Privacy Policy

Identivera is operated by the legal entity registered with the UK Information Commissioner's Office (ICO) as the data controller. The contact point for data protection matters is privacy@identivera.com.

A Data Protection Officer (DPO) will be appointed before public launch. Their contact details will be published here at that time.

The data we collect depends on which side of the platform you use:

Students (free tier)

• Email address (institutional, used as your account identifier)
• University name, course, year of study, graduation year, key modules
• Skills, AI skills, extracurricular activities, personal statement (free-text fields you choose to fill in)
• LinkedIn profile URL (optional)
• CV content generated from the above
• Job application records you log on the platform (status, employer, role title, dates, notes)
• Conversations with Vera, our AI career assistant
• If you choose to start Vera voice: realtime microphone audio is processed to run the call. Identivera does not store raw audio or raw voice transcripts by default; confirmed profile facts may be saved when you agree.
• Connection requests, approvals, and revocations with employers
• If you choose to upload them: right-to-work documents (passport, BRP card, UKVI share code) and student enrolment confirmation. These are stored encrypted (AES-256) and never shared with employers — only the resulting verification badge.

Employers (paid tier)

• Work email address (account identifier)
• Company name, sector, description, culture statement, size
• Skill pathway posts you publish
• Subscription billing details (handled by Stripe — we receive only an opaque customer/subscription ID)
• Connection request history and pipeline records

Operational metadata (everyone)

• Sign-in events with timestamps, hashed IP addresses (HMAC, never raw), and user-agent strings — for security and audit
• Session cookies — see Cookies section below

What we never collect

• Your academic grades. Grades are not stored anywhere on the platform. Our database schema does not contain a grades column.
• Photo identification beyond right-to-work documents. No selfies, no profile photos, no biometric data.
• Payment card details. All card processing is done by Stripe; we never see your card number.
• Date of birth or age beyond the 18+ confirmation at signup. Identivera is an adults-only platform — we capture a one-time confirmation that you are 18 or older and store nothing further about your age.

Different categories of processing rely on different lawful bases under UK GDPR Article 6:

• Contract (Article 6(1)(b)) — operating your account, generating your CV, running job-matching, processing employer subscriptions.
• Explicit consent (Article 6(1)(a)) — sharing your profile and CV with a specific employer. We ask for your individual approval before any employer can see your full profile, and you can withdraw that approval at any time with immediate effect.
• Legitimate interests (Article 6(1)(f)) — security audit logs, fraud prevention, anonymous service-improvement analytics. Balancing test documented in our Records of Processing Activities.
• Legal obligation (Article 6(1)(c)) — right-to-work checks where required by UK immigration law.

• To authenticate you (magic-link sign-in)
• To generate your AI-written CV using Anthropic's Claude API. The system prompt explicitly forbids fabrication — Vera works only from what you provide
• To match you with relevant jobs based on your stated profile
• To allow approved employers to view your profile and CV
• To send transactional email (sign-in links; verdict-change alerts you opt into)
• To detect and prevent fraud, abuse, and security incidents
• To meet legal and regulatory obligations

We do not sell or share your data with third parties for advertising.No analytics cookies, no advertising trackers. Vera's AI processing is bound by Anthropic's data-processing terms, with no use of your data for model training.

We rely on a small set of trusted third-party services to operate Identivera. Each is bound by a written Data Processing Agreement and the safeguards required by UK GDPR Articles 28 and 46.

• Frontend hosting — serves the website and the proxy to our backend
• Backend hosting — runs our API + database + cache
• Anthropic (Claude API) — generates AI-assisted CVs, cover letters, and Vera responses. Anthropic does not train its models on customer data under our agreement
• LiveKit Cloud / LiveKit Inference — carries realtime Vera voice sessions and provides speech-to-text / text-to-speech processing for calls you explicitly start
• Stripe (UK) — handles employer subscription payments
• Resend — delivers transactional emails (sign-in links etc.)
• Sentry (planned) — error tracking with personal-data redaction

Our Records of Processing Activities (ROPA) records the full list, lawful basis per processor, data categories, retention period, and transfer mechanism. Available on request to privacy@identivera.com.

Our preferred data residency is the UK or EEA. Where a sub-processor is established outside the UK (e.g. Anthropic, Stripe US), transfers are made under the UK Extension to the EU-US Data Privacy Framework (where the processor is certified) or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, with a documented Transfer Impact Assessment.

• Active student account — for as long as you keep your account, plus 30 days after deletion to allow recovery from accidental deletion.
• Vera voice audio — realtime only in Identivera. We do not store raw audio or raw voice transcripts by default. If you confirm a profile update during a call, the saved profile fact and Vera audit record follow normal account-retention rules.
• Right-to-work documents — retained only while your account is active; deleted within 30 days of account closure.
• Connection consent records — retained for the duration of your account plus 6 years to evidence GDPR compliance, then deleted.
• Audit logs (sign-in events, connection state changes) — 12 months, then deleted.
• Magic-link tokens — 15 minutes; expired tokens are deleted on the next maintenance cycle.
• Operational logs (server access, errors) — 30 days, with PII scrubbed at write time.
• Anonymised aggregate analytics — indefinite, but contains no personal data.

You have the following rights:

• Access (Article 15) — request a machine-readable copy of all personal data we hold about you
• Rectification (Article 16) — correct inaccurate personal data
• Erasure (Article 17) — request deletion of your account and all associated data
• Restriction (Article 18) — restrict our processing in certain circumstances
• Portability (Article 20) — receive your data in a structured, common, machine-readable format
• Objection (Article 21) — object to processing based on legitimate interests
• Withdrawal of consent (Article 7) — withdraw consent for any specific employer connection at any time, with immediate effect

Exercise these rights via your account settings or by emailing privacy@identivera.com. We respond within 30 days.

If you believe we have breached your rights, you may complain to the UK Information Commissioner's Office at ico.org.uk. You do not need to contact us first.

Identivera is intended for adults. Every user must confirm at signup that they are 18 years of age or older. We do not knowingly collect or process personal data from anyone under 18.

• The signup form requires explicit confirmation of being 18+. Accounts cannot be created without it.
• If we discover that an account was created by someone under 18, we will delete the account and all associated data.
• Parents or guardians who believe a child under 18 has created an account should contact us at privacy@identivera.com; we will action removal promptly.
• No profiling or behavioural tracking. No advertising or marketing emails. These apply to every user, regardless of age.

We apply layered security controls including HTTPS-only transport, magic-link authentication (no passwords), HMAC-signed sessions, CSRF protection, content security policy, application-layer AES-256 encryption of right-to-work documents, hashed IPs in logs, per-IP and per-account rate limiting, and least-privilege admin tooling. The full technical security model is documented at docs/SECURITY.md in our source repository, available on request.

In the unlikely event of a personal-data breach, we follow the UK GDPR notification requirements: ICO notification within 72 hours where required, and direct user notification where there is a high risk to your rights and freedoms.

We use only essential first-party cookies required for the service to function: a session cookie (HttpOnly, SameSite=Lax, Secure in production) and a CSRF token cookie. We do not set analytics, advertising, or any third-party cookies.

We will update this Privacy Policy if we change how we handle your data. Material changes will be highlighted to you in-product before they take effect. The version date at the top of this page reflects the most recent revision.