Privacy Policy

KoManao is a SaaS platform aimed at people actively looking for work or working on their professional development, aged 18 or over. The platform allows its users to voluntarily request structured feedback from interviewers they have interacted with after a hiring process, take self-knowledge assessments, and request a human review of their results by an expert.

KoManao does not perform any evaluations, official ratings or decisions about candidates by itself. Its role is to facilitate the collection, storage and display of data that users themselves request, generate or voluntarily provide. Every evaluation visible on the platform comes from third parties (interviewers, 360° evaluators, invited experts) or from the user about themselves.

The data controller for personal data collected through the platform is KoManao, headquartered in Spain. For any communication related to this policy, please write to privacy@komanao.com.

Terms used in this policy

• "Candidate" or "user": a person registered on KoManao who voluntarily uses the platform to request feedback, take assessments or request expert review.
• "Interviewer" or "third-party evaluator": a natural person who, at the express request of the candidate, leaves feedback about an interview or issues a 360° evaluation. KoManao does not contact interviewers on its own initiative.
• "Feedback": any comment, rating or evaluation submitted by a third party about the candidate's performance in an interview. By its nature, it is the personal opinion of the third party and never an official KoManao evaluation.
• "Self-knowledge assessments": psychometric questionnaires that the candidate completes themselves (KESA, KLPS, KMMS, KCMA). Results are calculated automatically from the candidate's own answers.
• "Expert report": qualitative review that a professional invited by the candidate may issue based on the collected data. It reflects the personal opinion of the expert, is not binding and does not imply any official certification by KoManao.
• "Anonymised data": data from which all direct and indirect identifiers have been removed to the point that re-identification is no longer possible, even by the platform itself.

KoManao only processes the personal data necessary to provide the service. The categories are as follows:

3.1 Candidate identification and contact data

• Email (stored only in the authentication system, never on public profiles).
• Display name chosen by the user.
• Public username (visible in the URL of their profile).
• Optional avatar.

3.2 Voluntary professional profile

• Year of birth or age range.
• Gender (optional, self-identified).
• Education level.
• Years of professional experience.
• Professional sector or role family.
• Current employment situation.
• Country of residence.

3.3 Self-knowledge assessment results

• Individual answers to each questionnaire (KESA, KLPS, KMMS, KCMA).
• Scores automatically calculated from those answers.
• Derived patterns (indices, dominant profiles, quality flags).
• Date and time of completion.

3.4 Selection processes and interactions with third parties

• Company, position, phase and status of each process the user chooses to record.
• Private notes written by the user themselves.
• Email of interviewers that the candidate decides to add, exclusively for sending the feedback request (see section 6).

3.5 Feedback received from external parties

• Numerical rating (1-5) issued by the interviewer.
• Optional free-text comment from the interviewer.
• Structured criteria (clarity, technical knowledge, cultural fit, etc.) selected by the interviewer.
• Date and time of submission.

3.6 Expert report data (if requested by the candidate)

• Editorial text written by the expert.
• BARS evaluations of 10 key competencies selected by the expert during the session.
• Frozen snapshot of the candidate's profile at the moment of report publication (results from the 4 assessments + derived metrics).

3.7 Minimum technical data

• SHA-256 hash of the IP of whoever leaves feedback (the IP is never stored in clear), only for duplicate detection and abuse prevention.
• Browser user-agent, only for technical debugging.
• Strictly necessary cookies to keep the authenticated session and the language preference.

3.8 Special categories (GDPR art. 9)

KoManao does NOT request, store or process special categories of data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. If a third party were to introduce data of this nature accidentally in a free-text feedback field, the candidate may request its immediate deletion by writing to privacy@komanao.com.

Each purpose of processing is supported by a specific legal basis under the GDPR. We detail each one below.

4.1 Provision of the contracted service — GDPR art. 6.1.b

Signing up as a user and using the basic functionalities (profile management, registration of processes, storage of private notes, generation of the personal link) is based on the performance of the service contract established between KoManao and the user when accepting the Terms of Use at registration. Without these data it is not possible to provide the service.

