Privacy Policy
Last updated: 23 February 2026
1. Controller
The data controller for personal data processed through the Unifolio platform is Unifolio OÜ, a private limited company incorporated in Estonia with registry number 17442831, registered address Juhkentali 8, 10132 Tallinn, Estonia.
For all privacy-related enquiries, please contact us at [email protected].
2. What data we collect
We collect and process the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, profile picture | Provided by you via Clerk authentication |
| Quiz responses | Budget range, preferred states, major interests, campus preferences, priority weights | Provided by you when completing the college-matching quiz |
| Usage data | Pages visited, quiz sessions started/completed, AI advisor messages, shortlisted schools | Collected automatically via our servers |
| Organisation data | Organisation name, type, member list, quiz completion status | Provided by counselors when creating or managing an organisation |
| Billing data | Stripe customer ID, subscription ID, payment status | Generated by Stripe when you subscribe to a paid plan; we never store card numbers |
| Technical data | IP address, browser type, device type, session identifiers | Collected automatically; used for security and performance |
3. Legal basis and purposes
We process your personal data on the following legal bases under GDPR Article 6:
- Performance of a contract (Art. 6(1)(b)) — to provide the college-matching quiz, generate personalised results, operate the AI advisor, and manage your account and any paid subscription.
- Legitimate interests (Art. 6(1)(f)) — to improve our service, detect fraud, ensure platform security, and send transactional emails (e.g. welcome emails, payment confirmations). We have assessed that these interests are not overridden by your rights.
- Compliance with legal obligations (Art. 6(1)(c)) — to retain billing records as required by Estonian accounting law.
- Consent (Art. 6(1)(a)) — where we explicitly ask for your consent (e.g. optional marketing communications). You may withdraw consent at any time.
4. How we use your data
We use the data we collect to:
- Create and maintain your account;
- Run the college-matching algorithm and surface personalised university shortlists;
- Power the AI advisor with context from your quiz responses and match results;
- Allow counselors to track quiz completion and match scores for their student cohort;
- Process payments and manage subscriptions via Stripe;
- Send transactional emails (welcome, billing confirmations, payment failure alerts);
- Detect and prevent abuse, fraud, and security incidents;
- Comply with applicable legal obligations.
We do not sell your personal data to colleges, universities, third-party advertisers, or any other party.
5. Data sharing and sub-processors
We share personal data only with the following categories of recipients:
| Recipient | Purpose | Location |
|---|---|---|
| Clerk Inc. | Authentication and user management | USA (SCCs in place) |
| Stripe Inc. | Payment processing and subscription management | USA (SCCs in place) |
| Resend Inc. | Transactional email delivery | USA (SCCs in place) |
| Manus AI (hosting) | Cloud infrastructure, database, file storage | USA (SCCs in place) |
| RapidAPI / College Scorecard | University data enrichment (no personal data shared) | USA |
Where data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an adequate level of protection.
6. Retention
We retain personal data for as long as necessary to fulfil the purposes described above:
- Account and quiz data — retained for the duration of your account and deleted within 30 days of account deletion upon request.
- Billing records — retained for 7 years as required by Estonian accounting law (Raamatupidamise seadus § 12).
- Server logs — retained for up to 90 days for security and debugging purposes.
7. Your rights
Under the GDPR, you have the following rights with respect to your personal data. To exercise any of these rights, please contact us at [email protected].
- Right of access (Art. 15) — obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your data where no legal obligation requires us to retain it.
- Right to restriction (Art. 18) — request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to lodge a complaint — you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee) or the supervisory authority in your country of residence.
We will respond to all requests within 30 days. In complex cases we may extend this by a further two months, in which case we will notify you.
8. Cookies and local storage
Unifolio uses browser local storage (not cookies) to persist your quiz progress between sessions so you do not lose your answers if you close the browser tab. This data is stored entirely on your device and is not transmitted to our servers unless you choose to save your results.
We use a session cookie set by our authentication provider (Clerk) to keep you signed in. This cookie is strictly necessary for the functioning of the service and does not require consent under the ePrivacy Directive.
We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These include HTTPS encryption in transit, hashed session tokens, role-based access controls, and regular dependency updates. No system is completely secure; if you believe your data has been compromised, please contact us immediately at [email protected].
10. Children
Unifolio is intended for use by high school students aged 13 and above. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Your continued use of Unifolio after the effective date of any changes constitutes your acceptance of the updated policy.
12. Contact
Unifolio OÜ
Registry number: 17442831
Juhkentali 8, 10132 Tallinn, Estonia
Email: [email protected]