Last updated: July 15, 2026
Changes in this revision: (1) your school's partner companies are described: how they are invited to publish job offers, exactly what you share when you apply (only your name and your public profile) and the aggregated summary of companies giving feedback, with its minimum anti-re-identification threshold (new section 4.5.quinquies); (2) the 3-month anonymisation period for the contact email of a partner company that does not accept the invitation is added (section 7).
KoManao is a SaaS platform aimed at people actively looking for work or working on their professional development, aged 18 or over. The platform allows its users to voluntarily request structured feedback from interviewers they have interacted with after a hiring process, take self-knowledge assessments, and request a human review of their results by an expert.
KoManao does not perform any evaluations, official ratings or decisions about candidates by itself. Its role is to facilitate the collection, storage and display of data that users themselves request, generate or voluntarily provide. Every evaluation visible on the platform comes from third parties (interviewers, 360° evaluators, invited experts) or from the user about themselves.
The data controller for personal data collected through the platform is Komanao Insights SL (hereinafter, "KoManao"), headquartered in Spain. For any communication related to this policy, please write to privacy@komanao.com.
KoManao only processes the personal data necessary to provide the service. The categories are as follows:
These data are requested only to personalise the interpretation of assessment results and to build aggregated, anonymised reference data. Providing them is optional.
Feedback is anonymous from the candidate's perspective: KoManao never reveals the identity of the interviewer. Only a hash of the interviewer's IP is stored to prevent duplicates.
KoManao does NOT request, store or process special categories of data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. If a third party were to introduce data of this nature accidentally in a free-text feedback field, the candidate may request its immediate deletion by writing to privacy@komanao.com.
Each purpose of processing is supported by a specific legal basis under the GDPR. We detail each one below.
Signing up as a user and using the basic functionalities (profile management, registration of processes, storage of private notes, generation of the personal link) is based on the performance of the service contract established between KoManao and the user when accepting the Terms of Use at registration. Without these data it is not possible to provide the service.
The collection of feedback from third parties about the candidate's performance in interviews is a processing activity based on explicit, granular and revocable consent. Before the candidate can generate their public link or QR code, they must expressly tick a checkbox in which they acknowledge that: (i) they voluntarily agree to receive evaluations and feedback from third parties; (ii) they understand that KoManao does not perform these evaluations; (iii) they know that the content of the feedback reflects individual opinions not validated by KoManao; and (iv) they may withdraw consent at any time from Settings.
KoManao records the UTC date and time of the consent (profiles.feedback_consent_at field) as documented proof that the opt-in was free, specific, informed and unambiguous. This evidence is kept while the account exists and is deleted when the account is deleted.
Withdrawing consent is as simple as granting it: from Settings → Feedback module → Deactivate. When revoking, the user can choose between keeping the historical feedback already received (it will simply stop accepting new ones) or deleting all received feedback irreversibly. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal (GDPR art. 7.3).
Taking the KESA, KLPS, KMMS and KCMA assessments is entirely voluntary. The candidate decides which assessments to start and may abandon them at any time. The results are calculated automatically from the candidate's own answers and are shown only to them. No third party accesses individual results without the candidate's express invitation.
When the candidate requests a session with a human expert at KoManao (optional paid service), they activate an additional processing consisting of sharing their aggregated profile with the selected expert and allowing them to write a qualitative report. The legal basis combines the consent given when requesting the service (art. 6.1.a) and the performance of the contract for the session (art. 6.1.b). The report is visible only to the candidate. The expert may not share it with third parties.
When a KoManao coach or expert accompanies the user (for example, after booking a session or within a coaching programme), both can exchange messages inside the platform. Each message stores: the subject, the body text, the language, the delivery channel (in-app and/or an email notice linking back to the in-platform reader), the sending date, the read date (read receipt) and, where applicable, the reply date. The conversation is bidirectional: the user can reply to their coach from the platform itself.
The legal basis is the performance of the coaching service requested by the user (GDPR art. 6.1.b). Only the user themselves, the assigned coach who sent them and, for service supervision purposes, KoManao administrators can read these messages, enforced through row-level access policies in the database. The read receipt (date and time you opened the message) is visible to your coach for the sole purpose of managing the coaching; it is not used for any other purpose. Messages are kept while the account exists and are deleted in cascade when the account is deleted. The content of the messages never constitutes an official KoManao evaluation: it reflects the personal professional opinion of the coach or expert who writes it.
