GDPR Compliance Notice

1.1 GDPR Application

This notice applies to individuals in the European Union (EU) and European Economic Area (EEA) whose personal data we process. The General Data Protection Regulation (EU) 2016/679 governs how we collect, use, and protect your personal information.

1.2 Our Role

New Indigo Solutions acts as a data controller when we determine the purposes and means of processing your personal data through the CandidateHub platform. In some cases, we may act as a data processor when processing data on your behalf (such as when you use our services to manage your professional profile).

1.3 Territorial Scope

This notice covers processing activities that fall within GDPR's territorial scope, including:

• •Processing by our establishment in the EU
• •Processing related to offering services to EU/EEA data subjects
• •Processing related to monitoring behavior within the EU/EEA

2.1 Lawful Bases Under GDPR

We process your personal data based on the following legal grounds:

2.2 Special Categories of Data

We do not intentionally collect special categories of personal data (sensitive data) such as:

• •Racial or ethnic origin
• •Political opinions or religious beliefs
• •Health or biometric data
• •Sexual orientation

If such data is inadvertently provided, please contact us immediately for removal.

3.1 Right of Access (Article 15)

You have the right to obtain:

• •Confirmation of whether we process your personal data
• •A copy of your personal data in our possession
• •Information about processing purposes, categories, and recipients
• •Details about retention periods and your other rights
• •Information about automated decision-making, if applicable

3.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data, including:

• •Updating your profile information
• •Correcting contact details
• •Amending professional experience data
• •Adding supplementary information

3.3 Right to Erasure - "Right to be Forgotten" (Article 17)

You may request deletion of your personal data when:

• •The data is no longer necessary for original purposes
• •You withdraw consent and no other legal basis exists
• •You object to processing and no overriding legitimate grounds exist
• •Data has been unlawfully processed
• •Erasure is required for legal compliance

3.4 Right to Restrict Processing (Article 18)

You can request processing restrictions when:

• •You contest the accuracy of personal data (during verification)
• •Processing is unlawful but you prefer restriction over erasure
• •We no longer need the data but you need it for legal claims
• •You object to processing (pending verification of legitimate grounds)

3.5 Right to Data Portability (Article 20)

You can obtain your data in a structured, machine-readable format and transmit it to another service when:

• •Processing is based on consent or contract
• •Processing is automated
• •It's technically feasible

3.6 Right to Object (Article 21)

You have the right to object to processing based on:

3.7 Rights Related to Automated Decision-Making (Article 22)

You have rights regarding automated processing that produces legal or significant effects:

• •Right not to be subject to purely automated decisions
• •Right to human intervention in automated processes
• •Right to contest automated decisions
• •Right to obtain explanations of automated processing logic

4.1 Self-Service Options

Many rights can be exercised directly through your account:

• •Profile Management: Update, correct, or delete profile information
• •Privacy Settings: Control data sharing and visibility preferences
• •Communication Preferences: Manage email and notification settings
• •Data Export: Download your data in machine-readable formats
• •Account Deletion: Permanently delete your account and associated data

4.2 Contacting Our Data Protection Officer

For rights that require assistance or have complex requirements:

4.3 Identity Verification

To protect your privacy, we may request verification of your identity before processing rights requests:

• •Account credentials verification
• •Security questions or two-factor authentication
• •Copy of identification document (in exceptional cases)
• •Additional information to confirm data ownership

5.1 International Transfers

Your personal data may be transferred outside the EU/EEA to:

• •United States: For cloud hosting (Vercel, Render, Supabase) and AI processing (Google Gemini)
• •Singapore: Our primary business operations

5.2 Transfer Safeguards

We ensure adequate protection through:

• •Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
• •Standard Contractual Clauses (SCCs): EU-approved contract terms with data importers
• •Binding Corporate Rules: Internal policies for multinational group transfers
• •Certification and Codes: Participation in approved certification schemes

5.3 Google Gemini AI Processing

Our use of Google's Gemini AI for content processing includes:

• •Standard Contractual Clauses with Google as data processor
• •Google's compliance with EU-US Data Privacy Framework
• •Technical and organizational measures for data protection
• •Limited processing scope for specific AI enhancement purposes

6.1 AI-Assisted Processing

We use automated processing for:

