Privacy Policy
Effective date: May 22, 2026
This Privacy Policy explains how GlobalPath ("we", "us", "our") collects, uses, stores, and shares personal information when you use globalpathedu.com and our related services (together, the "Service"). By using the Service you agree to this policy.
1. Information we collect
We collect the following categories of data:
- Account information: name, email address, password hash, role (student, recruiter, admin), profile photo if you upload one.
- Inquiry & academic information: information you submit through our inquiry and intake forms, such as your name, email address, phone number, country of origin, target countries, preferred degree level, program interests, test scores (TOEFL/IELTS/GRE/GMAT, etc.), GPA, prior institution, budget, and entry term. You can submit an inquiry without creating an account.
- Documents you upload: transcripts, statements of purpose, recommendation letters, passport copies, visa documents, and other application materials.
- Communications: messages you send to advisors, support tickets, review submissions.
- Referral information: if you join our referral or recruiter program, or sign up using someone else’s referral code or link, we record the referral code and the resulting connection between accounts in order to administer the program.
- Payment information: we do not store card numbers; payments are processed by Stripe, which receives the card details directly from your browser. We retain Stripe’s payment identifier, the amount charged, and the status of the purchase.
- Usage & device information: IP address, user-agent string, request path, and timestamp recorded in server-side logs and at our edge provider (Cloudflare). Used for security, abuse prevention, and debugging only. We do not run client-side analytics or advertising trackers.
- Consent records: when you submit an inquiry, register, or opt into marketing email, we store a record of the permission you granted (which checkbox, on which page, the policy version, your IP, and your user-agent at the time) so we can demonstrate the consent if later challenged.
- Authentication providers: if you log in with Google, we receive your name, email, and profile picture from Google per your consent.
2. Why we process this data (legal bases)
For users in the EU, UK, and EEA, we rely on the following legal bases under GDPR:
- Contract (Art. 6(1)(b)): to create and manage your account, respond to your inquiries, surface relevant university and scholarship listings, process payments, deliver purchased services, provide advisor support, and administer the referral program.
- Legitimate interest (Art. 6(1)(f)): to operate and secure the Service, prevent fraud and abuse, analyze aggregate usage to improve product quality, and respond to your inquiries.
- Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and regulatory requirements.
- Consent (Art. 6(1)(a)): for optional marketing communications.
3. How we share your data
We do not sell your personal data. We do not share your personal data with universities or scholarship providers; the listings on the Service are curated from public sources, and we are not a recruitment agent for any institution. We share data with:
- Service providers that help us run the Service:
  - Stripe, Inc. (payment processing, USA), privacy policy.
  - Hetzner Online GmbH (server hosting, Germany), privacy policy.
  - Cloudflare, Inc. (DNS, CDN, TLS, edge security, USA), privacy policy.
  - Neon, Inc. (managed Postgres database, region: AWS Frankfurt, Germany), privacy policy.
  - Resend, Inc. (transactional email, USA), privacy policy.
  - Google LLC (OAuth sign-in, USA), privacy policy.
- Legal authorities: when required by law, subpoena, or to protect our rights and safety.
- Business transfers: in connection with a merger, acquisition, or sale of assets (with notice to you).
4. International data transfers
Our servers and primary database are located in Germany (EU). Some of our service providers (Stripe, Resend, Cloudflare, Google) are based in the United States. When data is transferred outside the EU/EEA we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and on each provider’s certification under applicable frameworks (e.g., EU–US Data Privacy Framework).
5. How long we keep your data
- Account data: for as long as your account is active, and up to 24 months after deletion for fraud prevention.
- Application documents: for 5 years after the most recent use, or until you delete them via the dashboard.
- Payment records: 7 years for tax and accounting compliance.
- Support communications: up to 3 years after resolution.
- Server logs: up to 90 days.
6. Your rights
Depending on where you live, you may have the following rights over your personal data:
- Access: request a copy of the data we hold about you.
- Correction: ask us to fix inaccurate data.
- Deletion: request erasure of your account and associated data (subject to legal retention obligations).
- Portability: receive a machine-readable copy of your data.
- Objection & restriction: object to processing or ask us to limit it.
- Withdraw consent: for any processing based on consent.
- Complaint: lodge a complaint with your local data protection authority.
Many of these rights can be exercised yourself from the Privacy & Data page inside your account: you can download a machine-readable copy of your data (portability), edit your profile (correction), manage marketing consent, and request account deletion. For anything you can’t complete there, email us at [email protected]. We respond within 30 days.
EU/UK residents (GDPR/UK GDPR): if you believe we have not handled your data properly, you have the right to lodge a complaint with your national data protection authority. You can find your authority via the European Data Protection Board.
California residents (CCPA/CPRA): in addition to the rights above, you have the right to know what personal information we collect, to request its deletion or correction, to opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information. We do not sell or share personal information in the sense those terms are used in the CCPA/CPRA (we do not exchange it for monetary or other valuable consideration, and we do not share it for cross-context behavioral advertising). You may also designate an authorized agent to make a request on your behalf; we will verify the agent’s authority before acting. We do not discriminate against users who exercise their privacy rights.
Brazil (LGPD): data subjects in Brazil have equivalent rights of access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent. Our contact above also serves as the channel for LGPD requests.
Canada (PIPEDA): Canadian users may request access to and correction of their personal information, and may withdraw consent (subject to legal or contractual restrictions) by contacting us at the email above.
7. Security
We use industry-standard measures to protect your data in transit (TLS 1.3) and at rest (AES-256 on our database and file storage). Passwords are hashed with bcrypt. Access is restricted to authorized personnel on a need-to-know basis. Despite these measures, no system is fully secure; if we discover a breach that materially affects your data, we will notify you and, where required, the relevant authorities without undue delay.
8. Cookies and analytics
We do not use third-party analytics, advertising, or cross-site tracking. We log basic server-side request metadata (IP address, user-agent, request path, and timestamp) for security, abuse prevention, and debugging. These logs are retained for up to 90 days.
We use a small number of first-party cookies and one localStorage entry, all of which are strictly necessary or preference-based (no consent required under EU ePrivacy rules):
- Authentication session (cookie set by NextAuth, HTTP-only, expires when you sign out or after the session lifetime): keeps you signed in across pages.
- gp_ref (90-day TTL): records the referral code from a ?ref=CODE URL so we can attribute your sign-up to the correct recruiter or referring user.
- gp-lang (1-year TTL): remembers the interface language you selected.
- gp-theme (stored in browser localStorage, not as an HTTP cookie): remembers your light/dark/high-contrast preference.
You can clear these at any time from your browser’s site-data controls. Clearing the authentication cookie signs you out; clearing the others reverts to defaults and removes referral attribution.
9. Children
GlobalPath is not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If we learn that we have collected such information, we delete it. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].
10. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email and on this page, with the revised effective date above. Continued use of the Service after the changes take effect constitutes acceptance of the updated policy.
11. Contact us
If you have questions or requests regarding this Privacy Policy, contact us at [email protected].
This policy is provided for informational purposes and does not constitute legal advice. Before launch in a new jurisdiction, we recommend a review by local counsel.