Security & privacy
Conversation, not surveillance.
Konvenable is GDPR-compliant by default. This page lays out plainly where your data lives, how long we keep it, who processes it on our behalf, what we refuse to do with it, and how you can exercise your rights.
Last updated: May 2026
Maintained by Konvenable's DPO
01 — Hosting and infrastructure
Your data stays in Europe.
The platform is hosted in France, and candidate files in Ireland: your data never leaves the European Union. Traffic is protected by a CDN with dedicated TLS certificates and encryption in transit. Data is encrypted at rest; application secrets are encrypted with keys managed in-house, never shared with cloud providers. Backups are encrypted and stored in the same geographic zone. Production access is restricted, logged and protected by strong authentication.
02 — Retention policy
How long we keep your data.
These are Konvenable's default durations, aligned with CNIL deliberation No. 2002-017. A client organisation can configure shorter durations for its own data; it cannot extend these caps.
Inactive candidate account
{{n}} months
Rejected application
{{n}} months
Talent pool (with explicit opt-in)
{{n}} months
Session transcript and audio
{{n}} months
Signed hire (French legal requirement)
{{n}} years
GDPR export link
{{n}} days
Cancellation window after confirmation
{{n}} days
03 — Sub-processors
The categories of providers that process your data on our behalf.
Each sub-processor is bound by a Data Processing Agreement (DPA) or by Standard Contractual Clauses when located outside the EU. The current named list, with contact details and jurisdiction, is provided on request at [email protected].
Application hosting and database
European Union (France)
All operational platform data
CDN and DDoS protection
Europe (encrypted transit)
HTTP request metadata
Object storage (CVs, GDPR exports, candidate files)
European Union (Ireland)
Candidate files and DSAR exports
Transactional email
Outside EU — Standard Contractual Clauses
Recipient email address and message content
Third-party AI models (Hiring Decision, matching, embeddings)
Mixed EU / outside EU — Standard Contractual Clauses
Session transcripts and application metadata
Real-time voice inference
Outside EU — Standard Contractual Clauses
Session audio, deleted after transcription
Client organisation billing
European Union
Recruiter billing details (no candidate data)
Product analytics
European Union (Germany)
Usage events with pseudonymous identifiers
04 — Your GDPR rights
Five rights, exercisable without an intermediary.
Full export of your data
ZIP archive containing your profile, applications, messages, session transcripts and GDPR history. Available self-service.
Anonymisation
Your identifying data is erased while preserving an anonymised history for recruiters. Cancellable for 7 days after email confirmation.
Permanent deletion
Irreversible deletion of all your data. Signed contracts are retained for 7 years for tax and legal reasons.
Rectification
Your profile information is editable at any time from your candidate account.
Objection to profiling
No automated decision is made on your application. AI matching prepares the recruiter's reading; the recruiter decides.
To exercise these rights, sign in to your account or email [email protected]. We respond within one month, in line with GDPR article 12.
05 — AI Act compliance
Explicit AI, with a human in the loop.
The European AI Act classifies recruitment as a high-risk system. Konvenable strictly applies the transparency obligations (art. 50) and human oversight requirements (art. 14). You are interacting with AI, clearly announced before each step; the hiring decision belongs to the recruiter, never to the algorithm.
Human oversight (art. 14)
No adverse decision is taken without explicit validation by an identified recruiter. AI prepares the reading, the human decides and signs.
EU registry (art. 49)
Registration in the EU registry of high-risk AI systems is in progress, due by 2 August 2026. The identifier will be published here once assigned.
Beyond legal obligations, we publish below the manifesto of features Konvenable commits not to develop, even if they become legally permitted. Three items are strictly required by EU regulation; the others are positive commitments aligned with our product thesis.
No facial analysis
No emotion analysis
AI Act art. 5(1)(g) — prohibited in the workplace
No voice scoring (transcription yes, voice analysis no)
No accent analysis
No lie detection
No automated rejection
GDPR art. 22 + AI Act art. 14 — human decision required
No predictive score of future on-the-job performance
No inference of protected categories (gender, origin, religion, etc.) from name, photo or CV
AI Act art. 5(1)(f) — biometric categorisation prohibited
Manifesto version 1.0.0 — any change requires a public ADR.
The full AI Act documentation (System Card art. 13, decision process, model sub-processors, audit log extract for your organisation) is delivered within 24h on request to [email protected].
06 — Contacts
How to reach us.
Data Protection Officer
[email protected]Konvenable SAS — postal address provided on request to the DPO.
Supervisory authority
CNIL — French supervisory authorityYou may file a complaint directly with the CNIL if you believe your rights are not being respected.
Popular categories
© 2026 Konvenable. All rights reserved.