When the candidate provides the email of a third party (interviewer, hiring manager, 360° evaluator, invited expert or other professional contact), KoManao processes that data as the data controller for the sole purpose of sending the feedback or evaluation request on behalf of the candidate.
The legal basis for this processing is the concurrent legitimate interest of the candidate (GDPR art. 6.1.f) — requesting professional feedback after a hiring process or a workplace interaction — and the legitimate interest of KoManao in providing this functionality as the core of its service. Both interests are aligned and have been balanced against the rights of the third party in a documented internal legitimate-interest assessment.
KoManao guarantees, regarding this data:
Before they can leave any feedback, the third party receives, in the invitation email itself, clear information about who is contacting them, why, what data of theirs is being processed, and a link to this policy. They freely decide whether to participate. Each email also contains a direct opt-out link inside the platform — no need to write to anyone or wait for a reply — where the third party can in a single click remove their email from that specific request. The opt-out is scoped to the specific interview or invitation: after the email is removed, KoManao keeps no further record of the third party, in line with the data minimisation principle.
The candidate, when using this functionality, commits to providing only data of people with whom they have had a real prior professional interaction, and not to introduce third-party data abusively or without legitimate connection to the purpose of the service. Every time the candidate enters an external email in the platform they must expressly tick a checkbox confirming this commitment. Without that confirmation, the invitation cannot be sent. KoManao records the date of the confirmation together with the dispatch as documented proof of legitimate use.
Completely independently from the flow above, interviewers who leave feedback on KoManao may, if they wish, voluntarily register their email at the end of the form to accumulate a count of contributed feedbacks and obtain a symbolic level within the "Guardians of Feedback" programme. It is a gamification and social recognition feature, completely optional, that requires the express consent of the interviewer themselves (GDPR art. 6.1.a) — not the candidate.
The data stored in this case are only the interviewer's email, optional name, the counter of contributed feedbacks and the date of last activity. By architectural design, there is no link in the database between this registration and the specific feedback the interviewer has submitted: KoManao can know that an interviewer has contributed N feedbacks, but not to which candidates. This preserves the anonymity of feedback toward the candidate, which is a fundamental product value.
Verified credential claim: from the thank-you screen after giving feedback, the interviewer can take an extra step and create a password-verified KoManao account to "claim" their Guardian credential. When doing so, the existing Guardian record is automatically linked to their profile (profile_id column in the interviewer_contacts table) by email match. This link does not change what KoManao stores (we still do not tie their identity to specific feedbacks), but it lets them see in their dashboard their current level, their counter and, in the future, a history of the feedbacks they explicitly decide to save (a functionality that will require an additional granular opt-in inside the feedback form itself, not yet active). Public visibility of the credential on ranking-style pages is controlled by a feature flag and, once enabled, will only show Guardians who have claimed their credential (i.e. with a linked profile and public username).
The interviewer can request the deletion of their Guardian registration at any time by writing to privacy@komanao.com. We are working on a self-service screen so this opt-out can also be done with a single click, without needing to send an email. Additionally, any Guardian registration that has not been updated in the last 24 months (i.e. without new feedbacks counted for 2 years) is automatically deleted by the same audited daily cron.
Authenticated KoManao users can sign the Feedback Manifesto — a public declaration of adherence to the five principles of honest and useful feedback. Signing is strictly voluntary and requires an explicit affirmative action: pressing the "Sign" button after reading the manifesto. The legal basis is the user's own consent (GDPR art. 6.1.a).
The data stored for a signature are exclusively: the profile identifier of the signer, the date and time of signing, a public visibility indicator (displayed_on_wall, false by default), and a supporter tier (supporter_tier, "free" by default). The public name and username shown on the wall at /manifesto/firmantes are derived from the profiles table; they are not duplicated in the signatures table.
Visibility: by default, the signature is NOT public. The user must explicitly tick the "show me on the public wall" checkbox for their name and username to appear on /manifesto/firmantes. This visibility is revocable: the user can turn off the toggle at any time without deleting the signature, or revoke the full signature (DELETE on their own row) with a single click. Both controls live on the manifesto page itself when the user is authenticated.
The signature does not expire automatically — it is a declaration of commitment, not a functional data point subject to a retention period. If the user deletes their KoManao account (standard right-to-erasure flow), the signature row is cascaded by the referential integrity constraint.