• •Profile Optimization: AI suggestions for improving professional profiles
• •Job Matching: Analysis of job descriptions for compatibility scoring
• •Content Generation: AI-assisted creation of CVs and cover letters
• •Skill Analysis: Automated assessment of professional competencies

6.2 Human Oversight

All automated processing maintains human oversight through:

• •User control over accepting or rejecting AI suggestions
• •Manual review capabilities for all generated content
• •Option to request human intervention in processing decisions
• •Ability to provide feedback on automated assessments

6.3 Profiling Transparency

When we create profiles of your preferences or characteristics:

• •Clear information about profiling purposes and consequences
• •Explanation of logic involved in automated processing
• •Your right to object to profiling
• •Options to opt-out of specific profiling activities

7.1 Valid Consent Requirements

When we rely on consent, we ensure it is:

• •Freely Given: No coercion or negative consequences for refusal
• •Specific: Clear about particular processing purposes
• •Informed: Provided with all necessary information
• •Unambiguous: Clear affirmative action required

7.2 Consent Withdrawal

You can withdraw consent at any time:

• •Withdrawal is as easy as giving consent initially
• •Withdrawal doesn't affect lawfulness of prior processing
• •Alternative legal bases may still apply for continued processing
• •Clear information provided about consequences of withdrawal

7.3 Consent Management Tools

We provide user-friendly tools for consent management:

• •Granular consent options for different processing purposes
• •Easy access to consent preferences in account settings
• •Regular consent renewal requests for ongoing processing
• •Clear records of consent decisions and changes

8.1 Age Restrictions

Our services are not intended for children under 16 years of age (or the applicable age of digital consent in your EU member state):

• •We do not knowingly collect data from children under the applicable age
• •Parental consent required for children between 13-16 (where legally permitted)
• •Immediate deletion of data if we discover collection from underage users
• •Age verification mechanisms implemented where appropriate

8.2 Parental Rights

Where parental consent is obtained, parents have:

• •Right to access their child's personal data
• •Right to request rectification or erasure
• •Right to withdraw consent at any time
• •Right to object to processing

9.1 High-Risk Processing

We conduct Data Protection Impact Assessments (DPIAs) for processing that may result in high risk to your rights and freedoms, including:

• •Systematic monitoring of publicly accessible areas
• •Large-scale processing of special categories of data
• •Innovative use of new technologies
• •Processing that may prevent you from exercising rights or accessing services

9.2 DPIA Consultation

When DPIAs indicate high risks that cannot be mitigated:

• •Prior consultation with relevant supervisory authority
• •Implementation of additional safeguards as recommended
• •Ongoing monitoring of risk mitigation effectiveness
• •Regular review and updates of risk assessments

10.1 Right to Lodge Complaints

You have the right to lodge a complaint with a supervisory authority if you believe we have violated GDPR:

• •No requirement to contact us first (though we welcome direct communication)
• •Can file complaints in your country of residence, work, or where the violation occurred
• •Complaint filing doesn't affect your right to judicial remedies

10.2 EU Supervisory Authorities

Key supervisory authorities include:

• •Your Local Authority: Contact your national data protection authority
• •European Data Protection Board: Coordination between EU authorities

10.3 Judicial Remedies

You also have the right to effective judicial remedy:

• •Against supervisory authority decisions
• •Against us for GDPR violations
• •Compensation for material and non-material damages
• •Right to representation by non-profit organizations

11.1 DPO Responsibilities

Our Data Protection Officer:

• •Monitors internal compliance with GDPR
• •Serves as contact point for supervisory authorities
• •Conducts staff training on data protection
• •Provides advice on Data Protection Impact Assessments
• •Acts independently without receiving instructions on processing matters

11.2 Contacting Our DPO

12.1 Policy Updates

We may update this GDPR Compliance Notice to reflect:

• •Changes in data processing activities
• •Updates to GDPR or other applicable laws
• •Improvements to our data protection practices
• •Feedback from supervisory authorities or data subjects

12.2 Notification of Changes

For material changes affecting your rights, we will:

• •Provide prominent notice on our website
• •Send email notifications to registered users
• •Provide reasonable time to review changes before they take effect
• •Obtain new consent where required by law