest (Art. 6(1)(f) GDPR) |
How Our Consent System Works
- Accept All: Sets `cv_cookie` with `fullAcceptance: true` and deletes `cv_rejection`. Scripts are unblocked.
- Reject All: Sets `cv_rejection` and deletes `cv_cookie`. Scripts remain blocked.
- Script Blocking: Our inline scripts check for `cv_cookie` with `fullAcceptance: true` before unblocking any non-essential scripts.
- Banner Suppression: The `cc_cookie` only manages UI state — it doesn't influence our consent logic or script blocking decisions.
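The consent rules listed above, written out as an added example (not TalentVaults' own code). It assumes `cv_cookie` and `cv_rejection` hold URL-encoded JSON and that the rejection cookie uses the field names `rejected` and `timestamp`, none of which the policy specifies; treating a visitor with both cookies as rejected is likewise an assumption, chosen so the gate fails closed.

```javascript
// Added example. Cookie names and the fullAcceptance flag come from the policy;
// the JSON encoding and the cv_rejection field names are assumptions.

// Parse a document.cookie-style string into a Map of name -> raw value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Returns "accepted", "rejected" or "undecided". cc_cookie is never consulted.
function consentState(cookieString) {
  const jar = parseCookies(cookieString);
  // Assumption: if both cookies exist, rejection wins (fail closed).
  if (jar.has("cv_rejection")) return "rejected";
  const raw = jar.get("cv_cookie");
  if (raw === undefined) return "undecided";
  try {
    const value = JSON.parse(decodeURIComponent(raw));
    // Only the boolean true counts; the string "true" or a missing flag does not.
    return value !== null && value.fullAcceptance === true ? "accepted" : "undecided";
  } catch (err) {
    return "undecided"; // malformed or tampered value: keep scripts blocked
  }
}

// Prior blocking: non-essential scripts load only after explicit acceptance.
function mayLoadNonEssential(cookieString) {
  return consentState(cookieString) === "accepted";
}

// Set-Cookie style strings for a banner click: one cookie set, the other expired.
function cookieWritesFor(button, now = new Date()) {
  const keep = `Path=/; Max-Age=${365 * 24 * 60 * 60}; SameSite=Lax; Secure`; // 1 year
  const expire = "Path=/; Max-Age=0; SameSite=Lax; Secure";
  if (button === "accept") {
    const v = encodeURIComponent(JSON.stringify({ fullAcceptance: true }));
    return [`cv_cookie=${v}; ${keep}`, `cv_rejection=; ${expire}`];
  }
  if (button === "reject") {
    const body = { rejected: true, timestamp: now.toISOString() };
    const v = encodeURIComponent(JSON.stringify(body));
    return [`cv_rejection=${v}; ${keep}`, `cv_cookie=; ${expire}`];
  }
  throw new Error(`unknown button: ${button}`);
}

// Constructed sample: the banner was shown but no choice was made.
const SAMPLE_COOKIES = "cc_cookie=shown";
console.log(consentState(SAMPLE_COOKIES), mayLoadNonEssential(SAMPLE_COOKIES));
```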
Prior Blocking Implementation
To comply with GDPR Article 5 and ePrivacy Directive requirements:
- Technical Blocking: All cookie-setting scripts are blocked until explicit consent is obtained
- Equal Consent Options: "Accept all" and "Reject all" buttons have equal visual prominence
- No Pre-Consent Cookies: No analytics, tracking, or preference cookies are set before consent
- Event-Driven Consent: We use the library's `cc:onConsent` event to detect which button was clicked and set the appropriate cookie (`cv_cookie` or `cv_rejection`)
- Withdrawal Mechanism: You can withdraw consent at any time by clearing browser cookies
Technical consent logs and local storage
In connection with our cookie banner, we also use minimal technical logs and browser storage (for example, cookies and local storage) to record how the consent interface behaves on your device. These records may include the type of event (for example, that the page loaded or that a cookie was blocked), your current consent status (accepted or rejected), which essential cookies are present, basic device and browser information (such as user‑agent string), and a timestamp of the action.
We use this information solely to (i) ensure that your cookie choices are correctly applied, (ii) prevent the banner from reappearing unnecessarily, and (iii) troubleshoot technical or accessibility issues with the consent interface. The legal basis for this processing is our legitimate interest in providing a secure and compliant website and in being able to demonstrate and technically enforce your choices (Art. 6(1)(f) GDPR). These technical logs are kept only for as long as necessary for these purposes and are not used for marketing, profiling, or cross‑site tracking.
Consent Banner
We display a GDPR-compliant consent banner with equal "Accept all" and "Reject all" options. This banner appears before any non-essential processing occurs. We explicitly avoid dark patterns and ensure our interface design does not manipulate or influence user choice.
Managing Your Cookies
You can manage cookies at any time:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Firefox: Preferences → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Cookies and website data
- Edge: Settings → Cookies and site permissions → Cookies and site data
- Withdraw Consent: Clear browser cookies or contact info@talentvaults.com
Note: Disabling essential cookies may impair website functionality.
Server-Side Consent Event Logging
When you make a cookie decision, we log the following server-side to demonstrate GDPR compliance:
- Event type: "consent_accepted" or "consent_rejected"
- Button clicked: "Accept all" or "Reject all"
- Timestamp: ISO format date and time of the decision
- Anonymized IP address: We store only the first two octets of your IP address (e.g., 192.168.xxx.xxx) to approximate the country/region without identifying your device or exact location.
- Anonymized User Agent: We store a hashed version of your browser's user agent string to detect patterns in consent behavior without identifying your specific browser configuration.
- Legal basis: We record your consent decision based on your explicit consent (Art. 6(1)(a) GDPR) for the sole purpose of maintaining a secure audit trail to demonstrate our compliance with data protection laws.
Data Minimization: We adhere to the principle of data minimization. Our consent logs are limited to the essential details of the decision (choice, timestamp, legal basis) and an anonymized identifier. We do not store full IP addresses or raw user agent strings in these logs.
Retention: Consent confirmation logs are retained for a period of 90 days from the date of your decision, which is the necessary period for us to respond to any potential data subject requests or regulatory inquiries. After this period, the logs are automatically and permanently deleted.
Access Control: Access to these logs is restricted to authorized compliance and engineering staff on a need-to-know basis for audit and compliance purposes only.
Your Rights: You can request a copy of your consent record or its deletion at any time by contacting us. To exercise these rights, contact info@talentvaults.com. We will respond within 30 days.
5. Affiliate Links and Partner Redirection
Our website features tools and platforms from third-party partners. All affiliate buttons are clearly labeled with a partner identifier. Compensation details for each partner are disclosed below.
Affiliate Link Disclosure
Buttons marked with "Apply Now", "Participate Now", "Visit Website", or similar calls to action are embedded with our unique referral identifiers and are visibly marked as partner links.
- Respondent.io: If you sign up through this button, successfully pass the screener for a survey, and complete the study, Respondent.io pays TalentVaults a commission.
- Mercor: If you apply through this button, successfully pass Mercor's application process, and complete the minimum required paid work, Mercor pays TalentVaults a commission.
- Wise: If you sign up through this button and use or purchase the relevant service, the provider pays TalentVaults a commission.
Tracking Mechanism
When you click one of these buttons, you are redirected to the partner's domain. The URL contains a generic partner ID that identifies TalentVaults as the referrer. This ID allows the partner to attribute the commission to us. We do not generate or pass any unique user-ID, pseudonymized profile data, or personal contact details to these partners during this redirect.
Affiliate Partner ID Tracking - Legal Basis Analysis
Legal Basis: Article 6(1)(f) GDPR (Legitimate Interest)
1. Purpose: Finance free website and content production; sustainable operation without advertising or subscriptions; partner programs offer users value (discounts, opportunities).
2. Necessity: Generic partner ID is necessary to attribute referral; no personal data is passed to partners; minimal data: URL-based identifier + timestamp; users voluntarily click affiliate links.
3. Balancing Test: Our interest (sustainable business model for free services) vs. data subject expectation (low expectation of privacy for publicly-shared links). Risk to data subject is minimal - partners only know a generic ID linked to visitor. Fully transparent with user control options.
Conclusion: Legitimate interest is justified. Privacy impact is minimal and proportionate to benefit.
Your Choice & Right to Object
Interaction with these affiliate links is entirely voluntary. If you do not wish for this referral attribution to occur, please visit the partner websites directly without clicking the links on our platform.
Your Right to Object (Art. 21 GDPR): You may object to affiliate partner ID tracking. Submit objections to info@talentvaults.com. We will respond within 30 days.
Partner Privacy Policies:
- Respondent.io: https://www.respondent.io/privacy-policy
- Mercor: https://www.mercor.com/data-privacy-policy
- Wise: https://wise.com/privacy-policy
6. Data Retention Schedule
We retain personal data only as long as necessary for the purposes outlined in this policy, in accordance with GDPR Art. 5(1)(e).
| Data Type | Processor | Retention Period | Legal Basis |
|---|---|---|---|
| Server log files (IP, User-Agent) | Netlify | 30 days maximum (Netlify's official retention period) | Legitimate interest (security) |
| Cookie preference (cv_cookie) | TalentVaults | 1 year | Consent (Article 6(1)(a) GDPR) |
| Rejection cookie (cv_rejection) | TalentVaults | 1 year | Consent (Article 6(1)(a) GDPR) |
| UI cookie (cc_cookie) | Cookie Library | 1 year | Legitimate Interest (Art. 6(1)(f) GDPR) |
| Consent event logs (anonymized) | TalentVaults | 90 days | Consent (Article 6(1)(a) GDPR) |
| Supabase database content | Supabase | As long as necessary for service; deleted on request | User consent / contract |
| Affiliate redirect logs | Partner services | Per partner policy (typically 90-365 days) | Legitimate interest (commission tracking) |
Data subjects can request early deletion of their data by contacting info@talentvaults.com. We will process deletion requests within 30 days.
7. Your Rights (GDPR)
You have the following rights regarding your personal data under the General Data Protection Regulation:
- Right to Access (Art. 15 GDPR): Request a copy of your personal data we process.
- Right to Rectification (Art. 16 GDPR): Correct inaccurate or incomplete personal data.
- Right to Erasure (Art. 17 GDPR): Request deletion of your personal data ("right to be forgotten").
- Right to Restrict Processing (Art. 18 GDPR): Request temporary restriction of processing in certain circumstances.
- Right to Data Portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21 GDPR): Object to processing based on legitimate interest, including affiliate tracking and consent event logging. Submit objections to info@talentvaults.com.
- Right to Withdraw Consent (Art. 7(3) GDPR): Withdraw previously given consent at any time, including cookie consent.
To exercise these rights, please contact us at: info@talentvaults.com
We will respond to all legitimate requests within 30 days. We may request specific information to verify your identity before processing your request.
We do not use automated decision-making or profiling (Art. 22 GDPR) that has legal effects on you.
8. Sub-Processors & Change Notifications
Current Sub-Processors
We use the following service providers who may process personal data on our behalf:
| Processor | Service | Sub-Processors | Location |
|---|---|---|---|
| Netlify, Inc. | Website hosting & CDN | AWS, Fastly, etc. | USA (with EU safeguards) |
| Supabase, Inc. | Database hosting | AWS, CloudWatch | Ireland (primary), USA (logs) |
Sub-Processor Change Notification Process
When our service providers add or change sub-processors, they notify us in advance.
Material vs Non-Material Changes
- Material (notified via email): Location changes, new data types, security downgrades
- Non-Material (policy update only): Sub-processor name changes, address updates
Notification Method
- Review the change for data protection compliance
- Update this privacy policy within 30 days (published on website, highlighted as "UPDATED [DATE]")
- Notify registered users via email for material changes (if applicable)
- Allow objections by request to info@talentvaults.com (object within 30 days; we respond within 30 days)
Current Sub-Processor Lists:
- Netlify: https://www.netlify.com/gdpr/subprocessors/
- Supabase: https://supabase.com/privacy
Users can request the full current sub-processor list by emailing info@talentvaults.com.
9. Data Breach Notification Procedure
In accordance with GDPR Articles 33-34, we have established procedures for data breach notification.
Our Commitment
If a personal data breach occurs that is likely to result in a risk to individuals' rights and freedoms, we will:
- Notify the Estonian Data Protection Inspectorate (DPA) within 72 hours of becoming aware of the breach (Art. 33 GDPR)
- Notify affected data subjects without undue delay if the breach poses a high risk to their rights and freedoms (Art. 34 GDPR)
Notification Contents
Breach notifications will include:
- Nature and scope of the personal data breach
- Likely consequences for data subjects
- Measures taken or proposed to address the breach
- Contact details for further information
Reporting Security Incidents
If you suspect a security incident or data breach involving our services, please report it immediately to: info@talentvaults.com
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn, Estonia
Email: info@aki.ee
Website: https://www.aki.ee
10. Right to Complain
If you believe our processing of your personal data violates data protection law, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement (Art. 77 GDPR).
Lead Supervisory Authority
For iKreate Innovations OÜ, the lead supervisory authority is:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn, Estonia
Phone: +372 627 4135
Email: info@aki.ee
Website: https://www.aki.ee
We encourage you to contact us first at info@talentvaults.com to resolve any concerns before approaching a supervisory authority.
11. International Residents
California Residents (CCPA/CPRA 2025 Updates)
Effective September 23, 2025, the California Privacy Protection Agency has updated CCPA/CPRA regulations:
⚠️ Sensitive Personal Information Categories (Updated 2025)
- Neural data: We do not collect neural data from biometric sensors
- Minors under 16: Personal information of consumers under 16 is now classified as sensitive personal information
- Children's data: We do not knowingly collect data from children under 16
2025 CPPA Updates and Compliance
- Automated Decision-Making Technology (ADMT): TalentVaults does not currently use any ADMT that produces legal or similarly significant effects. If we implement ADMT in the future, we will update this policy and provide the required disclosures and opt-out mechanisms as required by CPRA effective January 1, 2027.
- Risk Assessments: We conduct risk assessments for high-risk processing activities as required by CPRA and GDPR, and maintain documentation of significant risk processing as required by California regulations.
- Cybersecurity Audits: We are committed to maintaining the security of your personal information. We undergo regular security assessments and will comply with the CPRA cybersecurity audit requirements according to the phased timeline (by revenue) set by the California Privacy Protection Agency (April 2028-2030).
- Neural Data: We do not collect neural data from biometric sensors.
- Enhanced Right to Know: Upon request, we will provide the categories and specific pieces of personal information we have collected about you, going back to January 1, 2022.
- Dark Patterns Prohibition: Our cookie consent banner and privacy choices are designed to be compliant and do not use dark patterns. We provide clear and easy options to accept or reject non-essential cookies with equal visual prominence.
Your California Privacy Rights
You have the right to:
- Know/Access: Request categories of personal information collected (CCPA §1798.110)
- Delete: Request deletion of personal information (CCPA §1798.105)
- Correct: Request correction of inaccurate information (CPRA §1798.106)
- Opt-Out of Sale/Sharing: We do NOT sell or share personal information
- Limit Use of SPI: Limit use of sensitive personal information (CPRA §1798.121)
- Non-Discrimination: Not receive discriminatory treatment for exercising rights
- Right to Opt-Out of Automated Decision-Making: You have the right to opt-out of automated decision-making technology (ADMT) for significant decisions. However, TalentVaults does not currently use ADMT for any processing that produces legal or similarly significant effects.
How to Exercise Your Rights
Email: info@talentvaults.com
Subject: "CCPA Rights Request - [Your Name]"
Required Information: Full name, email address, specific right being exercised
Response Time: 45 calendar days (may extend 45 additional days with notice)
Verification: We may request additional information to verify your identity
California "Do Not Sell or Share My Personal Information"
We do not sell or share your personal information as defined under CCPA/CPRA. To exercise your California privacy rights or request confirmation that we do not sell or share your data, email: info@talentvaults.com
UK Residents
The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 apply to our processing of UK residents' personal data. Your rights are as described in Section 7 (Your Rights) above.
Switzerland Residents
The Swiss Federal Act on Data Protection (FADP) applies. We process Swiss residents' data with equivalent protections to GDPR.
Other International Users
By using our website, you consent to the processing of your personal data in Estonia and other locations where our service providers operate, with appropriate safeguards as described in this policy.
Policy Updates: We may update this privacy policy periodically. Material changes will be highlighted with "UPDATED [DATE]" markers and communicated to registered users via email if applicable.
Contact: For questions about this privacy policy or our data practices, contact us at info@talentvaults.com.