4.2 Activation of the feedback module — GDPR art. 6.1.a + art. 7

The collection of feedback from third parties about the candidate's performance in interviews is a processing activity based on explicit, granular and revocable consent. Before the candidate can generate their public link or QR code, they must expressly tick a checkbox in which they acknowledge that: (i) they voluntarily agree to receive evaluations and feedback from third parties; (ii) they understand that KoManao does not perform these evaluations; (iii) they know that the content of the feedback reflects individual opinions not validated by KoManao; and (iv) they may withdraw consent at any time from Settings.

KoManao records the UTC date and time of the consent (profiles.feedback_consent_at field) as documented proof that the opt-in was free, specific, informed and unambiguous. This evidence is kept while the account exists and is deleted when the account is deleted.

Withdrawing consent is as simple as granting it: from Settings → Feedback module → Deactivate. When revoking, the user can choose between keeping the historical feedback already received (it will simply stop accepting new ones) or deleting all received feedback irreversibly. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal (GDPR art. 7.3).

4.3 Self-knowledge assessments — GDPR art. 6.1.a

Taking the KESA, KLPS, KMMS and KCMA assessments is entirely voluntary. The candidate decides which assessments to start and may abandon them at any time. The results are calculated automatically from the candidate's own answers and are shown only to them. No third party accesses individual results without the candidate's express invitation.

4.4 Request for review by an expert — GDPR art. 6.1.a + art. 6.1.b

When the candidate requests a session with a human expert at KoManao (optional paid service), they activate an additional processing consisting of sharing their aggregated profile with the selected expert and allowing them to write a qualitative report. The legal basis combines the consent given when requesting the service (art. 6.1.a) and the performance of the contract for the session (art. 6.1.b). The report is visible only to the candidate. The expert may not share it with third parties.

4.5 Communications to third parties invited by the candidate — GDPR art. 6.1.f

When the candidate provides the email of a third party (interviewer, hiring manager, 360° evaluator, invited expert or other professional contact), KoManao processes that data as the data controller for the sole purpose of sending the feedback or evaluation request on behalf of the candidate.

The legal basis for this processing is the concurrent legitimate interest of the candidate (GDPR art. 6.1.f) — requesting professional feedback after a hiring process or a workplace interaction — and the legitimate interest of KoManao in providing this functionality as the core of its service. Both interests are aligned and have been balanced against the rights of the third party in a documented internal legitimate-interest assessment.

KoManao guarantees, regarding this data:

• Its use is strictly limited to the specific purpose for which it was provided (sending the invitation or request).
• It will never be used for commercial communications, marketing, profiling or sharing with third parties other than the providers strictly necessary to deliver the email (Resend) and store it while the interview is active (Supabase).
• It will not be retained beyond what is necessary to manage the request. Specifically, the third party's email and name are irreversibly anonymised (NULL) 3 months after the row is created, by an audited daily automatic cron.

Before they can leave any feedback, the third party receives, in the invitation email itself, clear information about who is contacting them, why, what data of theirs is being processed, and a link to this policy. They freely decide whether to participate. Each email also contains a direct opt-out link inside the platform — no need to write to anyone or wait for a reply — where the third party can in a single click remove their email from that specific request. The opt-out is scoped to the specific interview or invitation: after the email is removed, KoManao keeps no further record of the third party, in line with the data minimisation principle.

The candidate, when using this functionality, commits to providing only data of people with whom they have had a real prior professional interaction, and not to introduce third-party data abusively or without legitimate connection to the purpose of the service. Every time the candidate enters an external email in the platform they must expressly tick a checkbox confirming this commitment. Without that confirmation, the invitation cannot be sent. KoManao records the date of the confirmation together with the dispatch as documented proof of legitimate use.

4.5.bis Voluntary interviewer registration — Guardians of Feedback (GDPR art. 6.1.a)

Completely independently from the flow above, interviewers who leave feedback on KoManao may, if they wish, voluntarily register their email at the end of the form to accumulate a count of contributed feedbacks and obtain a symbolic level within the "Guardians of Feedback" programme. It is a gamification and social recognition feature, completely optional, that requires the express consent of the interviewer themselves (GDPR art. 6.1.a) — not the candidate.

