Privacy Policy
1. Introduction
Prova ("we", "our", "us") is committed to protecting your privacy and handling your personal data in an open and transparent manner. This Privacy Policy explains how we collect, use, store, and protect personal information when you use our BS7858 security vetting platform.
We act as a Data Controller for the personal information we process. By using our services, you acknowledge that you have read and understood this Privacy Policy.
2. Information We Collect
2.1 Information from Employers (Super Users)
When you register as an employer, we collect:
- Company name and registration details
- Contact name, email address, and phone number
- Account login credentials (password stored encrypted)
- Payment and billing information
2.2 Information from Candidates
To complete BS7858 vetting, we collect extensive personal information including:
- Identity Information: Full name, date of birth, National Insurance number, passport/driving licence details
- Contact Information: Current and previous addresses (5-year history), phone numbers, email addresses
- Employment History: 5-year employment history including employer names, dates, job titles, and reasons for leaving
- Education History: Qualifications, institutions attended, dates of attendance
- Financial Information: Credit reference data (obtained with consent) for financial probity checks
- Criminal Record Information: DBS check results (obtained with consent)
- Right to Work: Immigration status and right to work documentation
- References: Information provided by your referees
2.3 Special Category Data
BS7858 vetting may require processing of special category data including criminal conviction information. This processing is necessary for reasons of substantial public interest and is carried out with appropriate safeguards.
2.4 Technical Information
We automatically collect:
- IP addresses and browser information
- Device information and operating system
- Usage data and interaction with our platform
- Cookies and similar technologies (see Section 9)
3. How We Use Your Information
We use the information we collect to:
- Conduct BS7858-compliant security vetting and screening
- Verify identity, employment history, and qualifications
- Conduct criminal record checks (DBS) and credit reference checks
- Screen against sanctions lists and watchlists
- Generate vetting reports and certificates
- Process payments and manage accounts
- Communicate with you about your vetting progress
- Comply with legal and regulatory obligations
- Improve our services and platform
4. Legal Basis for Processing
We process personal data under the following legal bases:
- Consent: For DBS checks, credit reference checks, and obtaining references
- Contract: To provide our vetting services to employers and process candidate applications
- Legal Obligation: To comply with BS7858 requirements and employment law
- Legitimate Interests: To prevent fraud, improve our services, and for business administration
- Substantial Public Interest: For processing criminal conviction data as part of employment vetting
5. Data Sharing and Disclosure
We may share your information with:
- Employers: Vetting results and reports are shared with the employer who commissioned the check
- Verification Partners: Credit reference agencies (Experian, Equifax, TransUnion), DBS, HEDD (education verification)
- Previous Employers: To verify employment history and obtain references
- Government Agencies: Home Office (right to work), HMRC, law enforcement (if required by law)
- Service Providers: Cloud hosting (AWS), payment processors (Stripe), email services
We do not sell your personal information to third parties.
6. Data Retention
We retain personal data in accordance with BS7858 requirements:
- Vetting Records: Retained for the duration of employment plus 7 years, or as required by the employer's regulatory obligations
- Unsuccessful Applications: Retained for 6 months then securely deleted
- Account Information: Retained while account is active, plus 7 years for financial records
- Consent Records: Retained for the lifetime of the vetting record
7. Your Rights
Under UK GDPR, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate personal data
- Right to Erasure: Request deletion of your personal data (subject to legal retention requirements)
- Right to Restrict Processing: Request limitation of processing in certain circumstances
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time (this does not affect prior processing)
To exercise any of these rights, please contact us at privacy@useprova.co.uk.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/SSL) and at rest (AES-256)
- Secure cloud infrastructure hosted within the UK/EU (AWS)
- Access controls and authentication measures
- Regular security assessments and penetration testing
- Staff training on data protection
- Incident response procedures
9. Cookies
We use essential cookies to operate our platform, including:
- Session Cookies: To keep you logged in and maintain your session
- Security Cookies: To prevent fraud and protect your account
We do not use advertising or tracking cookies.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through our platform. The "Last updated" date at the top of this policy indicates when it was last revised.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Prova
Email: privacy@useprova.co.uk
Address: Southampton, United Kingdom
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.