This policy explains what personal data GradApp collects, why we collect it, how long we keep it, who we share it with, and your rights under the EU GDPR, UK GDPR, California CCPA/CPRA, and comparable laws. It covers both the website at gradappai.com and the GradApp mobile app on iOS and Android. Our working principle is simple: we collect the minimum needed to make the product useful, and we give you direct control over it.
Data we collect
- Account identity — email, name, and a password hash (or the social-provider identifier if you sign in with Apple or Google). Held by our authentication provider, Neon Auth. We never see or store your raw password.
- Profile details you enter — target program, target disciplines, target countries, current school, GPA, research interests, target intake.
- Your CV — the text you paste or the PDF you upload, plus the analysis we run on it (research themes, strengths, etc.).
- Match activity — which professors we matched you to, the explanation narratives we generated, your shortlist, and any outreach drafts you produce.
- Application tracking — the applications, requirements, deadlines, and reminders you create.
- Mobile-only data — an Expo Push device token (so we can send you notifications), and the photo you select for your avatar (the photo never leaves your device — it's only stored in the device's secure storage).
- Minimal operational logs — request timestamps and error traces, kept up to 30 days. No third-party analytics, no advertising identifiers, no tracking pixels.
What we don't collect
- No advertising identifiers, no fingerprinting, no IDFA.
- No third-party analytics or tracking cookies (no Google Analytics, no Mixpanel, no PostHog, no Segment).
- No transcripts, GPA statements, or financial records unless you explicitly paste them into your CV.
- No location data. The app does not request location permission on either platform.
How we use it
Your CV and profile drive the matching pipeline. Specifically:
- Google Gemini (provider: Google) — reads your CV to extract research themes and ranks candidate professors. Calls are made server-to-server over TLS. Under our agreement your data is not used for provider model training.
- OpenAI embeddings (provider: OpenAI) — generates numeric vector representations of CV themes and faculty research for similarity matching. No raw text identifying you is transmitted; the embeddings cannot be reversed into your CV. Under OpenAI's API terms, API content is not used for training.
- Firecrawl (provider: Firecrawl) — fetches and parses faculty pages on universities' public websites. No user data is sent to Firecrawl; the URLs we crawl are public department listings, not anything tied to your identity.
- OpenAlex (free public scholarly API) — pulls paper metadata for faculty we surface to you. No user data sent.
- Stripe (provider: Stripe) — processes subscription payments if you upgrade to a paid plan. We receive only the subscription status and last-4 of the card; Stripe holds the actual card data under PCI DSS.
- Expo Push (provider: Expo / EAS) — relays push notifications to your device. Only the push token and notification payload (title + body) are sent — never your CV, matches, or other profile data.
- Resend (provider: Resend) — delivers transactional emails (welcome, password reset, application reminders, feedback follow-ups). Receives your email address and the email body we send.
All data flows are over TLS. Your data is isolated from other users at the database level via Postgres Row-Level Security.
How we store it
Data lives in a Postgres database operated by Neon (provider: Neon). Encryption at rest and TLS in transit are on by default. Authentication credentials live in Neon Auth (which uses the same Neon Postgres instance, isolated by schema). Mobile session tokens stay on your device in the iOS Keychain or the Android Keystore — never in regular app storage. We do not sell, rent, or otherwise monetize your data.
Your rights
At any time you can:
- Access — download everything we hold for you as JSON via the in-app export option (Profile → Edit profile → Export my data).
- Correct — update your profile fields from the Edit profile screen on either web or mobile.
- Delete — see the dedicated Delete your account page for the exact steps on web and mobile. Deletion is immediate and irreversible; encrypted backup copies age out within 30 days.
- Object / restrict processing — email privacy@gradappai.com and we'll honor your request.
Retention
We keep your data for as long as you have an active account. Within 30 days of account deletion, all personal data is removed from primary storage; encrypted backup snapshots age out within a further 30 days. Stripe-side payment records may be retained longer where tax or accounting law requires it (typically 7 years).
Data controller and contact
The data controller for the purposes of GDPR/UK GDPR is the operator of GradApp. Contact privacy@gradappai.com for any privacy question, DPO inquiry, or supervisory authority matter.
Children
GradApp is intended for users aged 16 and over (the GDPR digital-consent floor in most member states). We do not knowingly collect data from anyone younger; if you believe a minor has signed up, email us and we'll delete the account.
International transfers
Some of our processors (Stripe, OpenAI, Firecrawl, Resend, Expo) are based in the United States. Where required, transfers rely on Standard Contractual Clauses or the EU–US Data Privacy Framework, depending on the processor.
Changes to this policy
We'll notify you by email (and update the “last updated” date above) for any material change. Trivial wording tweaks won't trigger a notice.