KoManao offers business schools and other educational institutions ("organisations") the ability to give their students access to the platform. In that case, the organisation provides KoManao with the email addresses of the students it wants to invite. KoManao acts as a processor for those invitations (it sends them on the organisation's behalf, under its instructions, and does not use those emails for any other purpose); the legal basis for the mailing is the organisation's legitimate interest within its academic relationship with the student (art. 6.1.f). Every invitation states the identity of the originating organisation (art. 14), includes a one-click decline link and, if the recipient does not accept it, their email is automatically anonymised after 3 months.
If the student accepts the invitation, they obtain a paid plan covered by their organisation for a time window (usually 6 months). On the acceptance screen the student decides — through separate, revocable checkboxes recorded with a timestamp (GDPR art. 7) — what the organisation's career services team can see: (a) the results of their self-knowledge assessments, (b) the interview feedback they receive, and (c) the messaging with the organisation's coach. Membership status and overall progress along the preparation path are visible to the organisation as part of the membership, and this is prominently disclosed before accepting. Access to the paid plan is NOT conditional on granting any of these consents.
The organisation's visibility is a data disclosure that only happens with the student's consent, ceases immediately and at a technical level when the student revokes it from Settings or when their access window expires, and is contractually limited: the organisation commits to using the data solely for the student's career coaching and is expressly forbidden from using it to grade or sanction them or to decide on admissions, scholarships or internships. The student's account is their own: when the window ends they keep their account, data and history intact, on their personal plan.
An organisation may invite its partner companies to publish job offers inside its own environment on KoManao. To do so, the organisation provides KoManao with the company's contact email; KoManao processes it on the organisation's behalf for the sole purpose of sending that invitation (the organisation's legitimate interest in its relationship with the company, art. 6.1.f). The invitation states the identity of the originating organisation (art. 14), includes a one-click decline link and, if it is not accepted, the email is automatically anonymised after 3 months. A partner company can only publish in the organisations that have invited it, and each organisation can pause or revoke that partnership, and close any offer published in its environment, at any time.
When a student applies to one of these offers, they share with the publishing company and with their organisation only their name and their public profile page (/u/your-username) exactly as the student has configured it at that moment: KoManao sends the company no additional data — not their email address, not their assessment results, not their feedback. The legal basis is the performance of an action requested by the student themselves (art. 6.1.b): applying is a voluntary, explicit act directed at a specific recipient, and this is disclosed before they click. Any subsequent contact is coordinated through the organisation's career services team.
The organisation can also consult an aggregated summary of which companies are giving feedback to its students. That summary is built exclusively from the feedback of students who have expressly consented to the "interview feedback" category and have not revoked it, is shown only in aggregate form (never individual data, never the content of the feedback) and is only generated when at least three students have consented within the scope consulted, to prevent re-identification. The company name comes from free text entered by the student or their interviewer, so the grouping is indicative only.
KoManao performs aggregated and fully anonymised analyses of the results of the self-knowledge assessments in order to improve the psychometric quality of the instruments, generate population norms by demographic segment and detect biases. These analyses are based on KoManao's legitimate interest in continuously improving the reliability and usefulness of its product, without that interest overriding the rights of the user, since the data analysed do not allow re-identification of any person.
Certain processing operations may be necessary to comply with legal obligations applicable to KoManao, such as responding to court orders or requests from data protection authorities, retaining minimum evidence to defend itself against claims, or complying with accounting and tax obligations.
If your plan includes it, you can ask us to introduce your candidacy to a recruiter, headhunter or search firm you designate. In that case, KoManao writes to that third party on your behalf (with your email as the reply-to address) and provides your professional report.
Legal basis: your explicit consent (art. 6.1.a GDPR), given specifically for each recipient before each send.
You can revoke access at any time from your account; the report link stops working immediately. The recipient becomes the data controller for any data they received and/or retained from the moment of receipt.
To access the report you share, the recruiter must consent to joining our database of recruiting professionals, so that we may introduce them to relevant candidate profiles in the future (legal basis: their consent, art. 6.1.a GDPR).
The recruiter can revoke this consent and unsubscribe at any time via the link included in each communication, and exercise the other rights described in this policy.
To access the report, the recipient must enter the email address it was sent to, proving they are the legitimate recipient (temporary, per-session access). This prevents a link forwarded to third parties from exposing your data.
For data minimization, the report expires 14 days after sending: past that point the link stops working permanently. The candidate can revoke access at any time, even before the 14 days.
This feature is voluntary and optional. If you do not use it, we do not share your candidacy with any third party.
This section is essential to understand the legal and product role of KoManao and applies as a priority over any other interpretation.
