Vidhya — Privacy Policy
Operated by Super Apply LLC
Website: govidhya.com
Contact: hello@govidhya.com
Last Updated: May 26 2026
Effective Date: May 26 2026
1. Introduction
1.1 About this Policy
This Privacy Policy ("Policy") explains how Super Apply LLC ("Super Apply," "we," "us," or "our"), the operator of the Vidhya platform ("Vidhya" or the "Service"), collects, uses, discloses, retains, and protects personal information about you when you access or use the Service through govidhya.com, our mobile applications, our APIs, or any other channel through which the Service is delivered.
This Policy applies in conjunction with our Terms and Conditions ("Terms") and any other notices we provide at the point of collection (for example, just-in-time prompts when you enable Gmail Integration or upload a document). If there is a conflict between this Policy and a specific notice we provide at the point of collection, the more protective provision applies.
1.2 Who is the Controller / Business
For purposes of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and similar laws that designate a "controller," and for purposes of the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA") and similar US state laws that designate a "business," Super Apply LLC is the controller / business that determines the purposes and means of processing personal information through the Service, except where we expressly act as a processor or service provider on behalf of a third party.
If we are required to designate a representative in any jurisdiction (for example, an EU GDPR Article 27 representative or a UK GDPR representative), the contact details for that representative will be listed in Section 22 once appointed.
1.3 Scope
This Policy applies to all individuals who interact with the Service, including:
- Registered Users on the Explorer, Navigator, or Constellation plans;
- Visitors who browse govidhya.com without registering;
- Parents, legal guardians, and other Authorized Adults who provide consent on behalf of a Minor User;
- Recipients of email communications drafted or sent through the Service (to a limited extent — see Section 8);
- Advisors and other personnel accessed through the Service (separate notice may apply to advisors in their professional capacity);
- Visitors who contact us at hello@govidhya.com for support or other purposes.
1.4 Definitions
Terms used in this Policy carry the meanings given in the Terms. Additional defined terms:
- "Personal Information" or "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. It includes, where applicable, the broader definitions used under GDPR, CCPA/CPRA, and other laws.
- "Process" or "Processing" means any operation performed on Personal Information, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, restriction, erasure, or destruction.
- "Sensitive Personal Information" means Personal Information that is afforded heightened protection under applicable law, including (where applicable) data revealing racial or ethnic origin, religious or philosophical beliefs, sexual orientation, biometric data used to uniquely identify an individual, health information, precise geolocation, government-issued identifiers, financial account information, and the contents of mail, email, and text messages.
2. Summary at a Glance
This summary is provided for convenience only. The full Policy below controls.
- What we collect: Account info, profile/academic info you share, your chats with our AI Advisor, university and scholarship lists you build, application materials you upload, optional Gmail data you authorize, payment info handled by our processors, and standard usage and device data.
- Why we collect it: To provide the Service, generate AI Advisor responses, help you organize applications, draft and (with your one-click approval) send emails on your behalf via your Gmail account, charge you for Paid Plans, secure the Service, comply with law, and improve the Service.
- AI training: We do not use the contents of your private chats, application essays, or email drafts to train publicly available AI models, except for de-identified, aggregated analytics or where you have given separate consent.
- Gmail: We use Google user data only to provide the Gmail Integration features you can see in the Service, in line with Google's Limited Use requirements. We do not sell it, do not use it for ads, and do not use it to train generalized AI models.
- Children: The Service is designed to be usable by high-school students, including Minors above the applicable digital-consent age in their country. We require parental or guardian consent where the law requires it and apply additional protections for Minors.
- Your rights: Depending on where you live, you have rights to access, correct, delete, export, restrict, opt out of certain processing, and complain to a regulator. See Section 13.
- Contact: Email hello@govidhya.com for any privacy question, complaint, or request.
3. Information We Collect
We collect Personal Information in three ways: (a) information you provide directly; (b) information we collect automatically when you use the Service; and (c) information we receive from third parties you authorize.
3.1 Information You Provide Directly
Account registration: Your name, email address, password (hashed), and country of residence. If you sign up using Google or another third-party identity provider, we receive the profile fields you authorize that provider to share (typically name, email, and profile picture).
Academic profile: Information you choose to enter about your educational background, current school, intended field of study, target start year, target degree level (e.g., undergraduate, master's, doctoral), target countries, standardized-test scores (e.g., IELTS, TOEFL, SAT, ACT, GRE, GMAT), and similar information used to personalize your experience and the AI Advisor's responses.
Application materials: Drafts of personal statements, statements of purpose, essays, CVs, transcripts, recommendation requests, and related documents that you create, paste, or upload into the Service.
Application Board content: Names of Educational Institutions you are tracking, application stages, requirements checklists, deadlines, notes, and any other content you place on the Kanban-style Application Board.
AI Advisor conversations: The prompts you submit to the AI Advisor, the AI Advisor's responses, any documents or context you attach to prompts, any to-do items generated from your conversations, and any feedback (e.g., thumbs up / thumbs down) you give on responses.
Email drafts and metadata: If you enable the Gmail Integration, the recipients, subjects, and bodies of email drafts prepared through the Service, your edits to those drafts, and metadata about when you send drafts via Gmail. See Section 8 for the full Gmail Integration disclosure.
