Trust & Data

Built for compliance.
Not just compatible with it.

Avlo is built for UK recruitment teams. Every decision about how we handle candidate data — where it's stored, how long we keep it, who can see it, and how AI verdicts are reached — was made with GDPR and fairness as the starting point. Not a checkbox exercise.

01 · Infrastructure

Your data stays in the UK. Full stop.

Avlo runs on Supabase's London region — one of the most trusted data infrastructure providers in the world, SOC 2 Type II certified and ISO 27001 compliant. All candidate data, CV files, extracted text, and screening outputs are stored in the UK and never transferred outside it.

We don't use third-party servers in the US, EU, or anywhere else to store your data. What goes into Avlo stays in the UK.

  • Supabase London region (eu-west-2)
  • SOC 2 Type II certified infrastructure
  • ISO 27001 compliant
  • No data transfer outside the UK
  • HTTPS enforced across all endpoints
  • Row-level security — organisations can only access their own data
London region hosting
All data stored at Supabase's London data centre. Nothing is processed or stored outside the UK at any point.
Row-level security
Each organisation's data is isolated at the database level. There is no technical path for one organisation to access another's candidates, jobs, or screening outputs.
SOC 2 Type II & ISO 27001
Our infrastructure provider holds both certifications. Audit reports available on request for enterprise due diligence.
HTTPS everywhere
All data in transit is encrypted. No unencrypted endpoints exist in the Avlo platform.
02 · Data Handling

Enough to hire. Nothing more.

CV files and extracted text are automatically deleted 12 months after upload — no manual process required, no chasing. The deletion runs on a nightly schedule. Candidate records (name, email, screening verdict) are retained for talent matching purposes in line with our privacy policy, and can be erased on request at any time.

We don't sell candidate data. We don't share it with third parties. We don't use it to train AI models. It exists solely to power your screening and talent matching workflow.

  • CV files and extracted text deleted after 12 months — automatically
  • Candidate records retained for talent matching; erasable on request
  • Nightly deletion schedule — no manual intervention needed
  • Data never sold, shared with third parties, or used to train AI models
  • Audit log of deletion events available on request
✦ Data lifecycle
1
Candidate applies
CV uploaded via apply link. File stored securely in UK infrastructure. 12-month deletion clock starts.
2
Screening & clarification
AI reads the CV. Clarification messages sent if needed. Verdict stored. All within UK infrastructure.
3
Role filled
Hiring complete. Candidate record retained for talent matching. CV file and extracted text deleted at 12 months. Erasure available on request at any time.
CV file auto-deleted at 12 months
CV file and extracted text permanently deleted on nightly schedule. Candidate record retained for talent matching unless erasure requested.
03 · AI & Fairness

Screening that reads the person, not the postcode.

Avlo uses reasoning-based AI to assess candidates against your specific job requirements — not keyword lists, not pattern matching, and not proxies for protected characteristics. The model is instructed to ignore name, address, educational institution, and graduation year when forming its verdict.

Every verdict is accompanied by a written rationale. You can see exactly what Avlo considered, what it flagged as a strength, and what it noted as a gap. There are no black boxes.

  • Name-blind assessment — candidate names not weighted
  • Address/postcode not used in verdict formation
  • Educational institution not used as a proxy for ability
  • Every verdict accompanied by a written explanation
  • Consistent standard applied to every candidate in the same pipeline
  • No pattern matching against demographic proxies
✦ What Avlo ignores
The following data points are visible in the CV but explicitly excluded from verdict formation.
Signal Used in verdict?
Candidate name ✕ Excluded
Home address / postcode ✕ Excluded
University / school attended ✕ Excluded
Graduation year ✕ Excluded
Relevant skills & experience ✓ Used
Job-specific requirements ✓ Used
Seniority & scope of previous roles ✓ Used
04 · Human Oversight

AI recommends. Humans decide.

