Privacy Notice
How we handle your personal data when you use P&P Talent, including account creation by email/password or social providers (LinkedIn, Google, Microsoft, GitHub), AI profile builder features, applications, notifications, uploads, and portfolio tools. This notice is designed to meet GDPR, Belgian law, and emerging AI governance expectations.
1) Who is responsible
P&P Consultancy acts as the controller for data processed in P&P Talent. Contact: [email protected]. You may also contact the Belgian Data Protection Authority (GBA/APD) for complaints.
2) What we collect
- Account: name, email, credentials, plan, notification preferences, and social sign-in identifiers/profile claims when you choose LinkedIn, Google, Microsoft, or GitHub.
- Talent profile: headline, location, work history, skills, languages, certificates, portfolio links.
- Portfolio: projects, descriptions, tags, images, embedded content (YouTube, Figma), gallery layouts, custom slugs, and theme colors that you configure to showcase your work publicly.
- Portfolio analytics: view counts for portfolios and individual projects, tracked only when visitors have accepted performance cookies in compliance with GDPR.
- Generated profiles: content you provide plus AI-generated text when you ask us to help draft a profile.
- Applications & pipeline: jobs you apply to, status updates, and notification history.
- Uploads: profile documents, avatars, and portfolio media you upload or generate; we apply size/type checks and malware/magic-byte validation.
- Usage and device data: browser and device info, IP address, timestamps, security logs, and rate-limit signals for abuse prevention.
- Support interactions: messages you send to us, and audit trails for consent and settings.
- Cookies and local storage: see the Cookie Policy.
3) Why we use your data (legal bases)
- Provide the service: create your account (email or social), build and store profiles and portfolios, process applications, and show recruiter-facing content (GDPR Art. 6(1)(b)).
- Public portfolios: when you set your portfolio to public, you explicitly consent to displaying your projects, media, and information on a publicly accessible page (GDPR Art. 6(1)(a)).
- Security and fraud prevention: protect accounts, detect abuse, prevent spam, and maintain reliability through rate-limiting (GDPR Art. 6(1)(f)).
- Product analytics: privacy-friendly metrics to improve features, only after consent where required (GDPR Art. 6(1)(a)/(f)).
- Marketing: optional updates and offers with explicit opt-in and easy opt-out (GDPR Art. 6(1)(a)).
- Legal obligations: record-keeping, responding to lawful requests, and demonstrating consent/acceptance records for privacy and cookies (GDPR Art. 6(1)(c)).
4) AI profile builder and automation
- Your inputs (experience, skills, achievements) are processed to generate draft profile text.
- Models are used to assist you; you remain in control to edit or discard outputs.
- No solely automated decisions with legal or similarly significant effects are taken without human review.
- We monitor prompts/outputs to prevent abuse and to improve quality, using role-based access controls.
We align our controls with ISO/IEC 27001 principles and monitor EU AI Act developments; high-risk AI use cases are not deployed without required safeguards.
5) Sharing and sub-processors
- Cloud hosting, email delivery, observability, and analytics providers under Data Processing Agreements.
- Identity providers (LinkedIn, Google, Microsoft, GitHub) when you choose social sign-up/login.
- Public portfolios: when you make your portfolio public, the content (projects, images, descriptions) is accessible to anyone with the link.
- Recruiter or employer accounts that you explicitly share your profile with.
- Legal or regulatory bodies when required by law, after assessing scope and necessity.
We do not sell personal data or allow third-party advertising networks to track you on P&P Talent.
6) International transfers & security
- Where data leaves the EEA, we rely on EU Standard Contractual Clauses and vendor security commitments.
- Encryption in transit and at rest, least-privilege access, audit logging, and regular backups.
- Incident response: breaches are assessed and notified per GDPR Articles 33-34 and Belgian requirements.
7) Retention and deletion
- Account and profile data: kept while your account is active; deleted or anonymized on request unless retention is legally required.
- Portfolio content: projects, images, and media are retained as long as your portfolio is active; deleted when you remove projects or delete your account.
- Portfolio view statistics: aggregated view counts are kept to provide analytics; can be reset or deleted on request.
- Generated profiles and versions: retained while you keep them; unused versions older than 180 days that are not tied to an application may be deleted automatically. Uploads copied to recruiter workspaces expire per recruiter retention.
- Stored profile files in recruiter workspace (software.profiles): scheduled for deletion after the configured window (typically 180 days) and removed from disk.
- Notifications: cleared after 180 days to reduce footprint.
- Security and audit logs: typically retained up to 12 months, longer only for investigations or legal duties.
- Consent records (privacy and cookies): retained up to 12 months to demonstrate compliance, including automatic policy acceptance recorded at account creation.
- Account deletion: when you delete your account, it is immediately deactivated; we retain minimal data for up to 30 days for security/audit, then purge it unless law requires longer retention.
7.1) Portfolio visibility and privacy controls
You have full control over your portfolio visibility:
- Private: Your portfolio is not accessible to anyone except you.
- Public: Your portfolio is accessible via a public URL to anyone with the link. You choose to make it public.
- Portfolio view tracking respects cookie consent: visitors' views are only counted if they have accepted performance cookies.
- You can switch between private and public at any time from your settings.
- Public portfolios are crawlable by search engines if you share the link publicly.
- Embedded content (YouTube, Figma) is loaded from third-party domains; those providers may set their own cookies subject to their policies.
- Rate limiting: to prevent abuse, we limit the number of view tracking requests from the same IP address.
When you set your portfolio to public, you explicitly consent to making that content accessible to anyone who has the URL. You can revoke this at any time by setting your portfolio back to private.
8) Your rights
- Access, rectification, deletion, restriction, portability, and objection (GDPR Arts. 15-21).
- Withdraw consent at any time (marketing, analytics, cookies) without affecting prior processing.
- Lodge a complaint with the Belgian Data Protection Authority (GBA/APD).
To exercise rights, contact [email protected]. We may request information to verify your identity.
9) Cookies and tracking
Essential cookies are always on to keep the service secure. Performance and marketing cookies only load after consent. See the full Cookie Policy for details and controls.
10) Updates
We may update this notice to reflect changes in our services or law. Material changes will be communicated in-app or on this page with an updated effective date.
Effective date: 2026-03-31