Privacy Policy

Last updated: May 2, 2026 · Effective: May 2, 2026

Quick summary: TalentSymbia collects only the data needed to run a marketplace and AI career assistant — your account info, listings, messages, and payments. We don't sell your data, don't run advertising trackers, and you can request deletion of your account at any time by emailing support@talentsymbia.com.

1. Who We Are

TalentSymbia ("we", "us", "the Service") is a marketplace and AI-assisted career platform operated by Atanas Georgiev Markov as a sole proprietor based in Burgas, Bulgaria. The Service is currently in beta.

For privacy questions, data requests, or any other concern, contact us at support@talentsymbia.com.

This policy explains what data we collect, why, and what rights you have under the EU General Data Protection Regulation (GDPR) and Bulgarian data protection law.

2. Data We Collect

Account data

Email address — login identifier and service emails (verification, password reset, notifications)
Full name — displayed on profile and listings
Password — stored as a bcrypt hash, never in plain text (optional if you sign in only with Google)
Google account info — if you sign in with Google: your Google ID, verified email, name, and profile picture URL. We never receive your Google password.

Profile data (optional, you control what you share)

Profile picture (uploaded or imported from Google)
Bio, current role, country, city
Skills (manual entries and AI-detected skills from uploaded materials)
Social links (GitHub, LinkedIn, Twitter, Instagram)
Public/private profile visibility settings
Hirer details (company name, hiring frequency) if you indicate you're hiring

Marketplace activity

Listings you create (services offered or wanted)
Messages you send to other users
Reviews you give and receive
Portfolio items you upload

AI Career Navigator data

Resumes, CVs, or text you submit for AI analysis
Conversations with our AI agent (questions you ask, AI responses)
AI-generated career analyses, skill assessments, and recommendations

Your consent for AI processing. By submitting content to AI features (uploading a resume, asking the AI Navigator a question, or invoking any AI-powered analysis), you explicitly consent to the processing of that content by our third-party AI providers — currently Anthropic (Claude) and Google (Gemini) — for the purpose of generating the requested output. You can withdraw consent at any time by stopping use of AI features and requesting deletion of your AI conversation history. See Section 4.

Payment data

PayPal transaction IDs and status (we don't store your card or PayPal credentials)
Token purchases and subscription status
Withdrawal requests if you sell services

Technical data

IP address — logged for security, anti-spam, and ban enforcement
Browser type and operating system (from User-Agent header)
Pages visited within our Service and timestamps
Authentication tokens (stored in your browser, not in cookies — see Section 5)
Error logs (generic error messages, no personal content)

3. Why We Collect It (Legal Basis Under GDPR)

Under GDPR, we must have a lawful basis for processing your data:

Data	Purpose	Legal basis (GDPR Art. 6)
Email, password, account	Provide the Service	Contract necessity
Profile, listings, messages	Operate the marketplace	Contract necessity
Payment data	Process payments	Contract + Legal obligation
IP address, security logs	Anti-spam, fraud prevention, ban enforcement	Legitimate interest
AI conversation data	AI Career Navigator features	Contract + Explicit consent (Art. 6(1)(a))
Service emails	Account security	Contract necessity

What we do NOT do:

We do not profile you for advertising or sell your data to third parties
We do not use your data to train our own AI models, and we rely on our AI providers' commitments not to use customer-submitted data for training their models. Provider terms may change — we will update this policy if our providers' practices change materially.
We do not run behavioural analytics or build advertising profiles

4. Third-Party Services (Data Processors)

To operate the Service, we use carefully chosen vendors who process some of your data on our behalf:

Vendor	Purpose	Data shared
Railway	Backend hosting & database	All account & service data
Netlify	Frontend hosting	IP address, page requests
Google	Sign-In; AI matching (Gemini)	Email, name, picture; AI prompts
Anthropic	AI Career Navigator (Claude)	AI prompts and conversation context
PayPal	Payment processing	Email, payment amount, transaction info
Resend	Transactional emails	Email address, message content
Cloudinary	Image hosting	Images you upload

Where vendors are located outside the EU, transfers are protected by Standard Contractual Clauses or equivalent safeguards under GDPR Art. 46.

