We want to be straightforward about what data we collect, why we collect it, and what we do with it. This policy covers everyone who uses loocy — students, companies, and visitors to our website.
loocy is operated by [Loocy Ltd], a company registered in England and Wales. We are the data controller for personal information collected through the loocy platform and website.
Registered address: [to be confirmed on incorporation]
ICO registration: [to be confirmed]
Contact: hello@loocy.io
This policy applies to the loocy website at loocy.io and all services provided through the platform, including student accounts, company accounts, problem submissions, portfolio tools, and the loocy AI assistant.
For students, we collect:
| Data | How collected | Why |
|---|---|---|
| Name and email address | At signup | Account creation and communication |
| University, degree, graduation year | During onboarding or profile setup | To show on your profile to companies |
| Career path and specialism preferences | During onboarding | To recommend problems and track your progress |
| Problem submissions and written responses | When you submit | For AI scoring; shared with a company only if you choose to |
| AI scoring results | Generated automatically | To populate your portfolio and provide feedback |
| CV and work experience | Optionally uploaded by you | To display on your loocy profile |
| loocy AI chat conversations | When you use the AI thinking partner | To provide the service and improve AI responses |
| Usage data (pages visited, time on site) | Automatically via cookies | To understand how the platform is used and improve it |
For companies, we collect:
| Data | How collected | Why |
|---|---|---|
| Company name, industry, size, website | During onboarding | Company profile and matching |
| Contact name, job title, work email | During onboarding | Account management and communication |
| Problem briefs and rubric session answers | When posting a problem | To score submissions and generate shortlists |
| Shortlist decisions (contacted, declined) | When reviewing the shortlist | To operate the platform |
| Usage data | Automatically via cookies | Platform improvement |
We do not collect sensitive personal data (race, ethnicity, health, religion, sexual orientation) and our platform is not designed to capture it. If you include such information in a problem submission, CV, or message, it will be stored as part of that content.
We use the personal data we collect for the following purposes:
To operate the platform — creating and managing accounts, processing problem submissions, running AI scoring, generating shortlists, and enabling company-to-student contact.
To provide feedback to students — sharing scored responses, criteria breakdowns, and AI-generated scoring notes with the student who submitted them.
To show companies shortlisted candidates — when a hiring manager reviews a shortlist, they can see a student's name, university, career path, scores, the strengths and weaknesses of their answer, capability graph, and loocy profile. A student's full answer is never shared unless they choose to share it, and contact details are only shared once they accept an invitation.
To improve the platform — we use aggregated, anonymised usage data to understand how loocy is used and make it better. We do not use individual submissions or responses to train AI models without explicit consent.
To communicate with you — account notifications, shortlist alerts, submission confirmations, and product updates. We will not send marketing communications without your consent.
To comply with our legal obligations — record keeping, fraud prevention, and responding to lawful requests.
Under UK GDPR, we are required to have a legal basis for processing personal data. We rely on the following:
| Processing activity | Legal basis |
|---|---|
| Creating and managing your account | Contract — necessary to provide the service you signed up for |
| Scoring submissions and generating shortlists | Contract — core function of the platform |
| Sharing your profile with companies who shortlist you | Contract — you agreed to this when signing up as a student |
| Sending account and service notifications | Contract and legitimate interests |
| Platform analytics and improvement | Legitimate interests — improving the service for all users |
| Marketing communications | Consent — we will ask before sending these |
| Legal compliance and fraud prevention | Legal obligation and legitimate interests |
Companies using loocy — when a company posts a problem you respond to, they receive your scores, the strengths and weaknesses of your answer, your capability graph, and your profile (name, university, career path, portfolio entries, specialism). Your full answer is shared only if you choose to share it, and your email address is not shared until you accept their invitation.
Technology providers — we use the following third-party services to operate the platform. Each is bound by data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and server functions | EU / UK |
| OpenAI | AI scoring and loocy AI chat | USA (Standard Contractual Clauses apply) |
| Vercel | Website hosting | EU / USA (SCC apply) |
We do not sell personal data. We do not share personal data with advertisers or data brokers. We do not use your data for targeted advertising.
Legal requirements — we may disclose personal data if required to do so by law, regulation, court order, or to protect the rights and safety of our users.
Business transfers — if loocy is acquired or merged with another company, personal data may be transferred as part of that transaction. We will notify users before any such transfer takes effect.
We keep personal data for as long as it is needed to provide the service and for the periods set out below:
| Data type | Retention period |
|---|---|
| Student account data | For the duration of the account, plus 2 years after deletion request |
| Problem submissions and scores | For the duration of the account. Removed on account deletion. |
| Company account and problem data | For the duration of the account, plus 6 years (legal record-keeping) |
| loocy AI chat logs | 90 days, then automatically deleted |
| Usage and analytics data | 24 months, then aggregated and anonymised |
| Email communications | 3 years from last contact |
You can request deletion of your account and personal data at any time. See Your Rights below.
We take reasonable technical and organisational measures to protect your personal data against loss, misuse, and unauthorised access. These include:
Encryption of data in transit (TLS) and at rest. Access controls ensuring only authorised personnel can access personal data. Authentication requirements for all platform accounts. Regular review of our data handling practices.
No method of electronic transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at hello@loocy.io.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR.
Under UK GDPR, you have the following rights in relation to your personal data:
To exercise any of these rights, email hello@loocy.io with your name, email address, and what you are requesting. We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
We use cookies and similar technologies to operate the platform and understand how it is used. The cookies we use fall into the following categories:
| Category | Purpose | Can you opt out? |
|---|---|---|
| Essential | Login sessions, security, platform functionality | No — the platform cannot function without these |
| Analytics | Understanding how the platform is used (page views, session length) | Yes — via cookie preferences |
| Preferences | Remembering your settings and preferences | Yes |
We do not use advertising or tracking cookies. We do not use your browsing behaviour to serve you targeted ads.
A full cookie notice will be added before the platform launches publicly.
loocy is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a person under 16 has provided us with personal data, please contact us at hello@loocy.io and we will delete it promptly.
We may update this privacy policy from time to time. When we make changes, we will update the "last updated" date at the top of the page. If the changes are significant, we will notify you by email or by a prominent notice on the platform before the changes take effect.
The most current version of this policy is always available at loocy.io/privacy.
If you have any questions about this privacy policy or how we handle your personal data, please contact us:
Email: hello@loocy.io
Subject line: Privacy enquiry
Address: [Loocy Ltd, registered address — to be confirmed]
We will respond to all privacy enquiries within one month.