Saved scholarships and search history: Scholarships you save, filter, or click on; searches you perform within the scholarship finder; and similar interactions used to make the search experience more useful.
Advisor session content: If you book a session with an advisor accessed through the Service, the topic you provide at booking, scheduling information, your time zone, and (where you consent or where session content is exchanged through the Service) the text or recordings of those sessions.
Payment and billing information: When you purchase a Paid Plan, our payment processors (currently expected to include [Stripe and/or other processors — confirm]) collect your payment-card or bank-account details, billing address, and tax-relevant information. Super Apply does not directly store your full payment-card number; we store only tokenized references, the last four digits, card type, expiration, and billing zip/postal code as needed to manage your subscription.
Communications with us: Any messages you send to hello@govidhya.com or via in-app support channels, including the contents of those messages and any attachments you provide.
Survey and feedback responses: If you respond to a survey, leave a review, participate in a user research interview, or otherwise volunteer feedback, the information you choose to share.
Information about third parties you provide: Where you supply us with information about other people — for example, a recommender's email address, a professor's contact details, a parent's email address for consent verification, or a friend's information for referral programs — you represent that you have the necessary right to share that information with us for the purposes described in this Policy. We rely on you for that representation.
Authorized Adult information: If you are a Minor, the name, email, and consent record of your parent or legal guardian.
3.2 Information Collected Automatically
Device and connection information: IP address, approximate location derived from IP address (city or region level, not precise GPS), browser type and version, operating system and version, device type, screen resolution, language preference, time zone, and the referring URL.
Usage information: Pages and screens you view; features you use; buttons you click; the time, frequency, and duration of your activity; searches you run; AI Advisor usage statistics (e.g., message counts and token counts for plan-limit enforcement); errors and crashes; and performance metrics. We use this for product analytics, plan-limit enforcement, debugging, fraud prevention, and improvement of the Service.
Cookies and similar technologies: See Section 14 for details on cookies, local storage, web beacons, and similar technologies.
Log data: Standard server logs including timestamps, request methods, response codes, and request paths.
Inferences: We may derive inferences from the above — for example, that you are likely interested in a particular country or degree level — to personalize features. Such inferences are treated as Personal Information.
3.3 Information from Third Parties
Google (if Gmail Integration enabled): Gmail content described in Section 8.
Third-party identity providers (if you use them to sign in): Profile fields you authorize the provider to share, in line with that provider's policies.
Payment processors: Limited information needed to confirm a transaction (e.g., approval/decline status, last four digits of card).
Public sources: Publicly available information about Educational Institutions, scholarships, faculty members, and similar items that we incorporate into the Service. This may include publicly listed professor email addresses on university faculty pages.
Service providers: Information from our analytics, error-monitoring, anti-fraud, and email-delivery providers about your interactions with the Service.
3.4 Sensitive Personal Information
The Service is not designed to require Sensitive Personal Information. We ask you to refrain from submitting Sensitive Personal Information (for example, information about your religion, ethnicity, health, or sexual orientation) unless it is directly necessary for the application or scholarship you are pursuing.
We acknowledge, however, that:
- Application essays, scholarship applications, and similar documents may include such information (for example, an essay about overcoming a health condition, or a diversity-scholarship eligibility question);
- IP-derived location is, in some jurisdictions, treated as Sensitive Personal Information when it is sufficiently precise — our IP-derived location is approximate, not precise GPS;
- Payment account information is treated as Sensitive Personal Information under certain US state laws.
Where you do provide Sensitive Personal Information, you authorize us to process it for the purposes described in this Policy (including providing the Service, generating AI Advisor responses, and storing it on your behalf). Where applicable law requires explicit consent for the processing of certain Sensitive Personal Information, we will obtain that consent at the appropriate time.
3.5 No Collection of Government IDs in Default Flows
Our default user flows do not require national ID numbers, passport numbers, visa numbers, social security numbers, or similar government identifiers. Please do not paste such identifiers into the AI Advisor or upload documents containing them unless strictly necessary. Where Beta Features (such as the Relocation Planner or Mock Visa Interview) may incorporate visa-related content in the future, we will provide specific notice and consent flows before any such information is collected.
4. How We Use Personal Information
We use Personal Information for the purposes described below. Each purpose is paired with the corresponding legal basis under GDPR / UK GDPR (Section 5) and, where relevant, the disclosure category under US state laws.
4.1 To Provide and Operate the Service
- Create, authenticate, and maintain your Account;
- Display your Application Board, saved scholarships, to-do lists, and other personalized content;
- Generate AI Advisor responses to your prompts, including by passing your prompt and relevant context to third-party AI providers acting as our sub-processors (see Section 9);
- Allow you to draft emails and, with your explicit one-click confirmation, send them through your authorized Google account (see Section 8);
- Schedule and facilitate advisor sessions you book;
- Process payments and manage subscriptions;
- Provide customer support in response to your messages.
4.2 To Personalize and Improve the Service
- Tailor recommendations, university suggestions, scholarship matches, and to-do items to your profile and stated goals;
- Measure aggregate usage to identify features that are working well or poorly;
- Conduct A/B tests, user research, and product experimentation, using pseudonymized or aggregated data where feasible;
- Train, fine-tune, or evaluate AI models only as described in Section 6 (and not on private chat content, essays, or email drafts without your separate consent).