The data stored in this case are only the interviewer's email, optional name, the counter of contributed feedbacks and the date of last activity. By architectural design, there is no link in the database between this registration and the specific feedback the interviewer has submitted: KoManao can know that an interviewer has contributed N feedbacks, but not to which candidates. This preserves the anonymity of feedback toward the candidate, which is a fundamental product value.

Verified credential claim: from the thank-you screen after giving feedback, the interviewer can take an extra step and create a password-verified KoManao account to "claim" their Guardian credential. When doing so, the existing Guardian record is automatically linked to their profile (profile_id column in the interviewer_contacts table) by email match. This link does not change what KoManao stores (we still do not tie their identity to specific feedbacks), but it lets them see in their dashboard their current level, their counter and, in the future, a history of the feedbacks they explicitly decide to save (a functionality that will require an additional granular opt-in inside the feedback form itself, not yet active). Public visibility of the credential on ranking-style pages is controlled by a feature flag and, once enabled, will only show Guardians who have claimed their credential (i.e. with a linked profile and public username).

The interviewer can request the deletion of their Guardian registration at any time by writing to privacy@komanao.com. We are working on a self-service screen so this opt-out can also be done with a single click, without needing to send an email. Additionally, any Guardian registration that has not been updated in the last 24 months (i.e. without new feedbacks counted for 2 years) is automatically deleted by the same audited daily cron.

4.5.ter Signing the Feedback Manifesto (GDPR art. 6.1.a)

Authenticated KoManao users can sign the Feedback Manifesto — a public declaration of adherence to the five principles of honest and useful feedback. Signing is strictly voluntary and requires an explicit affirmative action: pressing the "Sign" button after reading the manifesto. The legal basis is the user's own consent (GDPR art. 6.1.a).

The data stored for a signature are exclusively: the profile identifier of the signer, the date and time of signing, a public visibility indicator (displayed_on_wall, false by default), and a supporter tier (supporter_tier, "free" by default). The public name and username shown on the wall at /manifesto/firmantes are derived from the profiles table; they are not duplicated in the signatures table.

Visibility: by default, the signature is NOT public. The user must explicitly tick the "show me on the public wall" checkbox for their name and username to appear on /manifesto/firmantes. This visibility is revocable: the user can turn off the toggle at any time without deleting the signature, or revoke the full signature (DELETE on their own row) with a single click. Both controls live on the manifesto page itself when the user is authenticated.

The signature does not expire automatically — it is a declaration of commitment, not a functional data point subject to a retention period. If the user deletes their KoManao account (standard right-to-erasure flow), the signature row is cascaded by the referential integrity constraint.

4.6 Anonymised statistical analysis — GDPR art. 6.1.f

KoManao performs aggregated and fully anonymised analyses of the results of the self-knowledge assessments in order to improve the psychometric quality of the instruments, generate population norms by demographic segment and detect biases. These analyses are based on KoManao's legitimate interest in continuously improving the reliability and usefulness of its product, without that interest overriding the rights of the user, since the data analysed do not allow re-identification of any person.

4.7 Compliance with legal obligations — GDPR art. 6.1.c

Certain processing operations may be necessary to comply with legal obligations applicable to KoManao, such as responding to court orders or requests from data protection authorities, retaining minimum evidence to defend itself against claims, or complying with accounting and tax obligations.

This section is essential to understand the legal and product role of KoManao and applies as a priority over any other interpretation.

KoManao is a technological intermediation platform. It does not perform any evaluation of candidates by itself, does not issue professional judgements, does not produce official certifications and does not guarantee the objectivity, accuracy, completeness or usefulness of the content provided by third parties through the platform. All feedback visible in a candidate's profile is the expression of the personal and individual opinion of the interviewer, evaluator or expert who issued it, voluntarily requested by the candidate themselves.

