Legal
Privacy policy
Last updated: ·Controller: Netvett Ltd (England & Wales)
This privacy policy explains how Netvett Ltd (“we”, “us”, “our”) processes personal information when you use the Netvett platform (“Service”). We are the data controller for that processing under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are and how to contact us
- Legal entity: Netvett Ltd
- Registered office and company number: will be listed here once our Companies House filing is complete. Until then you may request written controller details by emailing our DPO (below).
- ICO registration: we will publish our ICO registration number here once confirmed.
- Data Protection Officer (DPO): reach us at dpo@netvett.io. Structured DPO and notice URLs are published for tooling at …/api/v1/.well-known/dpo-contact.
2. What personal information we collect
Depending on your role (for example employer, recruiter, worker, trainee, researcher) we may process:
- Identity and contact details: name, email, phone, date of birth, photograph or avatar.
- Professional profile: CV content, biography or pitch, sector, licences, registrations, qualifications, availability, referee contact details where you supply them.
- Vetting and compliance artefacts: Right to Work share code and nationality data you submit for verification; correspondence with our review desk; DBS disclosure outcomes and related reference numbers once a live disclosure route is activated; uploads you provide for identity or safeguarding checks where applicable.
- Employment workflow data: applications, vacancy details, shifts, attestations and similar operational records.
- Financial identifiers for payouts: where you connect a payment account via our payments partner, tokens and account metadata are processed by Stripe; we do not store payment card numbers.
- Security and telemetry: authentication factors (such as passkey material or password-derived secrets held as hashes), IP address, browser user-agent, session identifiers, coarse usage events, audit logs recording privileged actions inside the Service.
- Training and accreditation: course enrolments, results, and certificates linked to partnered training pathways.
- Messaging: in-Service messages necessary to fulfil recruitment workflows.
3. Sources of information
- You, when registering or uploading information.
- Organisations who invite users (for example employers adding staff or workers to a tenancy).
- Registries or verification workflows you direct us towards (such as Home Office Right to Work, professional registers once API agreements are live).
- Infrastructure telemetry automatically generated during use.
4. Purposes and lawful bases (UK GDPR)
Where we rely on legitimate interests, we weigh your rights and freedoms. You may object using the contacts below.
| Purpose | Lawful basis |
|---|---|
| Providing accounts, matching, communications | Art. 6(1)(b) performance of a contract |
| Employer-side statutory recruitment checks where you instruct us (RtW pathway, safeguarding-related records) | Art. 6(1)(c) legal obligation · Art. 10 / Art. 9(2)(b) where special-category conditions apply |
| Security, fraud prevention, abuse mitigation | Art. 6(1)(f) legitimate interests |
| Audit trails for regulated sectors and contractual assurance | Art. 6(1)(c) legal obligation · Art. 6(1)(f) legitimate interests where applicable |
| Marketing communications (never sold lists) | Art. 6(1)(a) consent · Art. 6(1)(f) soft business contact where allowed |
| Product improvement that does not involve solely automated eligibility decisions tied to employment outcomes | Art. 6(1)(f) legitimate interests |
Our matching and scoring features are decision-support. Where final hiring or engagement decisions are made, they sit with the employer or customer organisation unless we tell you otherwise in product terms.
5. Recipients and categories of processors
We share information only where necessary:
- Customer organisations you interact with (for example employers reviewing an application) receive the minimum data required for that workflow.
- Training partners when you choose accredited pathways.
- Infrastructure and security: cloud hosting (for example AWS in UK regions), edge protection (for example Cloudflare), email delivery providers, and payment processing (Stripe) under written data processing agreements.
- Professional advisers (lawyers, accountants) under confidentiality terms.
We do not sell personal information and we do not allow third-party advertising trackers on the Service as of the date above.
6. International transfers
Production personal data is hosted in the United Kingdom (including AWS eu-west-2, London). Backups may include the Republic of Ireland where covered by UK adequacy decisions or appropriate safeguards. We do not move customer personal data to jurisdictions without a valid transfer mechanism.
7. Retention
Retention follows our internal data retention schedule (summarised in product documentation and available to customers on request). Headline examples:
- Active accounts: for the life of the account.
- Closed accounts: up to seven years where employment, tax, or dispute records require it.
- Audit logs: typically seven years for regulated workflows.
- In-Service chat: rolling deletion after 90 days of inactivity unless a longer period is required for investigations.
8. Your rights
You may exercise the following rights free of charge in most cases:
- Access (Art. 15) — authenticated users can request an export via the API path documented in the product; others should email dpo@netvett.io.
- Rectification (Art. 16) — update profile fields in-app or contact us where an override is needed.
- Erasure (Art. 17) — use the in-Service erasure request where available (subject to statutory retention carve-outs), or email the DPO.
- Restriction / objection / portability: contact dpo@netvett.io; portability may reuse the structured export artefact where technically feasible.
You may complain to the Information Commissioner's Office: ico.org.uk/make-a-complaint.
9. Cookies and similar technologies
Authentication and security cookies are described in our Cookie notice. There are no advertising cookies unless we update that page and invite consent.
10. Security
A high-level description of defensive controls sits in our Security overview. Coordinate disclosure of vulnerabilities with security@netvett.io.
11. Automated processing
We do not make solely automated decisions that produce legal effects about you without human review, except where any future feature is clearly labelled and consented to separately.
12. Children
The Service is aimed at workforce participants. Accounts are intended for adults aged 18+. If you believe a minor has supplied data, contact dpo@netvett.io.
13. Changes
We update this notice when processing changes materially. Continued use after the effective date constitutes acknowledgement where legitimate; where consent is needed we will capture it expressly.