GPTKIDS LLC
Privacy Policy
Effective Date: April 7, 2026 · Last Updated: April 7, 2026
At GPTKIDS LLC, we respect your privacy and are committed to protecting the personal information
you share with us through Admit Coach & University Finder. This Privacy Policy
explains how we collect, use, and safeguard your data.
1. Information We Collect
Account Information: Name, email address, and password (hashed with bcrypt) when you register.
Academic Profile: GPA, SAT/ACT scores, desired major, class rank, state, and family income bracket — provided voluntarily to enable personalized recommendations.
Extracurricular Activities: Activity names, years of participation, and impact descriptions — provided voluntarily.
College List & Applications: Schools you save, application statuses, essay drafts, and notes — created by your actions on the platform.
Usage Data: Pages visited, features used, timestamps, IP addresses, and user agent strings — collected automatically for security and service improvement.
Chat Conversations: Messages sent to the AI counselor are stored in session history for continuity. Sessions can be deleted by the user.
We do NOT collect: Social Security numbers, exact household income, health information, disciplinary records, or disability status.
2. How We Use Your Information
- Personalized Recommendations: Your academic profile powers admission chance estimates, school matching, test-optional advice, and financial aid projections.
- AI Counseling: Your profile and conversation history are sent to AI language models to generate personalized advice. These providers process data per their own privacy policies and are contractually bound not to use your data for training.
- Service Improvement: Aggregated, anonymized usage data helps us improve features and fix bugs. Individual data is never sold or shared for marketing.
- Security & Compliance: Login attempts, API access, and data modifications are logged for security auditing (SOC 2 CC6/CC7 compliance).
- Communication: Your email address may be used for account verification, password reset, and deadline reminders you opt into.
3. How We Store & Protect Your Data
- Passwords are hashed with bcrypt. Sessions use JWT tokens with HMAC-SHA256 signatures and 24-hour expiry.
- All API endpoints require authentication. Rate limiting prevents brute-force attacks.
- Logging out invalidates your token immediately via a revocation table.
- All data access and modifications are logged with timestamps and user identifiers for compliance.
4. Data Sharing
We do NOT sell your personal data to third parties.
We do NOT share your data with universities, admissions offices, or marketing companies.
- AI Providers: Your profile context and chat messages are sent to AI APIs for AI-powered features. Providers are contractually bound not to use your data for training.
- Family Shares: If you create a family share link, the viewer can see school names, application statuses, and timeline — but NOT essays, financial details, chat history, or your email.
- Legal Obligations: We may disclose data if required by law, court order, or to protect the safety of users.
5. Cookies & Tracking
We use minimal cookies. Authentication tokens and theme preferences are stored in localStorage (not cookies).
We do NOT use third-party tracking cookies, advertising pixels, Google Analytics, Facebook Pixel, or similar tracking tools.
6. Your Rights (CCPA/FERPA)
- Right to Access: View all your data via the Profile page and data export feature.
- Right to Delete: Delete your entire account and all associated data permanently.
- Right to Portability: Export your data as a document via the Profile page.
- Right to Correct: Update your profile information at any time.
- Right to Opt Out: You can stop using the platform at any time. We do not sell data.
- Parental Rights (FERPA): Parents with family share links can view limited student data. Students control what is shared.
To exercise any right, email support@edugaia.com or use the in-app account settings.
7. Data Retention
- Active Accounts: Data is retained as long as your account is active.
- Deleted Accounts: All data is permanently deleted within 30 days of account deletion.
- Audit Logs: Security logs are retained for 1 year for compliance, then purged.
8. Children's Privacy (COPPA)
This platform is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If we discover a user under 13, their account will be deleted promptly. Users aged 13–17 are encouraged to use this platform with parental awareness.
9. Third-Party Links
Our website may contain links to external university websites, accreditation bodies, and scholarship providers. We are not responsible for the privacy practices or content of those third-party websites.
10. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via the platform. Continued use after changes constitutes acceptance of the updated policy.
11. Contact Us
For privacy questions, data requests, or concerns:
Email: support@edugaia.com
Response time: Within 30 days for data access/deletion requests.