4.3 To Communicate with You
- Send transactional and service messages (account confirmations, password resets, deadline reminders you have configured, billing receipts, policy updates, security alerts);
- Where you have not opted out, send product-update and marketing emails about new features, tips for using the Service, and similar matters;
- Respond to your support inquiries.
4.4 To Secure the Service and Prevent Abuse
- Detect, investigate, and prevent fraud, abuse, security incidents, account takeovers, and violations of the Terms or this Policy;
- Enforce rate limits and plan limits;
- Investigate misuse of the Gmail Integration or other email functionality;
- Detect and respond to spam, phishing, prompt-injection attacks, and abuse of the AI Advisor.
4.5 To Comply with Legal and Regulatory Obligations
- Respond to lawful requests from public authorities, including subpoenas, court orders, and similar legal process;
- Comply with tax, accounting, and record-keeping obligations;
- Comply with consumer-protection, child-protection, and other applicable laws;
- Establish, exercise, or defend legal claims;
- Cooperate with regulators investigating complaints.
4.6 For Corporate Transactions
- Evaluate, negotiate, and complete mergers, acquisitions, financings, restructurings, asset sales, or similar transactions involving Super Apply, subject to the protections in Section 9.5.
4.7 For Other Purposes with Your Consent
We may use Personal Information for other purposes not listed above only with your specific consent or as required or permitted by law.
5. Legal Bases for Processing (EEA, UK, and Similar Jurisdictions)
If you are located in the EEA, UK, or another jurisdiction that requires a legal basis under GDPR-style law, our legal bases for processing Personal Information are:
- Performance of a contract (GDPR Art. 6(1)(b)): processing necessary to provide the Service you have asked us to provide, including delivering AI Advisor responses you have prompted, drafting emails you have asked to be drafted, maintaining your Application Board, and processing payments.
- Legitimate interests (GDPR Art. 6(1)(f)): processing necessary for our legitimate interests in operating, securing, debugging, improving, and personalizing the Service; preventing fraud and abuse; conducting analytics; communicating about service features; and managing our business — provided those interests are not overridden by your rights and freedoms. You have the right to object to processing on this basis (Section 13).
- Consent (GDPR Art. 6(1)(a); Art. 9(2)(a) where applicable to special-category data): processing where we have asked for and obtained your specific, informed consent (for example, enabling the Gmail Integration, sending marketing emails in jurisdictions where consent is required, processing Sensitive Personal Information where applicable, or using non-essential cookies). You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Compliance with legal obligation (GDPR Art. 6(1)(c)): processing necessary to comply with our legal obligations, including tax records, responding to lawful requests, and child-protection requirements.
- Vital interests (GDPR Art. 6(1)(d)): processing necessary to protect the vital interests of you or another person (used only in rare safety-critical situations).
- Parental consent for children (GDPR Art. 8): for Users below the age of digital consent in their jurisdiction, processing is conditional on the consent of, or authorization by, the holder of parental responsibility.
6. AI Features and Automated Processing
6.1 How AI is Used in the Service
The Service uses artificial intelligence — including large language models provided by third parties (currently expected to include [OpenAI, Anthropic, and/or Google AI services — confirm at launch]) — to generate AI Advisor responses, drafts of cold emails to professors, summaries of university web pages, scholarship match suggestions, AI-generated to-do lists, and similar Service Output. To deliver these features, we transmit your prompts and the limited context needed to respond (which may include selected portions of your academic profile, your Application Board entries, your saved searches, and, where the Gmail Integration is enabled and you initiate a draft, relevant email content) to those third-party AI providers, who act as our sub-processors.
6.2 Training Data Policy
Subject to the more-specific Gmail rules in Section 8.6:
- We do not use the content of your private AI Advisor chats, application essays, statements of purpose, email drafts, or other personal application materials to train publicly available or generalized AI models, except for de-identified or aggregated data as permitted by applicable law, or where you give us your specific, separate consent (for example, by opting in to a research program).
- We may use the fact of usage (e.g., aggregated counts of messages, types of features used, error rates) to improve the Service.
- We may use specific prompts and responses to investigate and remediate abuse, errors, or safety issues.
- Where our third-party AI providers offer enterprise or "zero data retention" / "no training" configurations, we make reasonable efforts to operate the Service under those configurations. The current data-handling commitments of our AI sub-processors are listed at [govidhya.com/subprocessors] (or, until that page exists, available on request from hello@govidhya.com).
6.3 Solely Automated Decisions
The Service does not make decisions that produce legal effects concerning you or that similarly significantly affect you solely on the basis of automated processing. Specifically:
- Admissions decisions are made by Educational Institutions, not by us;
- Scholarship awards are made by awarding organizations, not by us;
- Visa decisions are made by government authorities, not by us;
- AI Advisor recommendations are advisory in nature; you remain in control of all decisions about your applications, your communications, and your education.
Where in future we introduce a feature that could be considered solely automated decision-making with significant effects under GDPR Article 22, we will provide additional notice, obtain consent or another lawful basis as required, and offer the right to obtain human review.
