1. Introduction
This document outlines the commitment of GeoHunter Inc. to data protection and provides an overview of our compliance framework with key global regulations, including the EU General Data Protection Regulation (GDPR), Turkey's Law on the Protection of Personal Data (KVKK), and the California Consumer Privacy Act (CCPA).
2. Data Controller & Data Protection Officer (DPO)
- Data Controller: GeoHunter Inc.
- Contact Email: privacy@geohunter.ai
- Data Protection Officer (DPO): We have appointed a DPO to oversee our data protection strategy. They can be reached at dpo@geohunter.ai.
3. Record of Processing Activities (ROPA) Summary
In accordance with Article 30 of the GDPR, we maintain a comprehensive record of our data processing activities. A summary is provided below:
| Processing Activity | Data Subjects | Personal Data | Purpose | Legal Basis | Transfers |
|---|---|---|---|---|---|
| User Account Management & Authentication | Registered Users | Name, email, hashed password, IP address, auth tokens | Provide, manage, and secure user accounts | Art. 6(1)(b) - Contract | Based on server location |
| Core Service Provision (AI Analysis) | Registered Users | User-uploaded images | Perform AI-powered geolocation analysis | Art. 6(1)(b) - Contract | Yes (USA) - SCCs |
| Payment & Subscription Management | Subscribers | Name, email, subscription data (payments via Stripe) | Process payments and manage subscriptions | Art. 6(1)(b) - Contract | Yes (USA) - SCCs, DPF |
| Platform Security & Monitoring | All Users | IP addresses, access logs, device identifiers | Prevent fraud, protect against attacks | Art. 6(1)(f) - Legitimate Interest | Based on server location |
4. Data Protection Impact Assessment (DPIA) Summary
Due to the use of new technologies (AI APIs) for processing personal data (user-uploaded images) on a potentially large scale, we have conducted a Data Protection Impact Assessment (DPIA).
Identified Risks
- Data breach at a third-party AI provider leading to unauthorized access to images.
- Misuse of data by sub-processors.
- Potential for re-identification from analyzed images if shared improperly.
Mitigation Measures Implemented
- Contractual Safeguards: We have entered into robust Data Processing Addendums (DPAs) with all AI providers, which include the latest Standard Contractual Clauses (SCCs).
- Data Minimization: We only send the image data required for the analysis and do not transmit other user-identifying information in the API call.
- User Control: Users have the right and ability to delete their images and search history from our Platform.
- Security: We enforce strict access controls and encryption for all data in transit and at rest.
The DPIA concludes that with these measures in place, the residual risk is acceptable.
5. Data Breach Notification Procedure
In the event of a personal data breach, GeoHunter will follow a strict incident response plan:
- Identification and Assessment: Immediately upon discovery, our security team will assess the scope and impact of the breach.
- Containment: We will take immediate steps to contain the breach and mitigate any ongoing risk.
- Notification to Supervisory Authority: If the breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant Data Protection Authority without undue delay, and where feasible, not later than 72 hours after having become aware of it.
- Notification to Data Subjects: If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will communicate the breach to the affected data subjects without undue delay.
6. International Transfer Mechanisms
GeoHunter provides a global service, which requires the international transfer of data. Our primary transfer mechanism for data sent from the EEA, UK, or Switzerland to countries without an adequacy decision (such as the United States) is the Standard Contractual Clauses (SCCs) as approved by the European Commission. We conduct Transfer Impact Assessments (TIAs) to ensure that the data remains adequately protected in the destination country and supplement these transfers with additional technical and organizational measures where necessary.
7. Specific Compliance Notes
7.1. KVKK Compliance (Turkey)
GeoHunter is committed to complying with Turkey's Law on the Protection of Personal Data No. 6698 (KVKK).
- Our legal bases for processing align with the conditions outlined in Articles 5 and 6 of the KVKK.
- We fully support the rights of data subjects as detailed in Article 11 and provide clear channels for exercising these rights.
- For data transfers abroad, we rely on explicit consent or other mechanisms permitted under the KVKK where applicable.
- We will fulfill our obligation to register with the Data Controllers' Registry (VERBIS) if and when we meet the required thresholds.
7.2. CCPA / CPRA Compliance (California)
GeoHunter respects the privacy rights of California residents under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
- No Sale or Sharing: We confirm that we do not “sell” or “share” personal information as those terms are defined under the CCPA/CPRA. Therefore, an “opt-out” mechanism is not required.
- Notice at Collection: Our Privacy Policy serves as our notice at collection, detailing the categories of personal information collected and the purposes for which they are used.
- Honoring User Rights: We have established procedures to efficiently respond to verifiable consumer requests to know, delete, and correct personal information.
- Data Processing Agreements: Our contracts with our service providers prohibit them from retaining, using, or disclosing personal information for any purpose other than the specific business purpose specified in the contract.
8. Contact Us
For any questions or concerns about our data protection practices, please contact our Data Protection Officer at: dpo@geohunter.ai or privacy@geohunter.ai.