In particular, KoManao is not responsible for:

• The accuracy or truthfulness of data introduced by a third party in a free-text field.
• The objectivity or methodological reliability of the numerical or qualitative ratings issued by a third party.
• The interpretation that the candidate makes of the feedback received or the decisions they take based on it.
• The conduct of the third parties invited by the candidate, including the use those third parties may make of their email after receiving the invitation.
• The editorial content of the expert's reports, except where it is shown that KoManao has breached its contractual duties towards the expert.

KoManao reserves the right to remove from the platform any content that is manifestly unlawful, abusive, discriminatory or that infringes the rights of third parties, at the request of the affected user or on its own initiative after reasonable detection.

Section 4.5 above details the legal basis for processing third-party data (KoManao as controller under legitimate interest). This section 6 develops the two complementary sides: what the candidate commits to when providing such data, and what rights the third party can exercise at any time.

6.1 Candidate commitment

When using the invitation functionality, the candidate declares, under their own responsibility, that:

• They have had a real prior professional interaction with the person whose email they provide (interview, hiring process, evaluation, mentoring session or other concrete work or professional relationship).
• They do not provide emails of people with whom no such real prior relationship exists, nor do they use the platform in a massive, automated or abusive way.
• They do not provide emails of minors.
• They understand that the third party will receive clear information about the processing and will be free to decide whether to participate.

Every time the candidate enters the email of a third party in the platform they must expressly tick a checkbox confirming this commitment. Without that confirmation, the dispatch of the invitation is blocked by the system itself. KoManao records the confirmation together with the dispatch date as documented proof of legitimate use. Fraudulent or massive use of this functionality may lead to the immediate suspension of the candidate's account.

6.2 Third-party rights

Any person whose email has been provided to KoManao by a candidate is the holder of the following rights regarding their own data:

• Right of access: to know what data of theirs we process and why.
• Right of rectification: to correct inaccurate data.
• Right of erasure: to request the immediate deletion of their email, even before the automatic 3-month deadline.
• Right to object: to object to processing based on legitimate interest. KoManao will stop the processing unless there are compelling legitimate grounds that override the third party's rights, which will not normally be the case.
• Right to object to specific requests: each email received includes a one-click opt-out link that removes your email from that specific request. KoManao does not maintain permanent exclusion lists, in line with the data minimisation principle; if the same candidate or another invites you in the future, you will receive a new email that you can also decline.
• Right to lodge a complaint with the Spanish Data Protection Agency (see section 16).

The fastest way to exercise these rights is to use the opt-out link inside the email you received — a single click removes your email from that specific request and KoManao keeps no further record of you. The opt-out applies to the specific request you received; if the same candidate or a different one invites you in the future to a new process, you will receive a new email that you can also decline in the same way. This is in line with the data minimisation principle: KoManao does not maintain indefinite lists of people who have exercised their right to object.

If you have lost the original email or prefer to exercise your rights through another channel, you can also write to privacy@komanao.com indicating the email address concerned and, if you wish, the identity of the candidate who invited you (it is not essential). KoManao will handle the request within the legal time limit, normally in less than 72 hours.

If the third party receives an invitation that they consider should not have been sent (for example, because they do not remember the prior professional interaction described by the candidate), they can communicate this to the same address. KoManao will take the appropriate measures, which may include the immediate removal of the email from its system and the warning or suspension of the responsible candidate if misuse is confirmed.

KoManao retains personal data only for the time necessary for the purposes for which they were collected and to comply with applicable legal obligations.

Account and professional profile data

While the user account is active. When the user requests the deletion of their account, identifying and profile data are deleted immediately.

Self-knowledge assessment results

Individual answers are deleted together with the account. Calculated scores are kept in anonymised form, dissociated from the user and aggregated with a demographic summary (age range, sector, country), only for statistical analysis and improvement of the psychometric quality of the assessments. These anonymised data do not allow re-identification.

Feedback received from third parties

While the candidate has the feedback module active. If the candidate revokes consent and chooses to keep the historical record, the feedback remains stored only for their own consultation. If they choose to delete it, it is deleted immediately. In any case, data are deleted when the account is deleted.

