Compliance

GDPR and data processing

Last updated 29 June 2026

Lucuma is built for recruiters who take data protection seriously. This page explains how the product is designed to support your compliance with the UK GDPR and EU GDPR when you screen candidates.

Data residency

All processing required to generate your screening results takes place within the EU.

No retention after your session

Candidate CV data is processed only to produce your results and is not stored on our servers after your session ends.

No model training on candidate data

We never use candidate data to train AI models. Your candidates' information is used solely to give you your results.

Controller and processor

For the candidate data you upload, you (or your organisation) are the data controller and Lucuma acts as your processor. Agency and Enterprise plans include a full Data Processing Agreement that documents this relationship, the processing details, and the safeguards in place.

Explainable and human-in-the-loop by design

Lucuma is designed to help you meet the requirements around automated decision-making. Every score is explainable in plain English, low-data CVs are flagged for manual review rather than guessed, and Lucuma never makes a hiring decision or auto-rejects a candidate. It ranks and explains; a human always decides. This keeps a meaningful person in the loop, which matters under UK ICO guidance and EU rules on automated decisions in hiring.

Your candidates' rights

Because you remain the controller, you are best placed to respond to candidate rights requests. Lucuma supports this by keeping screening transparent and auditable, with a clear reason behind every score.

Sub-processors and security

We use a small number of trusted infrastructure and AI processing providers, each under contractual data protection terms, and apply appropriate technical and organisational security measures. A current list of sub-processors and our security overview are available on request.

Request a DPA or more information

To request a Data Processing Agreement, a sub-processor list, or our security documentation, email hello@marvanova.com. See also our Privacy Policy.