Skip to main content
Koromanda

Legal

Privacy policy

This template requires legal review before launch. The retention periods, controller details, and DPO contact below are drafted to match the operational policy on file (POLICY-RETENTION.md) and current Koromanda practice. They become legally binding only after counsel sign-off.

Koromanda B.V. ("Koromanda", "we") processes personal data submitted through koromanda.com in line with the General Data Protection Regulation (EU 2016/679) and Dutch implementing law. This page explains what we collect, why, where it lives, how long we keep it, and how you exercise your rights.

Last reviewed: 18 May 2026.

Controller

  • Koromanda B.V. — registered in the Netherlands. Registration details pending publication.
  • Operational contact: privacy@koromanda.com
  • Data Protection Officer: contact via the same address until a dedicated DPO is appointed.

What we collect, and why

Table
CategoryExamplesLawful basis (GDPR Art. 6)
Candidate application dataName, date of birth, passport status, contact details, qualifications, experience, certifications, language self-rating, country preference, CV, passport scan, certification copiesContract (Art. 6(1)(b)) — necessary to assess candidacy and prepare a potential employment contract
Employer inquiry dataCompany, contact name, role, email, phone, expected volume, timeline, country, message, preferred discovery-call timeLegitimate interest (Art. 6(1)(f)) — responding to a commercial inquiry
Audit fieldsIP address, user agent, consent timestampLegitimate interest — fraud and abuse mitigation, audit trail

We do not process special categories of data (Art. 9) through the public site. If candidates submit special-category information in a CV (e.g. health data), we treat it under explicit consent and the right of erasure applies as below.

Where your data lives

  • Application + inquiry rows: Supabase Postgres, EU region (Frankfurt). Row-level security enabled; only server-side service-role keys insert and read.
  • Uploaded files (CV, passport, certifications): Cloudflare R2 object storage, EU region. Files are referenced by an opaque key in the application row.
  • Transactional email: Brevo (Sendinblue). EU servers.
  • Rate-limiting counters: Upstash Redis, EU region.
  • Bot challenge: Cloudflare Turnstile. No data retained beyond the verification handshake.

Data does not leave the EU during normal operation. Backup snapshots are held in the same EU region as the primary store.

How long we keep it

Retention is governed by POLICY-RETENTION.md in our public repository, summarised here:

  • Unsuccessful candidate applications: 24 months from receipt.
  • Successful candidate applications: 6 months past employment termination.
  • Employer inquiries: 24 months from receipt.
  • Backup snapshots: aged out within 30 days of source deletion.

You can request earlier deletion at any time (see "Your rights" below).

Your rights

Under GDPR you may exercise the following rights at any time:

  • Access (Art. 15) — request a copy of the data we hold about you.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure (Art. 17) — request deletion of your data.
  • Restriction (Art. 18) — request that processing be limited while a dispute is resolved.
  • Portability (Art. 20) — receive your data in a machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interest.
  • Withdraw consent (Art. 7(3)) — withdraw any consent previously given.

To exercise any right, use the form below or write to privacy@koromanda.com. We respond within 30 calendar days as required by GDPR.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

Request deletion of your record

Erasure request — GDPR Article 17

Submit the email and reference number from your original application or inquiry. We will send a confirmation link to that email. On confirmation we delete the record and any uploaded files within 5 business days.

Cookies and storage

We use a minimal set of browser storage values, listed on the cookies page. The site is cookieless for analytics — no third-party tracking script collects identifiers on first visit.

International transfers

Personal data is processed in the EU. The only sub-processors that may receive data outside the EU are part of Cloudflare's global edge network for delivery purposes only; substantive storage remains in EU regions under Cloudflare's Standard Contractual Clauses.

Changes to this policy

Material changes are versioned and dated at the top of this page. Significant changes (purpose, retention, sub-processors) are notified by email to candidates with active applications.