Expert report data

While the account is active. The frozen snapshot of the profile at the time of publication is kept as part of the report to ensure the reproducibility and traceability of the expert's opinion.

Third-party data provided by the candidate

When a candidate provides the email of an interviewer, 360° evaluator or other professional contact in order to send them an invitation, that email and, where applicable, the name are kept only for the time necessary to manage the request. Specifically:

• If the candidate deletes the corresponding interview, process or invitation: the email is deleted immediately (cascade).
• If the candidate deletes their account: the email is deleted immediately as part of the cascade deletion of the account.
• In any other case: 3 months after the interview or invitation was created, the email and name are irreversibly anonymised (NULL) by an automatic daily cron. The interview or invitation row may persist as part of the candidate's history but no longer holds any identifying data of the third party.
• If the third party requests deletion before any of the above by writing to privacy@komanao.com: the email is deleted within 72 hours.

Guardian of Feedback registration (interviewer opt-in)

When an interviewer voluntarily registers to accumulate a count of feedbacks (section 4.5.bis), their email and optional name are kept while they remain active. They are considered active if they have contributed new counted feedbacks in the last 24 months. After that period of inactivity, the entire registration (email, name, counter and dates) is automatically deleted by the same daily cron. The interviewer can request deletion at any time by writing to privacy@komanao.com.

IP hash and technical abuse-prevention data

SHA-256 IP hash: 6 months from the feedback submission (automatically deleted by a daily cron). User-agent: 30 days from the submission (automatically deleted by the same cron). Server access logs: managed by our hosting provider (Vercel) in accordance with their own retention policy, typically up to 30 days.

Proof of consent

While the account exists, plus a reasonable additional period after closure to be able to demonstrate compliance with the GDPR in the event of a complaint. Maximum period: 3 years after closure.

Audit of compliance with the deadlines

The deletion deadlines described in this section are not aspirational: they are implemented by an automatic cron (`/api/cron/gdpr-retention-sweep`) that runs daily and whose results are logged. Additionally, KoManao runs frequent audits via an independent script (`scripts/audit-gdpr-retention.ts`) that verifies that no row has exceeded its retention deadline. If the audit detects any deviation, it is investigated and corrected before it can become a non-compliance. These audits are frequent (at least monthly) and are intensified after any change in the retention infrastructure.

KoManao does not sell, rent or share personal data with third parties for commercial purposes. The only external recipients of the data are the service providers strictly necessary for the operation of the platform, in their capacity as processors contractually bound to KoManao.

Processors used

• Supabase (Supabase Inc., with PostgreSQL servers in the Frankfurt region of the European Union) — database, authentication and storage.
• Vercel (Vercel Inc., with CDN and serverless functions in European regions) — hosting of the web application.
• Resend (Resend Inc.) — sending of transactional emails (email verification, notifications, invitations to interviewers).
• Vercel Analytics — aggregated and anonymous traffic metrics (no tracking cookies, no fingerprinting).

Each of these providers is subject to a data processing agreement (DPA) with KoManao and applies appropriate technical and organisational safeguards.

International transfers

User data are stored on servers located in the European Union. Some of the providers mentioned are companies incorporated in the United States. Where there is any data flow to infrastructure outside the European Economic Area, transfers are based on the mechanisms provided for by the GDPR: standard contractual clauses approved by the European Commission, EU-US Data Privacy Framework certification where applicable, and additional measures of encryption in transit and at rest.

Under the GDPR and Spanish data protection legislation, every user has the following rights:

• Right of access (GDPR art. 15): obtain confirmation of which personal data of yours we process and a copy thereof.
• Right of rectification (GDPR art. 16): request correction of inaccurate or incomplete data.
• Right of erasure (GDPR art. 17), also known as the "right to be forgotten": request the deletion of your personal data in the cases provided for by law.
• Right to restriction of processing (GDPR art. 18): request that we process your data only for storage, for the time necessary to resolve a complaint or verify a rectification.
• Right to data portability (GDPR art. 20): receive your data in a structured, commonly used and machine-readable format, as well as transmit them to another controller.
• Right to object (GDPR art. 21): object at any time to the processing of your data based on KoManao's legitimate interest.
• Right to withdraw consent (GDPR art. 7.3): when processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
• Right not to be subject to automated decisions (GDPR art. 22): KoManao does not make automated decisions with legal effects on the user (see section 11).
• Right to lodge a complaint with a supervisory authority: in Spain, the Spanish Data Protection Agency (www.aepd.es).

