Privacy Notice

Last updated: 14 June 2026

This notice explains how The Leverage Lab UK ("we", "us", "our") processes personal data when providing the BEDROX recruitment automation platform to recruitment agencies ("Clients"). We are committed to handling all personal data lawfully, transparently, and securely in accordance with UK GDPR and the Data Protection Act 2018.

1. Who We Are

The Leverage Lab UK
Email: hello@theleveragelabuk.com

In relation to candidate personal data processed through BEDROX, each recruitment agency (our Client) is the Data Controller. The Leverage Lab UK acts as the Data Processor, processing candidate data solely on the instructions of the Client. Each Client is responsible for their own ICO registration and for providing candidates with their own privacy notice.

2. What Personal Data We Process

On behalf of our Clients, we process the following categories of candidate personal data:

• Name, email address, phone number, and postcode
• CV and work history (as submitted by the candidate)
• AI-generated match score and screening outcome (Invited / Pending / Rejected)
• Job application reference and timestamps
• Right-to-work and licence information (where included in a CV)

We also process limited personal data about Client contacts (agency staff) for account management purposes, including name, email address, and login credentials (stored as a one-way hash).

3. Lawful Basis for Processing

• Candidate data: Processed on the lawful basis of legitimate interests of the Client (recruitment), as instructed by the Client under our Data Processing Agreement.
• Client contact data: Processed on the basis of contract (providing the BEDROX service) and legitimate interests (account security and communications).

4. How We Use Personal Data

We process candidate data to provide the BEDROX service, which includes:

• Receiving CV emails sent to a Client's intake inbox
• Extracting and parsing CV text from PDF attachments
• Sending CV text to OpenAI for automated scoring against job criteria
• Storing the candidate record and score in the Client's isolated workspace
• Sending automated outcome emails (invite / pending / reject) to candidates on the Client's behalf
• Providing the Client's dashboard access to their candidate data

We do not use candidate data for any purpose beyond providing the service, and we do not sell, share, or transfer candidate data to third parties except as set out in Section 6 (Sub-Processors).

5. Data Retention

Candidate records are retained for the following periods, after which they are automatically flagged for deletion:

Data Type	Retention Period	Reason
Rejected / No Response candidates	12 months from application	UK recruitment industry standard
Invited / Pending candidates	24 months from application	Ongoing recruitment relationship
Onboarding records	6 years from placement	HMRC payroll requirement
Timesheet records	6 years from week ending	HMRC payroll requirement
Compliance documents	2 years after expiry	Right-to-work / licence audit
Client account data	Duration of contract + 12 months	Account management

Clients may request early deletion of any candidate record at any time via the BEDROX erasure tool, subject to the HMRC retention carve-out above.

6. Sub-Processors

We use the following third-party sub-processors to deliver the BEDROX service. All sub-processors are contractually bound to handle data securely and only as instructed.

Sub-Processor	Purpose	Data Location	Link
Supabase	Database hosting — stores all candidate, job, and account data	EU (West Europe)	Privacy Policy
Netlify	Application hosting and serverless functions	USA (SCCs in place)	Privacy Policy
OpenAI	AI scoring — CV text is sent to OpenAI to generate a match score. No CV data is used to train OpenAI models (API data retention: 30 days then deleted).	USA (SCCs in place)	Privacy Policy
Resend	Transactional email — sends automated outcome emails to candidates	USA (SCCs in place)	Privacy Policy
Google (Gmail API)	Email intake — reads CV emails from the Client's Gmail inbox	USA (SCCs in place)	Privacy Policy
Calendly	Interview scheduling — Calendly booking links are included in invite emails	USA (SCCs in place)	Privacy Policy
Tally	Job intake forms — used to create new job postings	EU (Belgium)	Privacy Policy
Stripe	Payment processing — processes Client subscription payments	USA / EU (SCCs in place)	Privacy Policy

SCC = Standard Contractual Clauses (the EU/UK-approved mechanism for international data transfers).

7. Data Security

We implement the following technical and organisational measures to protect personal data:

• All data is encrypted in transit (TLS 1.2+) and at rest
• Database access uses service-role keys stored as server-side environment variables only — never exposed to the browser
• Multi-tenant isolation: each Client's data is scoped by a unique client_id; cross-tenant access is blocked at the application layer
• Row-Level Security is enabled on all database tables; anonymous access is blocked
• Login credentials are stored as a one-way scrypt hash; plaintext passwords are never stored or logged
• No personal data is included in application logs

8. Your Rights

Candidates whose data is processed through BEDROX should direct rights requests to the recruitment agency (Data Controller) that received their application. The agency is responsible for fulfilling those requests.

Client contacts (agency staff) have the following rights under UK GDPR:

• Right of access to your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing

To exercise any of these rights, contact us at hello@theleveragelabuk.com. We will respond within 30 days.

9. Data Processing Agreement

As a Data Processor, we offer a Data Processing Agreement (DPA) to all Clients on request. The DPA governs how we process candidate data on the Client's behalf and includes the sub-processor list above. Contact hello@theleveragelabuk.com to request a copy.

10. Complaints

If you have a concern about how we handle personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113

11. Changes to This Notice

We may update this notice from time to time. We will notify active Clients of material changes. The latest version is always available at this URL.

← Back to BEDROX