Privacy Policy

Effective date: 1 March 2026
Last updated: 1 March 2026

This Privacy Policy explains how APPFAB UYGULAMA FABRİKASI YAZILIM A.Ş. ("we", "us", "our"), operating the duyu.ai platform, collects, uses, stores, and protects personal data when you use our services.

1. Data Controller

APPFAB UYGULAMA FABRİKASI YAZILIM A.Ş.
Mustafa Kemal Mah. Dumlupınar Blv. A Blok No: 266 A İç Kapı No: 85 Çankaya / Ankara 06310, Turkey
Contact: info@app-fab.com

2. Data We Collect

2.1 Account Data

When you sign up via Google or GitHub OAuth, we receive and store your name, email address, and profile picture URL. We do not receive or store your OAuth provider password.

2.2 Organization Data

Organization name and team member details (email, role) you provide during onboarding.

2.3 Email Data

When you connect a mailbox — via Google OAuth (Gmail API), Microsoft OAuth (Graph API), or IMAP credentials — we access incoming email content to identify job applications. We store:

• Email sender, subject, and body text
• Attachments identified as CVs or resumes (stored in encrypted S3-compatible storage)
• AI-extracted structured data (applicant name, email, detected position)
• OAuth tokens (encrypted at rest with Fernet symmetric encryption) for Google and Microsoft connections
• IMAP credentials (encrypted at rest) for manual IMAP connections

2.4 Usage Data

Browser type, IP address, pages visited, and timestamps — collected automatically via server logs.

3. How We Use Your Data

4. Third-Party Services

We share data with the following processors, solely to provide the service:

• OpenAI (San Francisco, USA) — Email content is sent to GPT-4o for job application detection and data extraction. OpenAI does not use this data for model training under our API agreement.
• Google (USA) — OAuth authentication and Gmail API access for mailbox connections.
• Microsoft (USA) — OAuth authentication and Microsoft Graph API access for mailbox connections.
• Resend (USA) — Transactional email delivery (invitations, notifications).
• DigitalOcean (USA) — Cloud hosting infrastructure.

5. International Data Transfers

Your data may be transferred to and processed in the United States by the third-party services listed above. We ensure appropriate safeguards are in place, including standard contractual clauses where applicable.

6. Data Retention

We retain your account data and organization data for the duration of your subscription. Email data and applicant records are retained for up to 24 months after processing, unless you request earlier deletion. Upon account termination, all data is deleted within 30 days.

7. Cookies and Authentication

We use a single HttpOnly, Secure, SameSite=Lax cookie named access_token for session authentication. This cookie contains a signed JWT and is not used for tracking or advertising. We do not use third-party tracking cookies.

8. Data Security

All data is encrypted in transit (TLS 1.2+). Sensitive credentials (OAuth tokens, IMAP passwords) are encrypted at rest using Fernet symmetric encryption. Access to production systems is restricted to authorized personnel only.

9. Your Rights

Under applicable data protection law, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate data
• Request erasure of your data
• Restrict or object to processing
• Data portability
• Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, contact us at info@app-fab.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website. Continued use of the service after changes constitutes acceptance.

11. Contact

For any privacy-related questions or requests:
APPFAB UYGULAMA FABRİKASI YAZILIM A.Ş.
Mustafa Kemal Mah. Dumlupınar Blv. A Blok No: 266 A İç Kapı No: 85 Çankaya / Ankara 06310, Turkey
Email: info@app-fab.com