6.4 AI Output Accuracy
AI Output can be inaccurate, incomplete, outdated, or fabricated. See the AI provisions in our Terms (Section 8 of the Terms) for full disclosures. From a privacy standpoint, this means:
- AI Output may include incorrect statements about you (for example, mistakenly attributing a course or credential to you). You have the right under applicable law to correct inaccurate Personal Information held about you (Section 13).
- AI Output may include incorrect statements about third parties (for example, a misattributed paper for a professor). If you become aware of such inaccuracies in content the Service has stored, please notify us.
7. Cookies, Tracking Technologies, and Analytics
7.1 Categories of Cookies and Similar Technologies
We use the following categories:
- Strictly necessary cookies and local storage, required for the Service to function (e.g., session cookies, authentication tokens, CSRF tokens, load-balancer cookies, the cookie that records your cookie choices). These cannot be turned off in our cookie banner because the Service will not work without them.
- Functional cookies and local storage, used to remember preferences (e.g., dark mode, language, last-viewed Kanban column).
- Analytics cookies and SDKs used to understand aggregate usage of the Service (e.g., [Plausible, PostHog, Mixpanel, Google Analytics 4, or other — confirm]). Where required by law, we obtain consent before placing these.
- Performance and error-monitoring tools (e.g., [Sentry, Datadog RUM, or other — confirm]).
- No advertising cookies. We do not currently use cookies to deliver targeted advertising on the Service or to share Personal Information with advertising networks.
7.2 Cookie Consent and Choices
Where required by applicable law (including the EU ePrivacy Directive, UK PECR, and similar regimes), we present a cookie banner at first visit through which you can accept, reject, or manage non-essential cookies. You can change your choices at any time through the "Cookie Settings" link in the footer of govidhya.com.
You can also control cookies through your browser settings, including deleting existing cookies and blocking new ones. If you do so, parts of the Service may not function correctly.
7.3 Do Not Track and Global Privacy Control
Our Service does not respond to browser "Do Not Track" signals at this time, because there is no consensus standard for interpreting them. We do recognize Global Privacy Control (GPC) signals as opt-out-of-sale / opt-out-of-sharing requests for users in jurisdictions where GPC is recognized as a legally effective opt-out mechanism (including California). When we detect a valid GPC signal from your browser, we treat it as an opt-out of "sale" and "sharing" as defined under the CCPA/CPRA for that browser.
8. Gmail Integration — Google API Limited Use Disclosure
This Section 8 supplements the rest of this Policy with respect to data received through Google APIs.
8.1 Scopes Requested
If you choose to enable the Gmail Integration, Vidhya requests OAuth scopes from your Google account to allow the Service to draft, read context for, and send emails on your behalf. The exact scopes requested are presented to you on Google's consent screen at the time you authorize. Common scopes used include those that allow the Service to compose, read, send, and modify messages necessary to perform the email-drafting features (for example, gmail.compose, gmail.send, gmail.modify, and gmail.readonly, or the more limited subset enabled at any given time).
You can review and revoke these permissions at any time by visiting your Google account at https://myaccount.google.com/permissions.
8.2 Compliance Statement
Vidhya's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
8.3 What We Do with Google User Data
We use Google user data only to provide and improve the user-facing Gmail Integration features that are prominent in the Vidhya interface. Specifically:
- We may read messages in your inbox only as needed to provide context for features you have requested (for example, to detect prior correspondence with a professor you are drafting to, to identify deadlines mentioned in admissions emails, or to organize emails by university), and only as needed at the moment of use.
- We draft outbound messages on your behalf based on your prompts and the context you supply, and present those drafts to you for review.
- We send messages only when you explicitly click "Send" or an equivalent confirmation action in the Vidhya interface. We do not send mail autonomously.
- We display Gmail-derived content (such as message previews and thread context) inside the Service only to the User who owns the underlying Google account.
8.4 What We Do Not Do with Google User Data
- We do not sell Google user data;
- We do not transfer Google user data for purposes other than providing the Vidhya features you have asked for, except: (i) to specific sub-processors strictly necessary to deliver those features (for example, our AI provider for the limited purpose of producing your requested draft); (ii) for security investigations of suspected abuse; (iii) to comply with applicable law or valid legal process; or (iv) as part of a merger, acquisition, or sale of assets, in which case we will provide notice and continue to honor the Limited Use commitments;
- We do not use Google user data to serve advertising, including any retargeted, personalized, or interest-based advertising;
- We do not allow humans to read Google user data, except: (i) with your specific affirmative consent; (ii) for security investigations of suspected abuse; (iii) where required by applicable law; or (iv) where the data has been aggregated and de-identified and is being used for internal operations;
- We do not use Google user data to develop, improve, or train generalized or non-personalized artificial-intelligence or machine-learning models, including by sending it to AI providers for training purposes. AI processing of Google user data occurs solely as needed to produce the user-facing feature you are using at that moment.
8.5 Sub-processors of Google User Data
Where it is necessary to share Gmail content with a sub-processor to produce the user-facing feature you have requested (for example, to ask an AI provider to draft an email), we do so only with sub-processors that have committed to data-handling terms consistent with the Limited Use requirements, including no-training and limited-retention commitments where available. The current list of such sub-processors is available at [govidhya.com/subprocessors] or on request from hello@govidhya.com.
