ScholarAI / GrantPath — Privacy Policy v1.0
**What this means in 60 seconds**
- We collect the data you give us (profile, documents, interview answers) and
technical data needed to run the service.
- We never sell your data. We only share with a university if you explicitly
toggle the B2B consent and that university has signed a Data Processing Agreement with us.
- You can export every byte we hold about you and request deletion at any
time. Deletion is scheduled 30 days out so you can cancel.
- We treat consent as the legal basis: you can revoke any consent and we
log every change.
1. Who we are
ScholarAI Inc. ("we", "us") is the data controller. The product is also known as GrantPath.
2. What we collect
- **Identifiers**: email, full name, password hash, date of birth, billing
country, IP address, user-agent.
- **Profile**: CGPA, IELTS/TOEFL, GRE, target degree, target countries and
fields, Pakistani university, city, family financial flags.
- **B2B contact (opt-in)**: phone, WhatsApp, LinkedIn/GitHub URLs.
- **Activity**: tracker items, generated SOPs, interview transcripts,
consent grants and revokes.
- **Sensitive data we do NOT collect**: religion, political views, biometric
data. Pakistani PDPB sensitive-data carve-outs apply.
3. Why we use it
- Run the matching, drafting, and interview features you asked for.
- Compute a lead score used internally to prioritise B2B outreach (only when
b2b_share_consent is true).
- Comply with legal obligations (consent records, breach notification,
retention).
- Improve the service in aggregate, anonymised form.
4. Legal bases
- **Consent**: marketing, B2B share, optional analytics cookies.
- **Contract**: running the features you paid for.
- **Legitimate interest**: anti-abuse, fraud prevention, internal analytics
(anonymised).
- **Legal obligation**: retention of consent audit logs and tax records.
5. B2B sharing (off by default)
Profile data is **never** sold or shared with third parties unless the b2b_share_consent toggle is on. With consent we may share a point-in-time snapshot of your profile with universities that have signed a Data Processing Agreement (DPA). Each share is logged in your "Shared With" list. You may revoke consent at any time; revocation stops future shares, but past shares cannot be unsent (this is disclosed in the consent dialog).
6. International transfers
Our services may store and process data in Pakistan, the EU/EEA, the UK, and the United States. We rely on Standard Contractual Clauses, UK International Data Transfer Addendum, and PDPB cross-border safeguards where applicable.
7. Retention
- Application data: 5 years after last login (lets you re-use it).
- SOP and interview transcripts: 2 years.
- Consent audit log: 7 years (for legal defensibility).
- Server logs and IP addresses: 90 days.
- Anonymised analytics records: indefinite, no PII.
8. Your rights
You can: access, export, correct, delete, restrict, port, and object. The product surfaces these through "Settings → Privacy" and:
- `POST /api/v1/privacy/data-export` for a full ZIP of your data;
- `POST /api/v1/privacy/account-deletion` (scheduled 30 days out, cancel
any time).
To exercise rights specifically under GDPR, UK DPA 2018, PDPB, PIPEDA, or CCPA/CPRA, write to **privacy@scholarai.pk**. We respond within 30 days.
9. Children
Minimum age 16. Users 16–18 must provide a parental consent email which we verify before unlocking premium features.
10. Breach notification
If a breach is likely to affect you we notify you and the relevant regulators (PTA Pakistan, ICO UK, EU DPAs) within 72 hours of discovery.
11. Cookies
See the Cookie Policy. Strictly-necessary cookies require no consent; analytics and marketing cookies are opt-in.
12. Contact
privacy@scholarai.pk — Data Protection Officer