Legal

Privacy Policy

What we hold, why we hold it, how long we keep it, and the rights you have over your data.

Draft, pending legal review. This page describes the data-handling mechanisms Ovation actually enforces. The final wording is being reviewed by a solicitor before launch and may change.

Ovation is an independent, Irish review platform for service businesses. This policy explains how we handle your personal data under the General Data Protection Regulation (GDPR).

What we hold, where, and why

The personal data Ovation processes, its lawful basis, and how long we keep it.
DataWhere it livesLawful basisRetention
Account: email, phone, display nameApplication databaseContract and legitimate interestUntil you erase your account
Sign-in one-time codesKey store (hashed)Contract10 minutes
SessionsKey store (opaque token)Contract30 days
Reviews and sub-ratingsApplication databaseLegitimate interestUntil erasure or removal
Proof of transaction (uploaded file)Private EU file storeConsentA short window (30 days by default), then deleted
Proof verification resultApplication databaseLegitimate interestRetained (no raw file)
Instructor ADI-card image (identity proof)Private EU file storeConsentA short window (30 days by default), then deleted
Instructor-claim verdict and statusApplication databaseLegitimate interestRetained (no raw image; the note and verdict are scrubbed on erasure)
Moderation and audit logApplication databaseLegal obligation and legitimate interestRetained, holds no personal contact data

How we minimise your data

  • Proof-of-transaction files are sensitive documents. They live in a private file store, pinned to the EU, for a short window only. At expiry the raw file is deleted automatically and we keep only the verification result. We never build up an archive of receipts.
  • Instructor ADI registration-card images, submitted when an instructor claims a profile, are treated the same way. They are stored privately, screened by an advisory AI check, then deleted at expiry. Only the structured verdict and claim status survive. A human moderator makes the ownership decision. The AI is advisory only.
  • The audit log records identifiers and actions only. It never records your email or the contents of a document.
  • We never store passwords. Sign-in codes are stored hashed and compared in constant time.

Where your data is stored

Personal data does not leave the EU. The private file store for proof and identity documents is pinned to the EU jurisdiction, and the application database is hosted in the European region.

Your rights

Right to erasure (Article 17)

You can delete your account at any time. When you do, we scrub your email, phone and display name, and mark the account deleted. Your review content is removed from public view and from scoring, and its sub-ratings are deleted. We purge your proof files and any instructor-claim card images from the file store, and tombstone the claim record so no personal data survives while keeping the record itself for provenance. Any instructor profile you claimed is unclaimed. Existing sessions stop working immediately.

Right of access and portability (Article 15 and 20)

You can ask for a copy of everything we hold about you. We return it as a structured file, with proof documents represented as metadata only.

Contact

To exercise any of these rights, or with any question about how we handle your data, contact us through the platform. We are based in Ireland and you also have the right to lodge a complaint with the Data Protection Commission.