Draft — pending legal review. This wording is a working draft and not yet in force. Text in [square brackets] is still to be confirmed.

Privacy Policy

Last updated: July 2026 (draft).

This notice explains what personal information Lenny collects, why, who sees it, how long we keep it, and your rights. We've written it in plain English. If you're a young person, the short version: we only collect what we need to help you find a safe first shift, businesses can't see your contact details unless your parent or guardian says yes, and you can leave at any time.

Who we are

Lenny matches young people aged 14 to 17 with safe, supervised first shifts in hospitality. The data controller is Lenny's Limited, company no. [•], registered office [•]. The Lenny platform is built and run for us by our technology partner, Candid Hospitality, acting as our data processor. For any privacy question, contact [email protected].

What we collect

If you're a young person

  • Your first name and date of birth (to work out your age band and the hours you're legally allowed to work).
  • Your postcode — to match you with nearby businesses. We turn this into an approximate distance on our own servers and never send it to any outside service.
  • Your email address — this is how you log in, and it's the contact detail a business gets, only after your parent or guardian has agreed.
  • Your culture words, a short intro you write, and your availability.
  • Your password, stored scrambled ("hashed") so no one can read it.
  • We do not collect your phone number, surname, home address, or any health or medical information.

If you're a parent or guardian

  • Your email address, and your name if you give it, so we can ask for your consent and tell you each time a business is shown your child's contact details.

If you're a business

  • Your business name, contact name, contact email, named safeguarding lead, postcode, culture profile, the shifts you need, and a hashed password.

Why we use it, and our lawful basis

  • Matching and running your account: for young people we rely on consent, given by a parent or guardian at sign-up.
  • Introducing you to a business: your contact email is shared only after parental consent, and only with a business we've approved.
  • Business accounts: we rely on our legitimate interests and our agreement with the business.
  • Safeguarding: where a concern is raised, we act on it to keep young people safe.

Who can see your information

  • Approved businesses only. We check and approve every business before it can see any candidate.
  • A business first sees a limited profile: first name, approximate area, age band, availability, culture snapshot and your intro, never your full postcode, surname or contact details.
  • Your contact email is shared only after your parent or guardian has consented, and we email them each time it happens.
  • We never sell your data, and we don't use it for advertising or to track you across the web.

Companies that help us run Lenny

Candid Hospitality, our technology partner, builds and runs the Lenny platform for us as our data processor. To deliver the service it uses a small number of trusted providers (sub-processors):

  • DigitalOcean — hosting and our database, in the United Kingdom (London region).
  • Postmark — sends our emails (such as consent and notification emails). Based in the USA.
  • Google (Google Workspace) — receives email sent to our address. Based in the USA and globally.
  • Where data goes outside the UK, we rely on appropriate safeguards [UK IDTA / Standard Contractual Clauses / Data Privacy Framework], and keep the personal data in those emails to a minimum.

How long we keep it

  • Young-person accounts: while active; removed after [12 months] of inactivity.
  • If consent is withdrawn or declined: your data is removed or anonymised promptly (a decline deletes it straight away).
  • Business accounts: for the relationship plus [a set period].
  • Safeguarding records: kept longer where we must, for audit and safety.

Your rights

You can ask us to show you the data we hold about you, correct it, delete it, restrict or object to how we use it, or give you a copy to reuse. Where we rely on consent, you can withdraw it at any time and it takes effect straight away. A parent or guardian can do this for their child, and young people can also act for themselves.

To exercise any right, contact [email protected]. You can also complain to the ICO (ico.org.uk), though we'd appreciate the chance to help first.

Keeping your data safe

We protect your data with encryption in transit (HTTPS), hashed passwords, strict access controls, and a design that keeps contact details walled off until the consent and approval conditions are met. We don't collect phone numbers and we process postcodes locally. No system is perfectly secure, but we take this seriously, especially because our users are young people.

Children

Lenny is designed for 14 to 17 year-olds and follows the ICO's Age Appropriate Design Code: high privacy by default, only the data we need, no nudges or pressure tactics, no profiling for advertising, and clear information for both young people and their parents or guardians. Anyone 18 or over is directed to Candid Hospitality instead.

Back to Lenny