Privacy Policy

Last updated: 16 June 2026

This is a working draft provided for transparency. It is under review and may change before it becomes binding.

This policy explains how personal data is processed in the LOVIC platform under UK GDPR and the Data Protection Act 2018. LOVIC is provided to institutions; for staff data held in the platform the institution is the data controller and LOVIC operates as its processor.

Who we are

LOVIC is a trading name of [LEGAL ENTITY NAME] (company number [COMPANY REGISTRATION NUMBER]), registered at [REGISTERED OFFICE ADDRESS]. Our ICO registration number is [ICO REGISTRATION NUMBER]. Privacy enquiries: [PRIVACY CONTACT EMAIL].

What data we process

The platform holds the following categories of personal data about institution staff:

  • Identity and contact details (name, work email), provisioned from the institution's Microsoft Entra ID
  • Employment context (job title, department, reporting line)
  • Skills, confirmed competencies and development records
  • Uploaded CV documents and the structured data extracted from them
  • Career-development activity (goals, pathways, CPD records)

Identity and access data is provisioned from the institution's Microsoft Entra ID; the platform does not create standalone passwords for staff.

Lawful basis

For staff data, the institution (as controller) relies on its own lawful basis, typically the performance of the employment relationship and its legitimate interests in staff development. LOVIC processes this data only on the institution's documented instructions as its processor.

AI processing

Some features use advisory AI to summarise or suggest. AI outputs are advisory only and never make a decision about a person. Every AI interaction is logged with its model, prompt version and an output summary, and each output is validated before it is shown. Inputs sent to the AI provider are minimised to what the feature needs.

Sub-processors

We use the following sub-processors:

  • Microsoft Azure - Application hosting, database and file storage (UK South (United Kingdom)).
  • Microsoft Entra ID - Single sign-on and user provisioning for institution staff (European Union / United Kingdom).
  • Anthropic - Advisory AI features (Claude), on governed, minimised inputs only (United Kingdom / European Union data-processing region).
  • Azure Communication Services - Transactional and notification email (United Kingdom / European Union).

Data residency

Application data is hosted in Microsoft Azure UK South. Email and identity providers operate in the United Kingdom or European Union. AI processing uses the provider's UK or EU data-processing region.

Retention

Retention periods are set by each institution through the platform's data-retention policy configuration. Data is retained for as long as the institution's policy requires and is then deleted. On request, an institution's data can be permanently erased, cascading through every related record.

Your rights

Individuals have the right to access, rectify, erase and restrict the processing of their personal data, and to object to processing. Because the institution is the controller, requests are handled through the institution; the platform provides the administrative tools to fulfil them. You may also complain to the Information Commissioner's Office (ico.org.uk).

Contact

For any privacy question, contact [PRIVACY CONTACT EMAIL].