Last updated 29 June 2026
Lucuma is built for recruiters who take data protection seriously. This page explains how the product is designed to support your compliance with the UK GDPR and EU GDPR when you screen candidates.
All processing required to generate your screening results takes place within the EU.
Candidate CV data is processed only to produce your results and is not stored on our servers after your session ends.
We never use candidate data to train AI models. Your candidates' information is used solely to give you your results.
For the candidate data you upload, you (or your organisation) are the data controller and Lucuma acts as your processor. Agency and Enterprise plans include a full Data Processing Agreement that documents this relationship, the processing details, and the safeguards in place.
Lucuma is designed to help you meet the requirements around automated decision-making. Every score is explainable in plain English, low-data CVs are flagged for manual review rather than guessed, and Lucuma never makes a hiring decision or auto-rejects a candidate. It ranks and explains; a human always decides. This keeps a meaningful person in the loop, which matters under UK ICO guidance and EU rules on automated decisions in hiring.
Because you remain the controller, you are best placed to respond to candidate rights requests. Lucuma supports this by keeping screening transparent and auditable, with a clear reason behind every score.
We use a small number of trusted infrastructure and AI processing providers, each under contractual data protection terms, and apply appropriate technical and organisational security measures. A current list of sub-processors and our security overview are available on request.
To request a Data Processing Agreement, a sub-processor list, or our security documentation, email hello@marvanova.com. See also our Privacy Policy.