8.6 Retention of Google User Data
We retain Google user data only as long as needed to provide the requested feature. Drafts you create are retained until you delete them or until your Account is terminated. Cached message context is retained only as long as needed to deliver the feature and is purged according to our retention schedule. You can revoke our access to your Google account at any time, after which we will cease processing of new Google user data and delete cached Google user data within a reasonable period, subject to legal-retention requirements.
8.7 Revoking Gmail Access
You can revoke Vidhya's access to your Google account at any time by: (a) disconnecting the integration within Vidhya's Account settings; or (b) visiting https://myaccount.google.com/permissions and removing Vidhya. Revocation does not affect emails already sent from your Gmail account.
8.8 No Advertising
Vidhya does not show advertising in the Service and does not use Google user data for advertising purposes of any kind.
9. How We Share Personal Information
We share Personal Information only as described in this Section 9. We do not sell Personal Information for money. Whether certain sharing (e.g., analytics involving cross-context behavioral signals) constitutes a "sale" or "share" under the CCPA/CPRA is addressed in Section 15.
9.1 Service Providers and Sub-processors
We share Personal Information with vendors who process it on our behalf, under contracts that restrict their use of the data and require appropriate safeguards. Categories include:
- Cloud hosting and storage (e.g., [AWS, GCP, Azure, Vercel, or other — confirm]);
- Database and search infrastructure (e.g., [Postgres host, search index host — confirm]);
- AI model providers (e.g., [OpenAI, Anthropic, Google AI — confirm]), for processing your prompts and producing AI Output as described in Section 6;
- Payment processors (e.g., [Stripe — confirm]) to handle billing;
- Email and notification delivery (e.g., [Postmark, SendGrid, Resend, or other — confirm]) for transactional and (where opted in) marketing email;
- Analytics and error monitoring (e.g., [PostHog, Sentry, or other — confirm]);
- Customer support tools (e.g., [Intercom, HelpScout, Linear, or other — confirm]);
- Identity and authentication (e.g., [Google Sign-In, Auth0, Clerk, or other — confirm]);
- Fraud prevention and bot protection (e.g., [Cloudflare, hCaptcha, or other — confirm]);
- Legal, accounting, audit, and tax advisers.
The current list of sub-processors is available at [govidhya.com/subprocessors] (or on request).
9.2 With Advisors You Book
If you book an advisor session through the Service, we share with that advisor the information needed to deliver the session (your name, scheduling details, time zone, and the topic you provided at booking). If you share additional information during or before the session, the advisor will see that information. Advisors are contractually required to handle your information consistent with this Policy and applicable law.
9.3 With Email Recipients You Choose
When you send an email through the Gmail Integration, the recipient receives the content of the email and the headers (including your sender address). This is inherent to sending email and is not a "disclosure" by us — you are the sender.
9.4 With Authorities and for Legal Reasons
We may disclose Personal Information to courts, regulators, law-enforcement authorities, or other public authorities where we have a good-faith belief that disclosure is reasonably necessary to: (a) comply with a legal obligation or lawful request; (b) enforce our Terms; (c) protect our rights, property, or safety, or the rights, property, or safety of our Users or others; (d) detect, prevent, or address fraud, security, or technical issues; or (e) prevent or investigate suspected child exploitation, in coordination with child-safety hotlines and law-enforcement agencies (including the National Center for Missing & Exploited Children, where applicable).
Where legally permitted and not prohibited by the request itself, we will use commercially reasonable efforts to notify you of legal requests for your Personal Information.
9.5 In Connection with Business Transactions
If Super Apply is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, Personal Information may be transferred or disclosed as part of that transaction. We will notify you (e.g., via email and/or a prominent notice on the Service) of any change in ownership or material change in how Personal Information is processed, and of any choices you may have regarding your Personal Information.
9.6 With Your Direction
We share Personal Information at your direction or with your consent (for example, when you choose to connect a third-party integration, opt into a research program, or share content with another User in a community feature, if any).
9.7 Aggregated or De-identified Data
We may share aggregated or de-identified information that cannot reasonably be used to identify you. For example, we may publish statistics about how Users in different regions use the Service. Where required, we maintain such information in de-identified form and do not attempt to re-identify it.
10. International Data Transfers
Super Apply is established in [STATE/COUNTRY OF INCORPORATION], and the Service operates from infrastructure located in [PRIMARY REGION(S)]. Personal Information you provide may be transferred to, processed in, and stored in countries outside your country of residence — including the United States and other jurisdictions whose data-protection laws may differ from those of your jurisdiction.
10.1 Safeguards for EEA, UK, and Swiss Transfers
When we transfer Personal Information from the EEA, UK, or Switzerland to a country that has not been recognized as providing an adequate level of protection, we rely on appropriate safeguards, including: (a) the European Commission's Standard Contractual Clauses (SCCs) (Decision 2021/914) with any necessary supplementary measures; (b) the UK International Data Transfer Addendum issued by the UK Information Commissioner; (c) the Swiss data protection authority's equivalent mechanisms for Swiss transfers; and (d) where applicable, certifications under the EU-US Data Privacy Framework, the UK Extension, and the Swiss-US Data Privacy Framework by recipients that have self-certified.
