Privacy Policy
Effective date: 18 September 2025
Operator / Controller: Zach Hamilton (sole trader), trading as Uniswipe (“we”, “us”, “our”)
Contact: support@uniswipe.co · privacy@uniswipe.co
Postal address: Flat 2, 5 St. John Bosco, Sliema, Malta
1) Scope
This Policy explains how Uniswipe collects, uses, shares, and protects personal data when you visit our site and use our university-matching service (the “Service”). It applies to visitors and users worldwide.
2) Data we collect
- You provide: email, graduation year (used for age gating); academics (GPA/test scores—SAT/ACT/IB/AP), intended major, regions/languages, extracurricular “hooks”, swipe actions, and (optionally) international-student status, financial-aid interest, first-generation indicator.
- Automatically: IP address, device/browser/OS, referrer/UTM, coarse geolocation; privacy-friendly analytics events (Plausible), bot checks (Cloudflare Turnstile), and error diagnostics (Sentry).
We do not request name/phone or payment data at MVP. We do not intentionally collect GDPR special-category data.
3) Purposes & legal bases
- Provide matching & email your shortlist — consent.
- Share/sell to universities & education partners (only if you opt in) — consent.
- Security/anti-abuse & analytics/product improvement — legitimate interests.
- Compliance & record-keeping (consent logs, suppression lists) — legal obligation / legitimate interests.
We do not use your data for cross-context behavioral advertising or retargeting.
4) Selling or sharing (only with your consent)
With your explicit opt-in, we may disclose your information to universities/colleges, education providers (test prep/tutoring), scholarship platforms, student-finance providers, and reputable education-focused data brokers. We keep consent logs and exclude anyone who opts out.
5) Automated profiling
We compute a reach/match/safety band from your inputs. This is informational only and not used for legal, credit, housing, or employment decisions.
6) Your rights
EU/UK GDPR: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent (we respond in ~30 days).
US-CA (CPRA): know, delete, correct, and opt out of sale/share (we respond in ~45 days). Submit requests at /privacy-request or email privacy@uniswipe.co.
7) Retention
- User data: 24 months after last activity, then deletion/de-identification.
- Consent & rights logs: 5 years.
- Email suppression list: kept indefinitely to respect unsubscribes.
8) Security
TLS in transit, encryption at rest (Supabase), Row-Level Security (RLS), least-privilege access, monitoring (Sentry), backups, and a breach-response process. No method is 100% secure, but we take appropriate steps to protect your data.
9) International transfers
We use US-based processors (e.g., Supabase US region, Vercel, Resend, Sentry, Upstash, Cloudflare). For EU/UK data we rely on Standard Contractual Clauses (SCCs) and appropriate safeguards.
10) Children
We gate by graduation year and do not accept submissions from under-age users (EU/UK 16+, US 13+). If we learn a child’s data was submitted, we delete it and instruct partners to delete it.
11) Your choices
- Withdraw consent at any time.
- Do Not Sell or Share My Personal Information (we honor GPC where feasible).
- Unsubscribe via link in every email.
12) Changes
We may update this policy; material changes will be posted with a new effective date.