Avlo is designed around the principle that AI should support recruiter judgement — not replace it. Every verdict is a recommendation. Every shortlist requires a human to review. No candidate is progressed or rejected without a person in the loop.

Where Avlo's AI flags a candidate as an Exception — an unusual profile that doesn't fit neatly into a standard verdict — it pauses and explicitly invites the recruiter to make the call. The Override Verdict function lets recruiters correct any verdict, with an automatic audit note recording who changed what and when.

  • All verdicts are recommendations — no automatic rejection or progression
  • Exception flag for unusual profiles — explicit human review requested
  • Override Verdict — any recruiter can change any verdict
  • Override audit trail — timestamped note records every change
  • Hiring manager shortlist requires human approval before progression
Screening workflow
Human in the loop
1
AI screens CV
Avlo reads and assesses the application against job requirements. Returns a verdict with written rationale and strengths/gaps breakdown.
2
Clarification sent if needed
Borderline candidates receive a follow-up message. Avlo re-evaluates on reply. Verdict updates automatically — recruiter sees the full thread.
3
Recruiter reviews shortlist
Human decision required. Recruiter can override any verdict. Exception-flagged candidates require explicit review before any action.
4
Hiring manager approves
Live shortlist shared with hiring manager. They review and mark candidates. Recruiter sees feedback before any progression decision is made.
05 · Candidate Rights

Candidates have rights. We make them easy to honour.

Under UK GDPR, candidates have the right to access data held about them, to correct inaccurate data, and to request erasure. Avlo is built to make honouring these rights straightforward — not a support burden.

Right to erasure requests can be submitted by candidates directly to privacy@avlo.uk. Avlo processes these promptly, permanently deleting all data associated with the candidate — CV file, extracted text, screening outputs, and correspondence records.

  • Right of access — data available on request
  • Right to erasure — candidate data permanently deleted on request
  • Single point of contact: privacy@avlo.uk
  • No retention of deleted candidate data in backups beyond standard schedule
  • WhatsApp clarification messages sent only with explicit candidate consent
  • Opt-out available at any point in the clarification process
Right of access
Candidates can request a copy of all data held about them. Contact privacy@avlo.uk — we respond within the statutory timeframe.
Right to erasure
A single request to privacy@avlo.uk permanently deletes all candidate data — CV, extracted text, screening outputs, and correspondence.
WhatsApp consent
Candidates receive an explicit opt-in consent message before any WhatsApp clarification is sent. They can decline at any point — no consequences to their application.
Automated decision-making
Avlo's AI verdicts are recommendations only. No candidate is rejected solely by automated means — a human recruiter reviews all outcomes.
06 · DPA & Legal

The paperwork. Sorted.

Avlo acts as a data processor on behalf of your organisation. You remain the data controller for all candidate data processed through the platform. Our Data Processing Agreement sets out each party's responsibilities clearly and is available on request — or included as standard on the Growth plan.

Our privacy policy is published at avlo.uk/privacy and our terms of service at avlo.uk/terms. If you have specific compliance questions not addressed here, get in touch at privacy@avlo.uk.

  • Avlo is data processor — your organisation is data controller
  • DPA available on request (Core) or included as standard (Growth)
  • Privacy policy: avlo.uk/privacy
  • Terms of service: avlo.uk/terms
  • DPA published at avlo.uk/dpa
  • Compliance questions: privacy@avlo.uk
Data Processing Agreement
Included on Growth plan. Available on request for Core customers. Sets out processor/controller responsibilities, sub-processors, and data handling obligations.
Sub-processors
We use a limited number of sub-processors: Supabase (infrastructure), Anthropic (AI screening), Twilio (WhatsApp), Postmark (email), Clerk (authentication). Full list available in the DPA.
Response times
We aim to respond to all data-related requests within 5 working days and within the statutory timeframe in all cases.

Questions not answered here? Contact us at privacy@avlo.uk

Request DPA →
Get started

30 days free. No card required.

Built for UK recruitment teams who take compliance seriously — and want screening that works.

Start free trial See pricing