KoManao is a technological intermediation platform. It does not perform any evaluation of candidates by itself, does not issue professional judgements, does not produce official certifications and does not guarantee the objectivity, accuracy, completeness or usefulness of the content provided by third parties through the platform. All feedback visible in a candidate's profile is the expression of the personal and individual opinion of the interviewer, evaluator or expert who issued it, voluntarily requested by the candidate themselves.
In particular, KoManao is not responsible for:
KoManao reserves the right to remove from the platform any content that is manifestly unlawful, abusive, discriminatory or that infringes the rights of third parties, at the request of the affected user or on its own initiative after reasonable detection.
Section 4.5 above details the legal basis for processing third-party data (KoManao as controller under legitimate interest). This section 7 develops the two complementary sides: what the candidate commits to when providing such data, and what rights the third party can exercise at any time.
When using the invitation functionality, the candidate declares, under their own responsibility, that:
Every time the candidate enters the email of a third party in the platform they must expressly tick a checkbox confirming this commitment. Without that confirmation, the dispatch of the invitation is blocked by the system itself. KoManao records the confirmation together with the dispatch date as documented proof of legitimate use. Fraudulent or massive use of this functionality may lead to the immediate suspension of the candidate's account.
Any person whose email has been provided to KoManao by a candidate is the holder of the following rights regarding their own data:
The fastest way to exercise these rights is to use the opt-out link inside the email you received — a single click removes your email from that specific request and KoManao keeps no further record of you. The opt-out applies to the specific request you received; if the same candidate or a different one invites you in the future to a new process, you will receive a new email that you can also decline in the same way. This is in line with the data minimisation principle: KoManao does not maintain indefinite lists of people who have exercised their right to object.
If you have lost the original email or prefer to exercise your rights through another channel, you can also write to privacy@komanao.com indicating the email address concerned and, if you wish, the identity of the candidate who invited you (it is not essential). KoManao will handle the request within the legal time limit, normally in less than 72 hours.
If the third party receives an invitation that they consider should not have been sent (for example, because they do not remember the prior professional interaction described by the candidate), they can communicate this to the same address. KoManao will take the appropriate measures, which may include the immediate removal of the email from its system and the warning or suspension of the responsible candidate if misuse is confirmed.
KoManao retains personal data only for the time necessary for the purposes for which they were collected and to comply with applicable legal obligations.
While the user account is active. When the user requests the deletion of their account, identifying and profile data are deleted immediately.
Individual answers are deleted together with the account. Calculated scores are kept in anonymised form, dissociated from the user and aggregated with a demographic summary (age range, sector, country), only for statistical analysis and improvement of the psychometric quality of the assessments. These anonymised data do not allow re-identification.
While the candidate has the feedback module active. If the candidate revokes consent and chooses to keep the historical record, the feedback remains stored only for their own consultation. If they choose to delete it, it is deleted immediately. In any case, data are deleted when the account is deleted.
While the account is active. The frozen snapshot of the profile at the time of publication is kept as part of the report to ensure the reproducibility and traceability of the expert's opinion.
When a candidate provides the email of an interviewer, 360° evaluator or other professional contact in order to send them an invitation, that email and, where applicable, the name are kept only for the time necessary to manage the request. Specifically:
When an interviewer voluntarily registers to accumulate a count of feedbacks (section 4.5.bis), their email and optional name are kept while they remain active. They are considered active if they have contributed new counted feedbacks in the last 24 months. After that period of inactivity, the entire registration (email, name, counter and dates) is automatically deleted by the same daily cron. The interviewer can request deletion at any time by writing to privacy@komanao.com.
When a candidate proactively sends their application to a recruiter or company, that recipient’s name and email are irreversibly anonymised (NULL) 3 months after sending, by the same daily cron. If a recruiter joins our contact base when accessing a shared report, their record (email, name, company) is automatically deleted when they revoke consent — immediately via the opt-out link, materialised on the next daily cron cycle — or after 24 months of inactivity.
If your organisation invites you and you do not accept the invitation, your email is irreversibly anonymised 3 months after sending, by the same daily cron. If you accept it, the invitation email is deleted at that very moment (your account already identifies the membership). You can decline the invitation in one click from the email itself, with immediate deletion.
When an organisation invites a partner company to publish offers in its environment, the contact email it provided is irreversibly anonymised 3 months after sending, by the same daily cron, if the invitation is not accepted. If it is accepted, that email is deleted at that very moment (the linked company already identifies the partnership). The recipient can decline the invitation in one click from the email itself, with immediate deletion.
