GDPR Compliance
Last updated: 7/16/2025
Your Data Rights Under GDPR
The General Data Protection Regulation (GDPR) gives you specific rights regarding your personal data. At Maria, we are fully committed to respecting these rights and maintaining the highest standards of data protection.
1. Legal Basis for Processing
We process your personal data under the following legal bases as defined by GDPR Article 6. Each processing activity relies on a single, appropriate legal basis:
Consent (Article 6(1)(a))
- Marketing communications
- Optional analytics cookies
- Newsletter subscriptions
Contract Performance (Article 6(1)(b))
- CV analysis and job matching
- Account management
- Payment processing
- Service delivery
Legitimate Interest (Article 6(1)(f))
- Platform security and fraud prevention
- Service improvement analytics
- Customer support optimization
Legal Obligation (Article 6(1)(c))
- Tax and accounting records
- Regulatory compliance
- Legal proceedings
Legitimate Interest Balancing Test
For processing based on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You can request details of these assessments by contacting our DPO.
2. Your GDPR Rights
Right to Information (Articles 13-14)
You have the right to know how we collect, use, and protect your personal data.
How we comply: This page and our Privacy Policy provide comprehensive information about our data practices.
Right of Access (Article 15)
You can request a copy of all personal data we hold about you.
How to exercise: Email us at equipa@okemprego.com with "Data Access Request" in the subject line.
Right to Rectification (Article 16)
You can correct any inaccurate or incomplete personal data.
How to exercise: Update your profile directly in your account or contact us for assistance.
Right to Erasure - "Right to be Forgotten" (Article 17)
You can request deletion of your personal data in certain circumstances.
How to exercise: Delete your account directly or email us. We will delete your data immediately unless legally required to retain it.
Right to Restrict Processing (Article 18)
You can limit how we process your personal data in specific situations.
How to exercise: Contact us to discuss your specific requirements for data processing restrictions.
Right to Data Portability (Article 20)
You can receive your personal data in a machine-readable format to transfer to another service.
How to exercise: Request a data export through your account settings or contact us for assistance.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing.
How to exercise: Opt out of marketing emails directly or contact us to object to other processing activities.
Rights Related to Automated Decision-Making (Article 22)
You have rights regarding automated decision-making and profiling that significantly affects you.
Our approach: Our AI matching includes meaningful human oversight for significant decisions. You can request manual review of any automated decisions that significantly affect you.
3. Data Processing Activities
Processing Activity | Data Categories | Legal Basis | Retention Period |
---|---|---|---|
CV Analysis & Job Matching | Professional data, skills, experience | Contract Performance | Until account deletion + 30 days |
Account Management | Email, preferences, settings | Contract Performance | Until account deletion + 30 days |
Payment Processing | Billing information, transaction data | Contract Performance | 7 years (UK tax law) |
Analytics & Improvement | Usage patterns, performance data | Legitimate Interest | 26 months, then anonymized |
Marketing Communications | Email, communication preferences | Consent | Until consent withdrawn |
Support Communications | Support requests, feedback | Legitimate Interest | 3 years for quality assurance |
4. Data Transfers & Safeguards
International Transfers
As we operate globally and use international service providers, your data may be transferred outside the EU/EEA. We ensure adequate protection through:
Adequacy Decisions
We prioritize transfers to countries with EU adequacy decisions where possible.
Standard Contractual Clauses
All third-party processors are bound by EU-approved Standard Contractual Clauses (SCCs).
Additional Safeguards
Technical and organizational measures including encryption and access controls.
Regular Assessments
Ongoing monitoring of transfer mechanisms and legal developments.
Third-Party Processors
Service Provider | Purpose | Location | Safeguards |
---|---|---|---|
OpenAI | AI processing | USA | SCCs + Technical safeguards |
Cloudflare | CDN & Security | Global | SCCs + EU Data Localization |
Vercel | Hosting | USA/EU | SCCs + Regional deployment |
Stripe | Payments | USA/EU | Adequacy decision + SCCs |
5. Data Protection Impact Assessment (DPIA)
We have conducted comprehensive Data Protection Impact Assessments for our high-risk processing activities:
AI-Powered CV Analysis
Risk Assessment: Automated processing of personal data for profiling and decision-making.
Mitigation Measures: Human oversight, transparent algorithms, user control over decisions, opt-out mechanisms.
Large-Scale Personal Data Processing
Risk Assessment: Processing personal data of numerous individuals across multiple jurisdictions.
Mitigation Measures: Strong encryption, access controls, data minimization, regular security audits.
6. Exercising Your Rights
How to Contact Us
Response Timeline
- Acknowledgment: Within 72 hours
- Full response: Within 30 days
- Complex requests: Up to 90 days (with explanation)
Identity Verification Process
To protect your privacy, we verify your identity before processing data requests. This involves confirming details from your account or requesting government-issued identification. We may ask for additional verification for sensitive requests.
7. Complaints & Supervisory Authorities
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with:
Lead Supervisory Authority
UK Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Your Local Data Protection Authority
You can also file a complaint with the supervisory authority in your country of residence, place of work, or where the alleged infringement occurred.
European Data Protection Board
For cross-border issues or if you're unsure which authority to contact, visit: edpb.europa.eu
We encourage you to contact us first: we are committed to resolving any concerns directly and promptly, and many issues can be resolved faster through direct communication with our DPO.
8. Updates to GDPR Compliance
We regularly review and update our GDPR compliance measures to ensure they remain current with:
- Changes in data protection law and regulations
- Guidance from supervisory authorities
- Best practices in data protection
- Technological developments affecting data security
Significant updates to our GDPR compliance approach will be communicated through our Privacy Policy updates and direct notifications where required.