Privacy Policy
Last updated: 16.04.2026
This Privacy Policy explains how personal data collected under the services offered by DELWORK BİLİŞİM LTD. ŞTİ. via cv4sap.com ("Platform", "CV4SAP") is processed in accordance with Turkish Law No. 6698 on the Protection of Personal Data (KVKK) and, where applicable, the EU General Data Protection Regulation (GDPR). By using the Platform, you declare that you have read and accept this Policy.
1. Data Controller
DELWORK BİLİŞİM LTD. ŞTİ.
Address: 15 Temmuz Mah. Gülbahar Cad. Nurol Park H Blok No: 45/5 İç Kapı No: 42 Bağcılar / İstanbul
MERSİS: 0388-1560-0520-0001
Tax No: 3881560052 / Güneşli Vergi Dairesi
Phone: +90 546 842 26 37
Email: info@cv4sap.com
2. Categories of Personal Data Processed
- Identity & contact data: first and last name, email, phone, country/city
- Professional data: CV content, work experience, education, certifications, projects, SAP module information, skills
- Customer transaction data: credit package order, invoice, order number, payment status, credit top-up/consumption history
- Payment data: collected via our payment provider PayTR; card information is not stored in CV4SAP systems — only the approval/rejection status is processed
- Technical & usage data: session data, IP address, browser type and version, operating system, referrer URL, CV link view statistics
- Legal transaction data: invoice/contract records, legal applications
- Communication records: support requests, email correspondence
3. Purposes of Processing
- Membership and account management, identity verification and authorization
- Execution of credit (token) package sales, payment, and billing processes
- CV creation, sharing link generation, and view analytics
- Consultant search, job matching and solution listing services
- Platform security, fraud detection, prevention of unauthorized access
- Fulfillment of legal obligations (tax, distance sales, consumer law)
- Marketing communications and product notifications with explicit consent
4. Legal Bases
Your personal data is processed within the scope of the following legal bases under KVKK Articles 5-6 and GDPR Article 6:
- Performance of a contract (credit package sale, service provision)
- Compliance with legal obligations (Turkish Commercial Code, Consumer Law, tax legislation)
- Legitimate interest (security, fraud prevention, platform improvement)
- Explicit consent (marketing communications, optional cookies)
5. Data Sharing & Transfers
For service provision and legal compliance, your data is transferred to the following categories of recipients to the minimum extent necessary:
- PayTR — for payment processing (PCI-DSS compliant payment provider, Turkey)
- Hosting & infrastructure providers — server, storage, email delivery (as data processors under confidentiality agreements)
- AI service providers — OpenAI / Google (Gemini) — for AI-assisted CV building/translation features, only on user-triggered requests
- Accountants and tax authorities — management of invoices and financial records
- Competent authorities — formal requests pursuant to court orders or legislation
Your data is under no circumstances sold to third-party advertising networks or data brokers. In cases of cross-border transfer, KVKK Article 9 and appropriate GDPR safeguards (such as EU Standard Contractual Clauses) are observed.
6. Data Retention Periods and Destruction Methods
Your personal data is deleted, destroyed or anonymized — ex officio or upon your request — when the processing purpose ceases or the statutory retention period expires, in accordance with Article 7 of KVKK and the Regulation on Deletion, Destruction or Anonymization of Personal Data. Retention periods by data category are as follows:
- Account and profile data (identity, contact, CV content): while the account remains active. Upon a deletion request, the account is anonymized after a 30-day statutory grace period pursuant to KVKK Art. 7; profile/CV content and session records are deleted.
- Invoice and financial records: retained for 5 years pursuant to Tax Procedure Law Art. 253 and 10 years pursuant to Turkish Commercial Code Art. 82. They are anonymized or destroyed at the end of the period. During retention, data is processed solely for the purpose of the legal obligation.
- Contract and consumer transaction records: 10 years pursuant to Consumer Protection Law No. 6502 and the Turkish Code of Obligations
- Security and access logs (session, IP, error records): 1 year on legitimate interest basis
- Support requests and communication correspondence: 3 years
- Marketing data and optional cookie records: until consent is withdrawn or after 1 year of inactivity
Destruction Method: Where statutory retention obligations conflict with KVKK, the legal obligation prevails; in such cases identifying PII fields (name, email, phone, etc.) are anonymized, while financial records subject to mandatory retention are kept until the period expires and destroyed thereafter. The anonymization performed to preserve statistical integrity replaces identifiers (name, email, etc.) irreversibly so that the remaining record can no longer be linked to any natural person.
7. Data Security
To secure your data we apply TLS/SSL encryption, secure session management, access controls, regular security updates, and authorization layers. Passwords are one-way hashed with bcrypt. Payment information is never stored in CV4SAP systems; all financial transactions are processed via the PCI-DSS compliant PayTR infrastructure.
8. Your Rights Under KVKK
Pursuant to Article 11 of KVKK, you have the following rights:
- To learn whether your personal data is being processed
- To request information about your processed data
- To learn the purpose of processing and whether it is used accordingly
- To learn which third parties your data is transferred to, domestically or abroad
- To request correction of incomplete or incorrectly processed data
- To request deletion or destruction (except for legally required retention)
- To object to adverse results arising via automated systems
- To claim compensation for damages arising from unlawful processing
9. Your Rights Under GDPR (EEA Users)
For users residing in the European Economic Area (EEA), in addition to the rights under KVKK, you have the following rights under GDPR Articles 15-22: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection to processing. You may contact the Data Controller or lodge a complaint with the competent supervisory authority.
10. Cookies
The Platform uses cookies for session management, security, remembering preferences, and anonymous usage analytics. Essential cookies are required for operation and do not require consent; analytics and marketing cookies are used only with your explicit consent. You may manage or block cookies via your browser settings.
11. Children's Privacy
The Platform is not intended for persons under 18, and personal data is not knowingly collected from such persons. If you become aware that data of a person under 18 has been submitted, please contact us immediately so the data can be deleted.
12. Policy Changes
This Policy may be revised in the event of regulatory changes or updates to the service scope. Material changes will be notified via your registered email before taking effect. The latest version is always published on this page.
13. Contact & Applications
To exercise your rights under KVKK/GDPR or to obtain information about data processing activities, please submit your requests through the channels below in a form that allows identity verification. Applications are responded to free of charge within a maximum of 30 days from proper receipt.
- Email: info@cv4sap.com
- Phone: +90 546 842 26 37
- Postal address: 15 Temmuz Mah. Gülbahar Cad. Nurol Park H Blok No: 45/5 İç Kapı No: 42 Bağcılar / İstanbul