Privacy Policy
1. Who We Are
Univise (the "Service") is operated by an independent team based in Baku, Azerbaijan ("Univise", "we", "us", "our"). We are the data controller for personal data processed through the Service. You can reach us at privacy@univise.io.
2. What Data We Collect
We collect only what we need to operate and improve the Service. Specifically:
2.1 Information you provide directly
| Category | Examples |
|---|---|
| Account | Email, username, password (stored as a bcrypt hash, never in plain text), full name, optional phone number, language preference. |
| Student profile (optional) | Nationality, target degree level, target field of study, IELTS / TOEFL / GPA, preferred countries, monthly budget, intake. |
| Applications | Programs you save or apply to, personal statements, application notes you write yourself. |
| AI usage | Messages and prompts you submit to AI Features; resulting responses. |
| Support / contact | Any email you send us. |
2.2 Information collected automatically
- IP address and approximate location (used for rate limiting, fraud prevention, and analytics).
- Browser type, operating system, device type.
- Pages visited, search queries, and feature usage on the Service.
- Timestamps of registration, login, and key actions.
2.3 Information from third parties
- Payment status and subscription state from our payment processor (LemonSqueezy). We do not receive your full card number.
- Email delivery status from our email provider (Resend).
3. How We Use Your Data
- Provide the Service โ create your account, authenticate you, run searches, save your applications.
- Personalisation โ calculate match scores against your profile, recommend programs.
- AI features โ process your prompts to generate suggestions and cost insights.
- Billing โ manage Pro subscriptions, invoices, refunds.
- Communication โ send transactional emails (verification, password reset, application status). We do not send marketing emails without your opt-in consent.
- Security โ detect abuse, enforce rate limits, investigate incidents, comply with law.
- Improve the Service โ aggregated, de-identified usage analytics.
We do not sell your personal data to third parties. We do not share it with advertisers or data brokers.
4. Legal Bases for Processing
Where the GDPR applies, we rely on the following legal bases:
- Contract โ to provide the Service you signed up for.
- Legitimate interests โ to keep the Service secure, prevent abuse, and improve features. We balance these interests against your rights.
- Consent โ for optional cookies, marketing emails, and AI features that involve sharing your prompts with third-party AI providers.
- Legal obligation โ to comply with tax, accounting, and court orders.
5. Service Providers (Sub-processors)
To run the Service we rely on a small number of carefully chosen third-party providers, each acting as a data processor under our written instructions and bound by appropriate confidentiality and security obligations. By category, these are:
| Category | Purpose | Data shared |
|---|---|---|
| Cloud hosting and database | Hosting the application, storing user accounts and program data | All Service data (encrypted at rest and in transit) |
| Transactional email | Delivering verification, password-reset, and application-status emails | Your email address, your name, and the relevant message content |
| Payment processing | Processing Pro subscriptions and managing billing | Your email, billing name, and transaction metadata. We do not receive or store full card numbers |
| AI inference | Powering the AI Advisor and AI Cost Insights features | The text of your AI prompts and any profile context you choose to share with the AI |
| Product analytics (optional) | Understanding aggregated usage to improve the Service | De-identified usage events; loaded only after you accept the cookie banner |
We sign data-processing agreements where required and choose providers with strong security postures. The current list of named sub-processors is available on request โ email privacy@univise.io and we will share it with you. We update our providers from time to time and will notify you of material changes through this Policy.
6. International Transfers
The Service is hosted in the United States and our key providers operate globally. If you access the Service from the EEA, the UK, or another jurisdiction with data-export rules, your personal data may be transferred to and processed in countries that do not have an equivalent standard of protection. Where required, we rely on EU Standard Contractual Clauses (SCCs) or equivalent safeguards.
7. Data Retention
- Account data โ kept while your account is active and for up to 12 months after deletion, then purged.
- Application records โ kept while your account is active or until you delete them.
- Billing records โ kept for the period required by law (typically up to 7 years for tax purposes).
- AI prompts and responses โ kept for up to 30 days for abuse prevention, then deleted from our systems. Third-party AI providers may retain prompts under their own retention windows.
- Server logs and analytics โ kept for up to 90 days, then aggregated or deleted.
8. Your Rights
Depending on your jurisdiction, you have some or all of the following rights with respect to your personal data:
- Access โ request a copy of the data we hold about you.
- Rectification โ correct data that is inaccurate or incomplete.
- Erasure ("right to be forgotten") โ ask us to delete your data, subject to legal exceptions.
- Restriction โ ask us to pause processing while a question is resolved.
- Portability โ receive your data in a structured, machine-readable format.
- Objection โ object to processing based on legitimate interests.
- Withdraw consent โ at any time, where processing is based on consent. Withdrawal does not affect prior lawful processing.
- Complain โ to a supervisory authority (in Azerbaijan: the State Service for Personal Data Protection; in the EU: your local DPA).
To exercise any right, email privacy@univise.io. We respond within 30 days. We may need to verify your identity before disclosing or deleting data.
9. Cookies and Local Storage
We use a minimal amount of browser storage:
- Essential cookies / local storage โ used for authentication (your login session token), language preference, dark mode, and saved-program "wishlist" before login. These cannot be disabled without breaking the Service.
- Optional analytics โ only loaded after you accept the cookie banner. We currently use Microsoft Clarity (planned) for product analytics.
We do not use third-party advertising or tracking cookies.
10. Security
We apply industry-standard measures, including:
- HTTPS/TLS for all data in transit.
- bcrypt password hashing.
- JWT tokens with short expiry, account lockout after failed login attempts, and server-side token revocation on logout.
- Rate limiting on sensitive endpoints (registration, login, password reset).
- Encryption at rest on Azure SQL and Blob Storage.
- Strict access control on production systems.
No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you and the relevant authority within 72 hours where required by law.
11. Children
The Service is not intended for users under 16 unless verifiable parental consent is provided. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with data, contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and/or by posting a notice on the Service before the change takes effect.
13. Contact and Complaints
For privacy questions, data requests, or to exercise your rights: privacy@univise.io
Univise ยท Baku, Azerbaijan