10.2 Safeguards for Transfers from Other Jurisdictions
For transfers from other jurisdictions with cross-border restrictions (for example, certain Asia-Pacific or Middle Eastern jurisdictions), we rely on consent, contractual safeguards, and adequacy mechanisms as applicable.
10.3 Copies of Safeguards
You may request a copy of the safeguards relied on (with appropriate redactions for confidentiality and security) by writing to hello@govidhya.com.
11. Data Retention
11.1 General Approach
We retain Personal Information only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.
11.2 Specific Retention Periods
- Account information: retained while your Account is active and for up to [24 months] after termination, after which it is deleted or anonymized (subject to legal retention obligations).
- Application Board content, saved scholarships, AI Advisor chats, application materials: retained while your Account is active. You can delete individual items at any time. On Account termination, retained for up to [90 days] to allow for restoration if you change your mind, then deleted or anonymized.
- Gmail Integration cached content: retained only as long as needed to deliver the requested feature; purged on a rolling basis and within a reasonable period after you disconnect the integration.
- Email drafts: retained as long as your Account is active and the draft has not been deleted.
- Advisor session records: retained for [12 months] after the session, unless a longer period is needed for dispute resolution or required by law.
- Payment and billing records: retained for [7 years] or such longer period as is required for tax, accounting, and audit purposes.
- Support communications: retained for [36 months] after the conversation is closed.
- Marketing preferences and consent records: retained for as long as needed to honor your preferences and to demonstrate compliance.
- Security and audit logs: retained for [12 to 24 months] based on the log type, then deleted or anonymized.
- Data subject request records: retained for as long as needed to demonstrate compliance with the request and applicable law.
- De-identified or aggregated data: may be retained indefinitely, because it is no longer Personal Information.
11.3 Backups
Personal Information in encrypted backups is retained according to standard backup-rotation schedules (typically up to [35 days] for short-term backups). Backup data is overwritten in the ordinary course; if you exercise a deletion right, your data will be removed from production systems immediately and from backups within the next standard rotation cycle.
11.4 Legal Holds
Where Personal Information is subject to a legal hold (for example, due to anticipated litigation or a regulatory inquiry), we retain it for the duration of the hold and then dispose of it in accordance with this Policy.
12. Security
We implement administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, alteration, disclosure, loss, or destruction. These include:
- Encryption of data in transit (TLS) and encryption at rest for Personal Information held in databases and storage;
- Role-based access controls and the principle of least privilege for employees and contractors;
- Multi-factor authentication for administrative access;
- Logging and monitoring of access to systems containing Personal Information;
- Periodic security reviews, vulnerability scanning, and (as we mature) penetration testing;
- Vendor due diligence and data-processing agreements with sub-processors;
- Incident-response procedures and breach-notification protocols;
- Training and confidentiality obligations for personnel.
No system is perfectly secure. While we work hard to protect Personal Information, we cannot guarantee absolute security. You are responsible for safeguarding your own credentials, using a strong unique password, enabling multi-factor authentication where offered, and notifying us promptly at hello@govidhya.com if you suspect any unauthorized access to your Account.
12.1 Data Breach Notification
If we suffer a data breach that compromises your Personal Information, we will notify you and applicable regulators as required by law (for example, within 72 hours of becoming aware where required by GDPR; without unreasonable delay where required by US state laws; in accordance with applicable Australian or Canadian breach-notification rules; and similar). Notice will be provided by email to the address on file and/or by a prominent notice on the Service.
13. Your Rights and Choices
Subject to the laws of your jurisdiction, you have a number of rights with respect to your Personal Information. Some rights are universal in spirit; others apply only in certain jurisdictions. The specific rights you can exercise depend on where you live. The rights described below apply at a minimum to Users in the EEA, UK, and Switzerland; California and other US states with comprehensive privacy laws; Canada; Australia; and increasingly, other jurisdictions.
13.1 Universal Rights We Honor
- Access: You may request a copy of the Personal Information we hold about you, together with information about how we use it.
- Correction: You may request correction of Personal Information that is inaccurate or incomplete.
- Deletion / erasure: You may request that we delete Personal Information we hold about you, subject to legal exceptions (e.g., information we are required to retain).
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Portability: You may request a copy of Personal Information you have provided to us in a structured, commonly used, machine-readable format, and (where technically feasible) ask us to transmit it to another controller.
- Object / restrict: You may object to or request restriction of processing where applicable law gives you that right.
- Opt out of marketing: You may opt out of marketing communications at any time using the unsubscribe link in any marketing email or in your Account settings.
- Complain to a regulator: You may lodge a complaint with the supervisory authority in your country of residence.
13.2 How to Exercise
To exercise any of these rights, email hello@govidhya.com with the rights you wish to exercise. We will respond within the timeframe required by applicable law (typically 30 days for GDPR, with possible extension; 45 days for CCPA/CPRA, with possible 45-day extension). We may need to verify your identity, typically by confirming control of the email address on file.
You may use an authorized agent to make a request on your behalf where applicable law permits. We may require the agent to demonstrate authority and may verify the identity of the underlying individual.
13.3 No Discrimination
We will not discriminate against you for exercising your privacy rights — for example, by denying you the Service, charging different prices, or providing a different level of quality, except where the difference is reasonably related to the value provided by the data (e.g., we cannot personalize features for an account that has deleted its profile).