5. Cookies & Local Storage

What we use

The TalentSymbia website does not set tracking cookies. Authentication is handled via localStorage in your browser, which stores:

ft_token — your login session token (a JWT, expires in 30 days)
ft_user — basic profile info (name, email, subscription status)
ft_pending_warning — temporary flag if your account has a moderator warning

Local storage is used strictly for authentication and essential functionality, not for tracking, profiling, or analytics. These are essential for the Service to work — you cannot log in without them. Under EU ePrivacy rules, essential storage does not require consent.

Third-party cookies (set by external services)

Google Sign-In sets cookies on accounts.google.com when you log in
PayPal sets cookies on paypal.com when you make a payment
Cloudinary's CDN may set short-lived cookies for image delivery

We do not control these cookies. Their cookie policies apply.

What we do NOT use

No Google Analytics
No Facebook Pixel or social media tracking
No advertising or retargeting cookies
No fingerprinting or behavioural profiling

6. Data Retention

Data	Retention period
Active account data (profile, listings, messages)	Until you delete your account
Payment records	5 years (Bulgarian tax law requirement)
IP address & security logs	90 days, then automatically deleted
AI conversation history	Until you delete it or close your account
Email verification & password reset tokens	1 hour (then expired)
Banned accounts (limited data)	Email and IP retained for as long as necessary to enforce bans and prevent abuse; all other personal data deleted upon ban

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right to access — request a copy of all data we hold about you
Right to rectification — correct inaccurate or incomplete data
Right to erasure ("right to be forgotten") — request deletion of your account
Right to restriction — ask us to stop processing your data while a dispute is resolved
Right to data portability — receive your data in a machine-readable format
Right to object — object to processing based on legitimate interest (e.g., IP logging)
Right to withdraw consent — for any processing based on consent (e.g., AI features)
Right not to be subject to automated decision-making — including profiling that significantly affects you

How to exercise your rights: Email us at support@talentsymbia.com from the email associated with your account. We'll respond within 30 days as required by GDPR. There is no charge for these requests, except in cases of repeated or excessive demands.

If you believe we've violated your data protection rights, you have the right to lodge a complaint with your local supervisory authority. In Bulgaria:

Commission for Personal Data Protection (CPDP)
Website: www.cpdp.bg
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria

8. How We Protect Your Data

Passwords are stored as bcrypt hashes — even we cannot read them
All traffic is encrypted via HTTPS (TLS 1.2+)
Authentication uses signed JWT tokens with 30-day expiry
Database connections require credentials and are not publicly exposed
Payment data is handled by PayPal — we never see card details
Server access is restricted to the operator

No system is 100% secure. If a breach occurs that affects your data, we will notify you and the CPDP within 72 hours, as required by GDPR Art. 33–34.

9. International Data Transfers

Some of our vendors (Anthropic, Cloudinary, PayPal, Google) are based in the United States or use global infrastructure. When your data is transferred outside the EU, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
The vendor's own GDPR compliance commitments
For Google and Anthropic: their respective enterprise data processing agreements

You may request a copy of these safeguards by contacting us at support@talentsymbia.com.

10. Minors

TalentSymbia is not intended for users under 18. We do not knowingly collect data from individuals under 18. If you believe a minor has created an account, please email support@talentsymbia.com and we will delete the account immediately.

11. Changes to This Policy

We may update this Privacy Policy as the Service evolves or as legal requirements change. When we make material changes:

We will update the "Last updated" date at the top of this page
We will notify active users by email at least 14 days before changes take effect
Your continued use of the Service after changes constitutes acceptance

12. Contact & Complaints

For any questions about this policy or your data:

Email: support@talentsymbia.com
Operator: TalentSymbia (operated by Atanas Georgiev Markov, as a sole proprietor)
Location: Burgas, Bulgaria

For complaints about how we handle your data, you may also contact the Bulgarian Commission for Personal Data Protection at www.cpdp.bg.