Privacy Policy
Last updated: 3 April 2026
1. Who we are
truvely (“we”, “us”, “our”) operates the website at www.truvely.co.uk. truvely is the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and applicable US privacy laws including the California Consumer Privacy Act (CCPA).
Contact us at: privacy@truvely.co.uk
2. What data we collect
Account data
When you create an account: your full name, email address, and password (stored as a secure hash; we never see your actual password).
Profile data
Information you choose to add to your profile: job title, employer, location, biography, and career history.
Reference data
When a colleague submits a reference for you: their name, work email address, job title, employer, the reference text, skills mentioned, and optionally a video recording.
Usage data
Standard server logs including IP address, browser type, pages visited, and timestamps. This data is retained for up to 90 days.
3. Why we collect it and our legal basis
| Purpose | Legal basis (UK/EU GDPR) |
|---|---|
| Providing the truvely service | Performance of contract (Art. 6(1)(b)) |
| Sending confirmation and reference request emails | Performance of contract (Art. 6(1)(b)) |
| Maintaining account security | Legitimate interests (Art. 6(1)(f)) |
| Improving the service | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Who we share data with
We do not sell, rent, or trade your personal data. We share data only with the following trusted service providers, each bound by appropriate data processing agreements:
- Supabase, database and authentication (servers in EU West).
- Vercel, website hosting.
- Resend, transactional email delivery.
We may disclose your data if required to do so by law or in response to valid requests by public authorities.
5. International transfers
Some of our service providers process data outside the UK and EU. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Agreement (IDTA).
6. How long we keep your data
- Account and profile data: retained while your account is active, then deleted within 30 days of account deletion.
- Reference data: retained while your account is active. Deleted with your account.
- Reference request emails sent to colleagues: retained for 14 days then expired automatically.
- Server logs: retained for up to 90 days.
7. Your rights
Under UK GDPR, EU GDPR, and applicable US law (including CCPA for California residents), you have the following rights:
- Right to access: Request a copy of the personal data we hold about you.
- Right to rectification: Ask us to correct inaccurate or incomplete data.
- Right to erasure: Ask us to delete your personal data (“right to be forgotten”).
- Right to restriction: Ask us to limit how we use your data.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to our processing of your data based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time.
- CCPA rights: California residents have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information.
To exercise any of these rights, contact us at privacy@truvely.co.uk. We will respond within 30 days.
8. Cookies
truvely uses only strictly necessary cookies to maintain your login session. We do not use advertising or tracking cookies. No cookie consent banner is required as we rely solely on session cookies necessary for the service to function.
9. Security
We implement appropriate technical and organisational measures to protect your data, including TLS encryption in transit, bcrypt password hashing, and row-level security on our database. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.
10. Children's privacy
truvely is intended for professional use by adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by displaying a notice on the website. The date at the top of this page shows when it was last updated.
12. How to complain
If you are unhappy with how we handle your data, please contact us first at privacy@truvely.co.uk.
You also have the right to lodge a complaint with a supervisory authority:
- UK: Information Commissioner's Office (ICO), ico.org.uk
- EU: Your local data protection authority.