13.4 Appeals
If we deny your request and you live in a jurisdiction that grants an appeal right (such as Virginia, Colorado, Connecticut, Texas, and several other US states), you may appeal by replying to our denial email or writing to hello@govidhya.com with "Privacy Appeal" in the subject line. We will respond within the timeframe required by applicable law.
14. Marketing and Communications Choices
- Transactional emails (receipts, password resets, security alerts, important Service announcements) are part of the Service and cannot be opted out of while you maintain an Account.
- Marketing emails can be turned off at any time via the unsubscribe link in any marketing email or via your Account settings.
- In-app notifications can be controlled in your Account settings.
- Push notifications (when the mobile app is available) can be controlled at the OS level.
15. Region-Specific Disclosures
15.1 United States — CCPA/CPRA (California) and Similar State Laws
This section addresses requirements under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and similar comprehensive US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Montana CDPA, and others coming into force).
Categories of Personal Information collected and disclosed:
In the preceding twelve (12) months, we have collected the categories of Personal Information described in Section 3, including: identifiers (name, email, IP address); customer records (account information); commercial information (subscription history); internet/network activity (usage data); geolocation (approximate); audio/visual information (only where you share documents with such content); professional/educational information (academic profile, applications); inferences; and Sensitive Personal Information only as described in Section 3.4.
We have disclosed each of these categories to the categories of recipients listed in Section 9 for the business purposes described in this Policy.
"Sale" and "Sharing":
- We do not sell Personal Information for monetary consideration.
- We do not "share" Personal Information for cross-context behavioral advertising as defined under CCPA/CPRA.
- We have no actual knowledge of selling or sharing the Personal Information of any Consumer under the age of 16 in California.
California Resident Rights: California residents have the rights to know, delete, correct, opt out of sale/sharing, and limit the use of Sensitive Personal Information, as well as the right to non-discrimination. To exercise these rights, see Section 13.2. We recognize Global Privacy Control (GPC) signals as opt-out signals as described in Section 7.3.
"Shine the Light" (California Civil Code § 1798.83): California residents may request information about disclosures of Personal Information to third parties for those third parties' direct-marketing purposes. We do not make such disclosures.
Sensitive Personal Information: We use Sensitive Personal Information only for the purposes permitted under CCPA/CPRA without offering a right to limit (such as providing the requested service, security, fraud prevention, and short-term transient use). If we use Sensitive Personal Information for other purposes, we will update this Policy and provide a "Limit the Use of Sensitive Personal Information" link.
Other US States: Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comparable laws have similar rights, exercisable through Section 13.
15.2 EEA, UK, and Switzerland — GDPR / UK GDPR / FADP
Users in the EEA, UK, and Switzerland have the rights described in Section 13.1, plus:
- Right to object to processing based on legitimate interests (Section 5(2));
- Right to object to direct marketing at any time;
- Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Section 6.3);
- Right to lodge a complaint with the supervisory authority in the EU/EEA member state of habitual residence, work, or alleged infringement; with the UK Information Commissioner's Office (ICO) for the UK; or with the Federal Data Protection and Information Commissioner (FDPIC) for Switzerland.
Where required, we will appoint and disclose an Article 27 representative for the EU and a representative for the UK.
15.3 Canada — PIPEDA and Provincial Laws
Users in Canada have rights under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, provincial laws (including Quebec's Law 25, BC PIPA, and Alberta PIPA). These include rights to access, correct, and withdraw consent. Complaints may be filed with the Office of the Privacy Commissioner of Canada or the applicable provincial commissioner.
15.4 Australia — Privacy Act / APPs
Users in Australia have rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), including rights of access and correction. Complaints may be filed with the Office of the Australian Information Commissioner (OAIC).
15.5 India — DPDP Act
Where the Digital Personal Data Protection Act applies to Users in India, we process Personal Information in accordance with the Act. Indian Users have rights to access, correction, completion, erasure, grievance redressal, and to nominate a person to exercise rights in case of death or incapacity.
15.6 Other Jurisdictions
If you reside in another jurisdiction with applicable data-protection laws (including but not limited to LGPD in Brazil, POPIA in South Africa, PIPL in mainland China, PDPA in Singapore, PDPA in Thailand, the UAE Data Protection Law, and the Saudi PDPL), you have the rights granted by those laws. To exercise them, contact us at hello@govidhya.com.
16. Children's and Minors' Privacy
The Service is intentionally designed to be usable by high-school students, many of whom are Minors. We take particular care with Personal Information of Minors.
16.1 Minimum Ages
- Globally: a minimum age of thirteen (13) to register, except where a higher digital-consent age applies in your jurisdiction;
- In EEA member states: the higher of 13 or the digital-consent age set by that member state (which varies between 13 and 16; 16 in many member states);
- In the United Kingdom: 13 under UK GDPR;
- In the United States: under COPPA, users under 13 require verifiable parental consent before we knowingly collect Personal Information; we do not knowingly collect Personal Information from children under 13 without such consent.
16.2 Parental and Guardian Consent
Where required by applicable law (including COPPA for US users under 13, GDPR Article 8 for users below the digital-consent age in their EEA member state, and similar regimes), we will obtain verifiable parental or guardian consent before collecting, using, or disclosing Personal Information from a Minor. Methods of verifiable consent may include credit-card verification, signed-consent forms, video conference confirmation, government-ID review (with deletion after verification), or other reasonable methods accepted under applicable law.