You can exercise most rights directly from your account without needing to contact us:

• Access and portability: download a JSON file with all your data from Settings → GDPR → Export my data.
• Rectification: edit your professional and demographic profile from Settings → Professional profile.
• Erasure: delete your account and all associated data from Settings → GDPR → Delete account.
• Withdrawal of consent for the feedback module: from Settings → Feedback module → Deactivate (you can choose between keeping or deleting the historical feedback).
• Objection to anonymised statistical analysis: write to us at privacy@komanao.com.

For any request you cannot resolve from your account, write to us at privacy@komanao.com clearly indicating the right you wish to exercise and, if necessary, a copy of your ID or equivalent document to verify your identity. We will resolve the request within a maximum of one month from receipt, extendable by a further two months in particularly complex cases, in which case we will inform you.

KoManao does not make automated decisions, including profiling, that produce legal effects on the user or similarly significantly affect them (GDPR art. 22).

In particular, the scores that the system calculates from the self-knowledge assessments are merely informational tools for the user themselves. They are not used to make hiring decisions, are not automatically shared with companies, do not generate rankings between candidates and are not reused for advertising profiles. Any decision about a candidate (whether to advance or not in a process, whether to hire or not) is always taken by a human external to KoManao within the scope of their own selection process.

KoManao is not intended for persons under 18 years of age. The platform does not knowingly collect data from minors. If we become aware that a user has provided data while being a minor, we will proceed to delete the account and all associated data without delay. Parents, guardians or the minor themselves may request immediate deletion by writing to privacy@komanao.com.

KoManao applies reasonable technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction. These measures include:

• Encryption in transit of all communications (HTTPS / TLS).
• Encryption at rest of the database on the provider's servers.
• Row Level Security (RLS) policies in PostgreSQL to prevent a user from accessing data of another user.
• Hashing of the user's IP when stored, using SHA-256 with a secret salt.
• Mandatory authentication for all endpoints handling personal data.
• Granular control of internal roles (admin, expert) recorded in a dedicated table with audit.
• Periodic security and dependency reviews.

Despite these measures, no system is absolutely impenetrable. In the event of detecting a personal data breach that may pose a risk to the rights and freedoms of the user, KoManao will notify the Spanish Data Protection Agency within a maximum of 72 hours and, where required, also the affected users.

KoManao uses only strictly necessary cookies for the operation of the service: a session cookie to keep the user authenticated and a language preference cookie. It does not use advertising tracking cookies, marketing cookies or analytics cookies with persistent identifiers. For this reason, no cookie banner is required under current Spanish regulations.

Aggregated traffic metrics are obtained through Vercel Analytics, which does not use cookies or user identifiers; it aggregates information at route level without tracking individuals.

KoManao may update this policy to reflect legal, product or internal practice changes. The updated version is published at the same URL with the date of the last revision visible in the header. When changes are substantial, users will be informed by a prominent notification in the dashboard or by email before they take effect.

We recommend that you review this policy periodically. Continued use of the service after the publication of changes will be considered acceptance of them, without prejudice to the user's right to unsubscribe at any time if they do not agree.

If you consider that KoManao has not processed your personal data in accordance with the GDPR or Spanish data protection legislation, you have the right to lodge a complaint with the Spanish Data Protection Agency:

• Web: https://www.aepd.es
• Electronic site: https://sedeagpd.gob.es
• Postal address: C/ Jorge Juan, 6. 28001 Madrid (Spain)

We encourage you to contact us first at privacy@komanao.com so that we can resolve any incident as quickly as possible.

For any questions about this privacy policy, the exercise of your rights or any other matter related to the processing of your personal data, you can write to us at privacy@komanao.com. We commit to responding within a maximum of one month.