Legal
Privacy Policy
This Privacy Policy explains how Orvensa handles personal data in connection with its website, accounts, customer administration, support, billing, and the use of the Orvensa platform by recruiting organizations.
Last updated: March 10, 2026
Provider: Kobenski BV
Trade name: Orvensa
1. Who we are
Orvensa is operated by Kobenski BV.
Kobenski BV
Brusselstraat 51, 2018 Antwerpen, Belgium
Enterprise number / VAT number: BE0789853974
Telephone: +32 471 5555 60
Support email: support@orvensa.ai
For the activities described in this policy, Kobenski BV may act either as a controller or as a processor, depending on the context explained below.
2. Controller and processor roles
Orvensa is used by recruiting organizations to manage recruitment workflows and to run AI-assisted candidate review. In that context, roles differ depending on the type of data and the activity.
| Context | Primary role of recruiting organization | Primary role of Kobenski BV / Orvensa |
|---|---|---|
| Website visitors, demo requests, support, commercial contact, account creation, billing, and customer administration | Usually not applicable or separate controller for its own relationship with Orvensa | Controller |
| Applicant data processed in the platform for hiring workflows | Controller | Processor acting on documented instructions of the recruiting organization |
| Platform security logging, fraud prevention, incident handling, and legal compliance records needed to secure or defend the service | Controller or separate controller for those limited purposes, where applicable | Controller for those limited platform-level obligations |
Each recruiting organization remains responsible for ensuring that it has an appropriate legal basis for applicant-data processing, that candidates receive an adequate privacy notice, and that recruitment decisions remain lawful, fair, and transparent.
3. Scope of this policy
This policy applies to personal data processed in connection with:
- the Orvensa marketing website and contact channels,
- user accounts and authentication flows,
- organization administration inside the platform,
- billing and subscription management,
- support and customer communications,
- applicant and recruitment data processed within the platform, and
- security, audit, and compliance records linked to the service.
This policy does not replace a recruiting organization’s own applicant privacy notice. Where a candidate applies through a recruiting organization using Orvensa, that organization should provide its own recruitment privacy notice, while this policy explains the role and processing carried out through the Orvensa service.
4. Personal data we process
| Category | Examples |
|---|---|
| Identity and account data | Name, email address, username, password credentials, email verification status, pending email change data |
| Organization and admin data | Organization name, billing email, legal name, VAT number, billing address, team memberships, user roles |
| Applicant and recruitment data | Candidate name, email address where available, CV file, extracted CV content, intake data, job applications, DSAR records |
| Evaluation and decision-support data | Scores, subscores, summaries, strengths, risks, interview questions, confidence values, final decisions, contestation records, human review flags |
| Job and recruitment context data | Job descriptions, job posts, recruiter notes, manager intake information, prompts, rubrics, context documents uploaded for a role |
| Technical and usage data | IP address in audit logs where applicable, request metadata, timestamps, security and incident records, authentication events |
| Billing and transaction-related data | Stripe customer ID, subscription ID, plan, billing cycle, billing status, invoice-related events and metadata |
| Communications data | Support requests, invitation emails, password change notifications, billing emails, service emails |
5. Purposes and legal bases
The legal basis depends on the relevant processing context.
| Purpose | Typical legal basis | Who mainly determines the purpose |
|---|---|---|
| Operating the website, handling inbound requests, and responding to business inquiries | Legitimate interests | Kobenski BV |
| Creating and managing user accounts, authentication, password resets, and account security | Performance of a contract and legitimate interests | Kobenski BV |
| Billing, subscription management, invoices, and payment administration | Performance of a contract, legal obligation, and legitimate interests | Kobenski BV |
| Customer support, abuse prevention, incident handling, and service protection | Legitimate interests and, where applicable, legal obligations | Kobenski BV |
| Applicant-data processing for recruitment inside the platform | Determined by the recruiting organization, typically legitimate interests, contract-related necessity, or consent where required | Recruiting organization |
| Audit logging and compliance records | Legitimate interests and legal obligations, depending on context | Kobenski BV and/or recruiting organization |
In the platform, Orvensa allows the recruiting organization to configure a default applicant-data legal basis and to record the privacy notice URL and notice version associated with collection. It also snapshots the configured legal basis and notice details at applicant intake.
6. AI-assisted processing
Orvensa provides AI-assisted candidate evaluation as a decision-support tool. The system may use job context and CV-derived text to generate structured outputs such as summaries, strengths, risks, interview questions, score-related outputs, and confidence indicators.
Orvensa is designed so that a human reviewer remains responsible for the final hiring decision. The platform also includes controls that can disable AI screening or AI evaluations at organization level, require human review, and block automated processing where a candidate has objected, where processing is restricted, or where policy requirements are not met.