A parent or legal guardian may, at any time:
- Review the Personal Information collected from their child;
- Direct us to delete the Personal Information collected from their child;
- Refuse to allow further collection or use of the child's Personal Information;
- Withdraw consent previously given.
To exercise any of these rights, contact hello@govidhya.com from the parent/guardian email address on file (or other verifiable channel).
16.3 UK Age-Appropriate Design Code
For Minor Users in the UK, we design and operate the Service in a manner intended to be consistent with the principles of the UK Information Commissioner's Office's Age-Appropriate Design Code, including by:
- Defaulting privacy settings to the highest available level for Minor accounts;
- Collecting and retaining only the minimum data needed to provide the Service;
- Not using nudge techniques to encourage Minors to provide unnecessary Personal Information or to weaken privacy settings;
- Providing clear, age-appropriate explanations of how we use Personal Information;
- Not profiling Minor Users for marketing purposes;
- Limiting the use of geolocation for Minor Users to the minimum necessary.
16.4 No Targeted Advertising or Profiling of Minors
We do not target advertising to Minors. We do not engage in profiling Minors for purposes that would produce legal or similarly significant effects. We do not "sell" or "share" the Personal Information of Minors (as those terms are used under US state privacy laws).
16.5 Payment Restrictions
Minors may not purchase Paid Plans using a payment method they are not legally entitled to use. Paid Plan purchases require the use of an Authorized Adult's payment method, and the Authorized Adult is responsible for the purchase. See the Terms (Sections 3 and 6).
16.6 Discovery of Unauthorized Minor Accounts
If we become aware that we have collected Personal Information from a child below the applicable minimum age without the required parental or guardian consent, we will take reasonable steps to delete that Personal Information. If you believe we may have such information, please contact hello@govidhya.com.
17. Links to Third-Party Sites
The Service contains links to third-party websites (for example, Educational Institution websites, scholarship organizations, government immigration pages, and our payment-processor pages). This Policy does not apply to those websites. We encourage you to review their privacy policies before providing them with Personal Information.
18. Email Recipients and Public Contact Information
The Service helps you draft and send emails to third parties (such as professors, admissions offices, and recommenders). Some of those recipients' contact details are extracted from publicly available pages (e.g., a university's faculty directory). With respect to recipient email addresses and other publicly listed contact details:
- We treat such addresses as Personal Information of the recipient and process them only as needed to facilitate the email you are sending and to provide related features;
- We do not market to recipients;
- We do not use recipient email addresses to train AI models;
- We rely on you to use the email functionality lawfully and respectfully (see Sections 9 and 13 of the Terms).
If you are an academic or other professional who believes your contact details have been surfaced or used through the Service in a manner you object to, please email hello@govidhya.com and we will work with you in good faith to address your concern (which may include excluding you from the relevant index).
19. Automated Email Filtering, Anti-Spam, and Trust & Safety
To protect Users, recipients, and the Service from abuse, we apply automated filtering and trust-and-safety measures, which may include scanning prompt content and email drafts for indicators of spam, phishing, harassment, fraud, prompt injection, or other abuse. Where we detect potential abuse, we may delay, suspend, or block specific actions, suspend or terminate Accounts, notify recipients or platform providers (such as Google), and cooperate with law enforcement as appropriate.
20. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will provide notice by: (a) updating the "Last Updated" date at the top; (b) emailing Users where appropriate; and/or (c) presenting an in-app notice. Material changes will become effective no earlier than the notice period required by applicable law. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy. If you do not agree, you must stop using the Service and may terminate your Account.
Previous versions of this Policy are available on request from hello@govidhya.com.
21. Accessibility
We aim to make this Policy accessible. If you need this Policy in an alternative format (for example, large print or a screen-reader-friendly version), please contact hello@govidhya.com.
22. Contact Us
For any question, concern, complaint, or request relating to this Policy or to your Personal Information, please contact us:
- Email (all privacy matters, support, and rights requests): hello@govidhya.com
- Company: Super Apply LLC
- Website: govidhya.com
- Postal address: [REGISTERED ADDRESS — to be added]
- Data Protection Officer / Privacy contact: Reachable at hello@govidhya.com with subject line "Attn: Privacy"
- EU representative (Art. 27 GDPR): [To be appointed if/when required by Article 27 thresholds — contact details to be inserted]
- UK representative (Art. 27 UK GDPR): [To be appointed if/when required — contact details to be inserted]
If we are unable to resolve a complaint to your satisfaction, you have the right to lodge a complaint with the data-protection supervisory authority in your jurisdiction.
23. Acknowledgement
BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY POLICY AND UNDERSTAND HOW WE COLLECT, USE, DISCLOSE, AND PROTECT YOUR PERSONAL INFORMATION. IF YOU ARE A MINOR, YOU CONFIRM THAT YOUR PARENT OR LEGAL GUARDIAN HAS REVIEWED THIS PRIVACY POLICY AND CONSENTED TO YOUR USE OF THE SERVICE AS DESCRIBED HERE.
End of Privacy Policy.