Privacy Notice
This Privacy Notice explains how AVLO LTD ("we", "us", or "/avlo:") collects and processes personal data. We provide an AI-assisted recruitment screening platform designed to help employers (the "Client") analyse, screen, and engage with candidate applications efficiently.
Our platform includes an AI-powered clarification loop that may contact candidates directly by email or WhatsApp to gather additional context about their application. WhatsApp contact is only made with the candidate's explicit prior consent. All AI-generated outputs are subject to human review, and no automated decisions are made about candidates.
Clients operating under a subscription agreement are subject to a Data Processing Agreement (DPA) which governs how we handle Candidate Data on their behalf. A copy is available on request at privacy@avlo.uk.
Our Legal Role
We process candidate data — CVs, names, contact details, and clarification responses — strictly on the documented instructions of our Clients, who are the Data Controllers.
We are the Controller for our own business data, including Client login credentials and contact details.
Data We Process
Candidate Data: CVs, employment history, education, contact details, and any clarification responses submitted by candidates in response to our screening messages (email or WhatsApp).
Usage Data: Metadata related to platform use, including timestamps, interaction logs, and screening outcomes.
Client Data: Account credentials, organisation settings, and billing information.
AI Transparency & Automated Decision-Making
/avlo: uses artificial intelligence to support candidate screening. Here's how that works in practice:
Our AI analyses CV text against job requirements to assess relevant skills and experience. Where a CV leaves specific questions unanswered, our system may send a clarification message to the candidate via email or WhatsApp. The candidate's response is then incorporated into the final assessment.
We do not engage in solely automated decision-making under Article 22 UK GDPR. All AI-generated recommendations are subject to human review. The final decision to progress or reject a candidate always rests with a human recruiter.
AI processing is conducted via the Anthropic API (Claude). We do not permit Anthropic to use Client or Candidate data to train their models. Data is transmitted via encrypted API connections. Under Anthropic's API terms, data may be retained for up to 30 days for trust and safety purposes only, after which it is deleted.
Candidates may receive a message from /avlo: as part of the screening process, via email or — with their explicit prior consent — via WhatsApp. This message will identify itself as AI-assisted, confirm that no automated decision has been made, and explain that their response will be reviewed by a human recruiter. Candidates may opt out by not responding or by declining the WhatsApp consent prompt.
Sub-processors & Infrastructure
We use the following trusted third-party services to operate the platform:
| Provider | Purpose | Data Location |
|---|---|---|
| Supabase | Database, CV file storage & user authentication | UK (London) |
| Netlify | Platform hosting & serverless functions | EU / CDN |
| Anthropic (Claude API) | AI screening & re-evaluation | USA (SCCs in place, UK Addendum included — data not stored beyond 30 days) |
| Postmark | Transactional email delivery | USA (SCCs in place) |
| Twilio | WhatsApp candidate messaging | USA (SCCs in place) |
Where data is processed outside the UK, appropriate safeguards are in place including Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms under UK GDPR.
Data Retention
CV files and extracted CV text are automatically deleted 12 months after the candidate's application date. This deletion runs on a nightly automated schedule, and no manual action is required.
Candidate records (name, email, screening verdict, and correspondence history) are retained beyond this point for legitimate recruitment purposes including talent matching and silver medallist consideration. Candidates may request full erasure of all data at any time by contacting privacy@avlo.uk.
CV files are stored in a private, access-controlled storage bucket. Signed URLs are generated on demand and expire after 7 days.
Client account data is retained for the duration of the subscription and deleted within 30 days of account closure, unless a longer period is agreed in writing.
Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure:
- All candidate data stored in UK-based infrastructure (Supabase, London region).
- CV files stored in a private bucket with no public access — accessible only via expiring signed URLs.
- All AI processing conducted via encrypted API connections.
- Row-level security enforced at database level — organisations can only access their own data.
- Authentication managed via Supabase Auth with session-based access controls, validated server-side on every request.
- Platform served over HTTPS with DNS managed via Cloudflare.
Your Rights
Where we act as a Controller, individuals have the following rights under UK GDPR:
- The right to access the personal data we hold about you.
- The right to rectification of inaccurate or incomplete data.
- The right to erasure (right to be forgotten) in certain circumstances.
- The right to restrict or object to processing.
- The right to data portability.
- The right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Where we act as a Processor on behalf of a Client, please direct your request to the relevant Client organisation in the first instance. We will assist the Client in responding to your request as required under UK GDPR.
Changes to This Notice
We may update this Privacy Notice from time to time. Any material changes will be communicated to Client users directly. The current version will always be accessible at avlo.uk/privacy.
Contact Us
If you have any questions about this Privacy Notice or wish to exercise your rights, please contact:
AVLO LTD
Email: privacy@avlo.uk
Website: www.avlo.uk