Orvensa applies a data-minimization step before sending CV text to the AI provider by redacting obvious direct identifiers such as email addresses and phone-like numbers. This is a pragmatic minimization measure, not full anonymization.
At the current stage of implementation, extracted raw CV text may be stored in evaluation metadata in the platform. For that reason, Orvensa does not state that CV text is never persisted. Recruiting organizations should take this into account in their internal legal review, retention configuration, and candidate notices.
7. Sources of personal data
We obtain personal data from different sources depending on the context:
- directly from users who create accounts, request support, or manage an organization,
- from recruiting organizations that upload candidate files and related recruitment data,
- from candidates’ CVs and application materials uploaded into the platform,
- from authentication, audit, and system-generated events created during platform use, and
- from payment and subscription events generated through Stripe.
8. Recipients and processors
Personal data may be disclosed to the following categories of recipients where necessary:
- authorized users within the relevant recruiting organization, based on role-based access permissions,
- Kobenski BV personnel and contractors who need access for support, maintenance, security, or compliance purposes,
- hosting, infrastructure, email, and payment providers engaged to operate the service,
- AI model providers engaged to process candidate evaluation inputs on behalf of the service, and
- public authorities, courts, regulators, or advisers where disclosure is legally required or reasonably necessary to establish, exercise, or defend legal claims.
Current key service-provider categories include infrastructure/hosting providers, SendGrid for transactional email, Stripe for subscription billing, and OpenAI for AI inference functionality.
9. International transfers
Orvensa aims to structure processing in a GDPR-compliant way. Where personal data is transferred outside the European Economic Area, appropriate safeguards should be used, such as an adequacy decision, the European Commission’s Standard Contractual Clauses, or another lawful transfer mechanism as applicable to the relevant processor relationship.
If a recruiting organization uses Orvensa to process applicant data, that organization should review the processor list, transfer setup, and contractual safeguards as part of its own legal review.
10. Retention
Retention depends on the type of data and the processing context.
| Data set | Retention approach |
|---|---|
| Website, contact, support, and account-related data | Retained for as long as necessary for the relevant relationship, support history, security, and legal obligations |
| Billing and subscription records | Retained for contract administration, accounting, tax, and legal retention obligations |
| Applicant records in recruitment workflows | Retention can be configured at organization level. Current platform settings allow retention when enabled, with a retention period between 6 and 24 months. |
| Applicant CV files | Deleted when the applicant record is deleted, including through retention deletion flows, subject to implementation and storage behavior |
| DSAR records and compliance records | Retained for as long as necessary to document and defend compliance with legal obligations and requests |
| Audit and incident records | Retained for accountability, service protection, and legal compliance purposes for an appropriate period |
The platform includes automated retention enforcement for applicant records where enabled by the organization. Applicants marked as processing-restricted are skipped by the retention deletion routine unless separately resolved.
11. Security
Orvensa applies technical and organizational measures intended to protect personal data against unauthorized access, loss, misuse, or unlawful destruction. These measures include, among other things:
- authenticated access controls and organization-scoped permissions,
- role-based access management for owners, admins, and members,
- audit logging of sensitive actions,
- security incident tracking,
- transactional email notifications for certain account-security events,
- controlled deletion of CV files when applicant records are deleted, and
- separate billing-provider handling for payment and subscription events.
No security measure can guarantee absolute security. If you suspect misuse, unauthorized access, or a security issue, contact support immediately.
12. Data subject rights
Under applicable law, data subjects may have the right to request access, rectification, erasure, restriction, objection, portability, and not to be subject to a decision based solely on automated processing where the legal conditions are met.
In recruitment workflows, the recruiting organization is usually the first point of contact for candidate rights requests because it is the controller for that applicant-data processing. Orvensa provides functionality that can support:
- access exports,
- rectification workflows,
- erasure workflows,
- restriction of processing,
- objection to automation, and
- human review and contestation of evaluations.
If your request concerns your account, billing, support communications, or website interaction with Kobenski BV directly, you may contact Kobenski BV using the details below.
13. Complaints and contact
For privacy questions concerning Orvensa as operated by Kobenski BV, you can contact:
Kobenski BV
Brusselstraat 51, 2018 Antwerpen, Belgium
VAT: BE0789853974
Email: support@orvensa.ai
Telephone: +32 471 5555 60
If you are a candidate and your request concerns a recruitment process run by a recruiting organization through Orvensa, you should normally contact that recruiting organization first.
You also have the right to lodge a complaint with the competent supervisory authority, including in Belgium the Gegevensbeschermingsautoriteit / Autorité de protection des données.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect legal, operational, or product changes. The latest version will be published on this page with an updated revision date.