GDPR & Data Protection

Who is responsible for what

When you use Lucuma to screen CVs, there are two distinct roles under GDPR:

Our GDPR commitments

• No retention: CV data is processed in memory and not written to persistent storage. We do not retain copies of CVs after screening.
• No training: We do not use candidate data to train AI models. Anthropic, our AI provider, does not train on API data.
• No sale: We do not sell candidate data or share it with third parties for their own purposes.
• EU processing: All data is processed within the UK and EU, or under appropriate safeguards (Anthropic is covered by the EU-US Data Privacy Framework).
• Security: Data in transit is encrypted via TLS. No candidate data is written to persistent storage.
• Sub-processors: We use only Anthropic (AI processing) and our hosting provider. Both are bound by appropriate data processing agreements.

Data Processing Agreement (DPA)

Agency and Enterprise plan subscribers receive a formal GDPR Data Processing Agreement which documents:

• The nature and purpose of processing
• Categories of personal data processed
• Your rights and our obligations as processor
• Sub-processor details
• Security measures
• Data breach notification procedures
• Data deletion procedures

To request a DPA, contact hello@marvanova.com.

Your obligations as a recruiter

When using Lucuma you remain responsible for:

• Having a lawful basis to process each candidate's CV (Article 6 UK GDPR)
• Not uploading special category data (health, race, religion etc.) unless you have explicit consent and a specific purpose
• Informing candidates that AI screening tools may be used in your process
• Responding to candidate subject access requests or deletion requests
• Not using AI screening results as the sole basis for rejection without human review (Article 22, automated decision-making)
• Retaining your own records in accordance with your data retention policy

Candidate rights

Lucuma does not retain candidate data, so we cannot respond to candidate data subject access requests on your behalf. If a candidate contacts you about how their data was used in your screening process, that is your responsibility as data controller to address.

If a candidate contacts us directly, we will direct them to you as the data controller and confirm that we hold no copies of their data.

AI and automated decision-making (Article 22)

Lucuma's screening results constitute automated processing. Under Article 22 of UK GDPR, if automated processing produces legal or similarly significant effects on candidates, those candidates have the right not to be subject to solely automated decisions.

Lucuma is designed as a screening tool, it produces a ranked shortlist for human review, not a final decision. We recommend that you:

• Inform candidates in your job postings that automated screening tools are used
• Ensure a human reviews all final shortlisting decisions
• Be able to explain to candidates why they were or were not shortlisted

Data breach notification

In the event of a data breach affecting your account data, we will notify you within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33. As we do not retain candidate CV data, a breach would not expose candidate CVs.

ICO registration

As a UK-based data processor, Marvanova is registered with the Information Commissioner's Office (ICO). If you have unresolved concerns about how we handle data, you may lodge a complaint with the ICO at ico.org.uk.

Contact our data team

For all GDPR-related enquiries, DPA requests, or data subject assistance:
hello@marvanova.com