When you book a session with a coach or expert through the integrated calendar, the name and email entered at booking time (which may differ from your account details) and the technical copy of the booking are irreversibly anonymised 3 months after the booking, by the same daily cron. Only the non-identifying data needed for service accounting (amount, status and session date) is kept.
SHA-256 IP hash: 6 months from the feedback submission (automatically deleted by a daily cron). User-agent: 30 days from the submission (automatically deleted by the same cron). Contact form IP hash: 30 days from submission. Technical error logs: 90 days (section 3.7). Server access logs: managed by our hosting provider (Vercel) in accordance with their own retention policy, typically up to 30 days.
While the account exists, plus a reasonable additional period after closure to be able to demonstrate compliance with the GDPR in the event of a complaint. Maximum period: 3 years after closure.
The deletion deadlines described in this section are not aspirational: they are implemented by an automatic cron (`/api/cron/gdpr-retention-sweep`) that runs daily and whose results are logged. Additionally, KoManao runs frequent audits via an independent script (`scripts/audit-gdpr-retention.ts`) that verifies that no row has exceeded its retention deadline. If the audit detects any deviation, it is investigated and corrected before it can become a non-compliance. These audits are frequent (at least monthly) and are intensified after any change in the retention infrastructure.
KoManao does not sell, rent or share personal data with third parties for commercial purposes. The only external recipients of the data are the service providers strictly necessary for the operation of the platform, in their capacity as processors contractually bound to KoManao.
Each of these providers is subject to a data processing agreement (DPA) with KoManao and applies appropriate technical and organisational safeguards.
User data are stored on servers located in the European Union. Some of the providers mentioned are companies incorporated in the United States. Where there is any data flow to infrastructure outside the European Economic Area, transfers are based on the mechanisms provided for by the GDPR: standard contractual clauses approved by the European Commission, EU-US Data Privacy Framework certification where applicable, and additional measures of encryption in transit and at rest.
Under the GDPR and Spanish data protection legislation, every user has the following rights:
You can exercise most rights directly from your account without needing to contact us:
For any request you cannot resolve from your account, write to us at privacy@komanao.com clearly indicating the right you wish to exercise and, if necessary, a copy of your ID or equivalent document to verify your identity. We will resolve the request within a maximum of one month from receipt, extendable by a further two months in particularly complex cases, in which case we will inform you.
KoManao does not make automated decisions, including profiling, that produce legal effects on the user or similarly significantly affect them (GDPR art. 22).
In particular, the scores that the system calculates from the self-knowledge assessments are merely informational tools for the user themselves. They are not used to make hiring decisions, are not automatically shared with companies, do not generate rankings between candidates and are not reused for advertising profiles. Any decision about a candidate (whether to advance or not in a process, whether to hire or not) is always taken by a human external to KoManao within the scope of their own selection process.
KoManao is not intended for persons under 18 years of age. The platform does not knowingly collect data from minors. If we become aware that a user has provided data while being a minor, we will proceed to delete the account and all associated data without delay. Parents, guardians or the minor themselves may request immediate deletion by writing to privacy@komanao.com.
KoManao applies technical and organisational measures proportionate to the risk, in accordance with Article 32 of the General Data Protection Regulation (GDPR), to ensure the confidentiality, integrity, availability and resilience of the processing systems. These measures include:
In compliance with Article 32(1)(c) GDPR, which requires the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, KoManao maintains a documented and operational business continuity and recovery plan. Its main elements are:
Despite all these measures, no system is absolutely impenetrable. In the event of detecting a personal data breach that may pose a risk to the rights and freedoms of the user, KoManao will notify the Spanish Data Protection Agency within a maximum of 72 hours and, where required, also the affected users.
KoManao may update this policy to reflect legal, product or internal practice changes. The updated version is published at the same URL with the date of the last revision visible in the header. When changes are substantial, users will be informed by a prominent notification in the dashboard or by email before they take effect.
We recommend that you review this policy periodically. Continued use of the service after the publication of changes will be considered acceptance of them, without prejudice to the user's right to unsubscribe at any time if they do not agree.
If you consider that KoManao has not processed your personal data in accordance with the GDPR or Spanish data protection legislation, you have the right to lodge a complaint with the Spanish Data Protection Agency:
We encourage you to contact us first at privacy@komanao.com so that we can resolve any incident as quickly as possible.
For any questions about this privacy policy, the exercise of your rights or any other matter related to the processing of your personal data, you can write to us at privacy@komanao.com. We commit to responding within a maximum of one month.