Privacy Policy

The data controller responsible for your personal data is:

We collect the following categories of personal data:

We use your personal data for the following purposes:

• Providing the service: Processing your application, verifying documents, generating LOMs, submitting to universities, and tracking application status.
• AI document verification: Your uploaded documents are sent to OpenAI's GPT-4o Vision API for automated verification checks (name consistency, attestation stamps, score validity). Documents are not used to train AI models.
• LOM generation: Your academic profile and document data are sent to OpenAI's GPT-4o API to generate personalised Letters of Motivation. This data is not used for model training under OpenAI's API terms.
• Communications: Sending application status updates, document requests, and service notifications via email and WhatsApp Business API.
• Payments: Processing platform fee payments through Paddle.
• Security & fraud prevention: Detecting and preventing fraudulent document submissions or account activity.
• Legal compliance: Meeting obligations under applicable laws.

We do not use your data for advertising, profiling for marketing purposes, or selling to third parties.

We process your data under the following legal bases:

• Contract performance: Processing is necessary to provide the university application service you have signed up for.
• Legitimate interests: Fraud prevention, platform security, and improving service quality.
• Legal obligation: Compliance with applicable laws and regulations.
• Consent: Where we ask for your consent (e.g., optional marketing communications), you may withdraw it at any time.

We share your data only with trusted service providers who assist us in delivering the service. All third parties are bound by data processing agreements and are prohibited from using your data for their own purposes.

We may also disclose data when required by law, court order, or government authority, or to protect our rights and the safety of users.

We retain your data for as long as necessary to provide the service and meet legal obligations:

• Account and profile data: Retained for 3 years after your last activity, then deleted.
• Documents: Retained for the duration of your application and for 1 year after completion or termination, then permanently deleted from storage.
• Payment records: Retained for 7 years to comply with financial record-keeping requirements.
• Application and LOM data: Retained for 2 years after the application cycle is closed.

You may request deletion of your account and personal data at any time (see Section 8). Note that deletion of payment records may be delayed where legally required.

We take appropriate technical and organisational measures to protect your data against unauthorised access, disclosure, alteration, or destruction. These include:

• Data encryption in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls limiting data access to authorised personnel
• Secure, isolated storage for uploaded documents via Supabase Storage
• Regular security reviews and dependency audits

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. Please notify us immediately at privacy@studyssey.com if you suspect a security incident.

You have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request that we correct inaccurate or incomplete data.
• Deletion: Request that we delete your personal data, subject to legal retention requirements.
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Portability: Request your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests.
• Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at privacy@studyssey.com. We will respond within 30 days. We may need to verify your identity before processing your request.

The Platform uses essential cookies to maintain your session and authentication state. These are strictly necessary for the Platform to function and cannot be disabled.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

The Platform is not intended for users under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us at privacy@studyssey.com and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email or by posting a prominent notice on the Platform before the changes take effect.

Your continued use of the Platform after the updated policy takes effect constitutes acceptance of the changes.

For any privacy-related questions, data requests, or concerns, please contact our privacy team: