This Privacy Policy describes how Leading srl STP ("we", "us", "our"), operating the Consonia service at consonia.app, collects, uses, and protects personal data when you use our platform.
Consonia is used by recruiters and HR professionals to assess hiring fit. The platform processes data about three categories of people: (a) the recruiter or administrator who holds the account, (b) the members of the hiring team whose interviews are uploaded, and (c) the candidates whose interviews are uploaded. This policy distinguishes the role we play in each case.
1. Who we are
The data controller for account, billing, and usage data is: Leading srl STP
Via Lazzaretto 1, 20060 Gessate (MI), Italy
Email: support@consonia.app
For interview transcripts, grid parameters, and candidate evaluations, the recruiter (or the recruiter's organisation) is the data controller; we act as data processor under their instructions, in accordance with Art. 28 GDPR.
2. Data we collect
About the recruiter (account holder):
Account data — email address, hashed password, role (admin or recruiter), and organisation name. Collected at registration.
Billing data — company name, VAT number, SDI / PEC code, and address. Collected only when a paid plan is purchased and invoicing is requested.
Usage data — number of searches created, credits consumed, plan history. Used for service operation and analytics.
About team members and candidates (uploaded by the recruiter):
Team interview transcripts — text or audio of interviews with team members, uploaded by the recruiter to map the team's cultural grid.
Candidate interview transcripts — text or audio of interviews with candidates, uploaded by the recruiter to evaluate fit.
AI-generated grid parameters — cultural parameters extracted by our AI from team transcripts, with verbatim citations.
AI-generated evaluations — fit ratings (evident, partial, not observed) and supporting verbatim passages, generated for each candidate against each parameter.
The recruiter is responsible for ensuring a lawful basis (typically consent, legitimate interest, or contract) for processing the personal data of team members and candidates. We provide tools to facilitate anonymisation but do not enforce it on our own initiative.
3. How we use your data
To provide, operate, and improve the Consonia service.
To manage your account, organisation, and credits.
To process payments and generate invoices.
To send transactional emails (account verification, password reset, billing receipts).
To respond to support requests.
To comply with legal obligations.
We do not sell your data. We do not use it for advertising. We do not use uploaded transcripts to train our own AI models or third-party AI models.
4. Legal basis for processing (GDPR)
Contract performance — processing necessary to provide the service (Art. 6(1)(b) GDPR).
We share data with the following sub-processors, each bound by data processing agreements:
Anthropic (USA) — processes interview transcripts to extract grid parameters and evaluate candidates. Anthropic does not train its models on data submitted via API. Privacy policy.
Google (USA) — processes audio recordings via the Gemini API for transcription. Privacy policy.
Cloudflare (USA / EU) — hosts the application and stores account, search, and transcript data in Cloudflare D1 and R2. Privacy policy.
Stripe (USA) — processes payment card data. We do not store card numbers. Privacy policy.
Transfers to the USA are made under Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.
6. Data retention
Account data — retained while your account is active and for 12 months after deletion.
Search data, team interviews, candidate transcripts, grid parameters, evaluations — retained while the corresponding search exists in your account. Deleted when you delete the search or your account. The recruiter (controller) is responsible for deleting transcripts in line with their own retention obligations toward the data subjects.
Billing records — retained for 10 years as required by Italian tax law.
Audio recordings — sent to the Gemini API for transcription and not permanently stored on our systems beyond the duration of the API call.
7. Your rights (GDPR)
If you are based in the EEA, UK, or Switzerland, you have the following rights regarding personal data we hold about you as the recruiter:
Access — request a copy of your data.
Rectification — request correction of inaccurate data.
Erasure — request deletion of your account and associated data.
Portability — request your data in a machine-readable format.
Objection — object to processing based on legitimate interests.
Restriction — request that we limit processing of your data.
If you are a team member or candidate whose interview was uploaded to Consonia by a recruiter, please direct your request to the recruiter (the data controller). If you cannot identify the controller, contact us and we will route the request appropriately.
Passwords are stored as bcrypt hashes and are never readable by us. All data in transit is encrypted via HTTPS/TLS. Database access is restricted to our Cloudflare Worker infrastructure. Authentication tokens are signed JWTs with short rotation.
9. Cookies
Consonia does not use tracking or advertising cookies. We use browser localStorage to store your authentication token and session preferences. No third-party analytics scripts are loaded.
10. AI processing and the EU AI Act
Consonia uses AI to assist hiring decisions. AI in employment is classified as a high-risk use case under the EU AI Act. Accordingly:
Every AI-generated reading is traced back to a verbatim passage from the source transcript.
The recruiter retains final decision authority — Consonia produces evidence, never decisions.
The cultural grid is editable by the recruiter and not imposed by the AI.
Consonia does not score, rank, or filter candidates automatically.
See our Ethical Commitment for a fuller account of how we approach AI in recruiting.
11. Children
Consonia is intended for professional use and is not directed at individuals under 16. We do not knowingly collect data from minors.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified to registered users by email. The "Last updated" date above reflects the most recent revision.