Skip to content

Security & privacy

Conversation, not surveillance.

Konvenable is GDPR-compliant by default. This page lays out plainly where your data lives, how long we keep it, who processes it on our behalf, what we refuse to do with it, and how you can exercise your rights.

Last updated: May 2026

Maintained by Konvenable's DPO

01 — Hosting and infrastructure

Your data stays in Europe.

The platform is hosted in France, and candidate files in Ireland: your data never leaves the European Union. Traffic is protected by a CDN with dedicated TLS certificates and encryption in transit. Data is encrypted at rest; application secrets are encrypted with keys managed in-house, never shared with cloud providers. Backups are encrypted and stored in the same geographic zone. Production access is restricted, logged and protected by strong authentication.

02 — Retention policy

How long we keep your data.

These are Konvenable's default durations, aligned with CNIL deliberation No. 2002-017. A client organisation can configure shorter durations for its own data; it cannot extend these caps.

Inactive candidate account

{{n}} months

Rejected application

{{n}} months

Talent pool (with explicit opt-in)

{{n}} months

Session transcript and audio

{{n}} months

Signed hire (French legal requirement)

{{n}} years

GDPR export link

{{n}} days

Cancellation window after confirmation

{{n}} days

03 — Sub-processors

The categories of providers that process your data on our behalf.

Each sub-processor is bound by a Data Processing Agreement (DPA) or by Standard Contractual Clauses when located outside the EU. The current named list, with contact details and jurisdiction, is provided on request at [email protected].

Application hosting and database

European Union (France)

All operational platform data

CDN and DDoS protection

Europe (encrypted transit)

HTTP request metadata

Object storage (CVs, GDPR exports, candidate files)

European Union (Ireland)

Candidate files and DSAR exports

Transactional email

Outside EU — Standard Contractual Clauses

Recipient email address and message content

Third-party AI models (Hiring Decision, matching, embeddings)

Mixed EU / outside EU — Standard Contractual Clauses

Session transcripts and application metadata

Real-time voice inference

Outside EU — Standard Contractual Clauses

Session audio, deleted after transcription

Client organisation billing

European Union

Recruiter billing details (no candidate data)

Product analytics

European Union (Germany)

Usage events with pseudonymous identifiers

04 — Your GDPR rights

Five rights, exercisable without an intermediary.

Full export of your data

ZIP archive containing your profile, applications, messages, session transcripts and GDPR history. Available self-service.

Anonymisation

Your identifying data is erased while preserving an anonymised history for recruiters. Cancellable for 7 days after email confirmation.

Permanent deletion

Irreversible deletion of all your data. Signed contracts are retained for 7 years for tax and legal reasons.

Rectification

Your profile information is editable at any time from your candidate account.

Objection to profiling

No automated decision is made on your application. AI matching prepares the recruiter's reading; the recruiter decides.

To exercise these rights, sign in to your account or email [email protected]. We respond within one month, in line with GDPR article 12.

05 — AI Act compliance

Explicit AI, with a human in the loop.

The European AI Act classifies recruitment as a high-risk system. Konvenable strictly applies the transparency obligations (art. 50) and human oversight requirements (art. 14). You are interacting with AI, clearly announced before each step; the hiring decision belongs to the recruiter, never to the algorithm.

Human oversight (art. 14)

No adverse decision is taken without explicit validation by an identified recruiter. AI prepares the reading, the human decides and signs.

EU registry (art. 49)

Registration in the EU registry of high-risk AI systems is in progress, due by 2 August 2026. The identifier will be published here once assigned.

Beyond legal obligations, we publish below the manifesto of features Konvenable commits not to develop, even if they become legally permitted. Three items are strictly required by EU regulation; the others are positive commitments aligned with our product thesis.

No facial analysis

No emotion analysis

AI Act art. 5(1)(g) — prohibited in the workplace

No voice scoring (transcription yes, voice analysis no)

No accent analysis

No lie detection

No automated rejection

GDPR art. 22 + AI Act art. 14 — human decision required

No predictive score of future on-the-job performance

No inference of protected categories (gender, origin, religion, etc.) from name, photo or CV

AI Act art. 5(1)(f) — biometric categorisation prohibited

Manifesto version 1.0.0 — any change requires a public ADR.

The full AI Act documentation (System Card art. 13, decision process, model sub-processors, audit log extract for your organisation) is delivered within 24h on request to [email protected].

06 — Contacts

How to reach us.

Data Protection Officer

[email protected]

Konvenable SAS — postal address provided on request to the DPO.

Supervisory authority

CNIL — French supervisory authority

You may file a complaint directly with the CNIL if you believe your rights are not being respected.

Konvenable

Market intelligence for the French job market, for candidates and recruiters.

Synced continuously

For Recruiters

© 2026 Konvenable. All rights reserved.

Terms of ServicePrivacy PolicyLegal