Privacy Policy

1. Who we are

Studify Pty Ltd (ABN XX XXX XXX XXX), trading as Studify, operates the study-abroad platform at studify.au. We are the data controller for personal data collected through our services.

For privacy enquiries contact our Privacy Officer at privacy@studify.au.

2. Data we collect

We collect information you provide directly, information generated by your use of our services, and information from third parties.

Information you provide

Account data: name, email address, password (hashed), phone number.
Identity documents: passport number (encrypted at rest with AES-256), passport expiry date, date of birth, nationality.
Academic records: qualifications, GPA, test scores, transcripts.
Application data: course preferences, statements of purpose, letters of recommendation.
Payment data: billing address, payment method tokens (we never store full card numbers; payments are processed by Stripe or Khalti).
Communication data: messages sent through our platform.

Information generated automatically

IP address and approximate geolocation.
Browser type, device type, operating system.
Pages visited, features used, time spent (analytics).
Cookies and similar tracking technologies (see Section 7).

Information from third parties

Education agents who register you on our platform.
Partner universities who provide application status updates.
Social login providers (Google, if enabled).

3. How we use your data

Purpose	Legal basis (GDPR Art. 6)
Create and manage your account	Contract performance
Process university applications	Contract performance
Verify your identity and prevent fraud	Legitimate interests / Legal obligation
Process payments	Contract performance
Send transactional emails (application updates, visa reminders)	Contract performance
Send marketing communications (newsletters, promotions)	Consent — opt-in only
Improve our platform and develop new features	Legitimate interests
Comply with legal obligations (tax, regulatory reporting)	Legal obligation
Analytics and platform performance monitoring	Legitimate interests

4. Data sharing

We share your data only as described below and never sell it to third parties.

Partner universities and institutions — application data required to process your enrolment.
Education agents — agents you explicitly connect with see your profile and application status.
Service providers — Supabase (database hosting, EU/US), Vercel (hosting, US), Stripe (payments, US), Resend (email, US), Anthropic (AI services, US). All are bound by data processing agreements.
Regulators and law enforcement — when required by law, court order, or to protect rights.
Business transfers — if Studify is acquired or merges, data may be transferred as a business asset, subject to the same privacy protections.

5. International transfers

We operate globally. Your data may be transferred to and processed in countries outside your residence including the United States and Australia. Where we transfer data from the EEA or UK, we use Standard Contractual Clauses (SCCs) approved by the European Commission, or rely on adequacy decisions where available.

6. Data retention

Account and profile data: retained while your account is active and for 2 years after closure for legal and audit purposes.
Application data: retained for 7 years (regulatory / tax obligation).
Communication logs: retained for 3 years.
Marketing consent records: retained until you withdraw consent plus 3 years.
Payment records: retained for 7 years (financial regulation).
If you request account deletion, we anonymise your profile within 30 days. Data retained for legal reasons is kept in an anonymised or pseudonymised form.

7. Cookies

We use cookies and similar technologies to operate our services and, with your consent, to analyse usage. You can manage your preferences via the cookie banner or your browser settings.

Category	Description	Basis
Essential	Session authentication, CSRF protection, preference storage.	Strictly necessary
Analytics	Google Analytics 4 — page views, user journeys, performance metrics.	Consent
Marketing	Retargeting pixels (Facebook Pixel, Google Ads) if enabled.	Consent

8. Security

Passport numbers are encrypted at rest using AES-256 (via PostgreSQL pgcrypto) with a key stored separately from the database.
All data in transit is encrypted using TLS 1.2 or higher.
Our database has Point-in-Time Recovery (PITR) enabled for disaster recovery.
Access to production systems is restricted to authorised personnel via role-based access controls and MFA.
We conduct regular security audits including row-level security reviews.

9. Your rights

Depending on your location, you have the following rights regarding your personal data:

Access — request a copy of all personal data we hold about you (GDPR data export available in your account settings).
Rectification — correct inaccurate or incomplete data via your profile page.
Erasure ("right to be forgotten") — request deletion of your account and associated data via your account settings.
Restriction — request that we limit processing of your data in certain circumstances.
Portability — receive your data in a machine-readable format (JSON export available in settings).
Objection — object to processing based on legitimate interests or for direct marketing.
Withdraw consent — withdraw marketing consent at any time via the unsubscribe link in emails or your account settings.

To exercise any right, email privacy@studify.au. We will respond within 30 days. If you are in the EEA, you may also lodge a complaint with your local Data Protection Authority.

10. Children's data

Our services are intended for users aged 16 and above. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us immediately.

11. Changes to this policy

We may update this policy to reflect changes in our practices or applicable law. We will notify you of material changes by email or a prominent notice on our website at least 14 days before the change takes effect. Continued use after that date constitutes acceptance of the updated policy.

12. Contact us

Studify Pty Ltd

ABN: XX XXX XXX XXX

Privacy Officer: privacy@studify.au

1. Who we are

Studify Pty Ltd (ABN XX XXX XXX XXX), trading as Studify, operates the study-abroad platform at studify.au. We are the data controller for personal data collected through our services.

For privacy enquiries contact our Privacy Officer at privacy@studify.au.

2. Data we collect

We collect information you provide directly, information generated by your use of our services, and information from third parties.

Information you provide

Account data: name, email address, password (hashed), phone number.
Identity documents: passport number (encrypted at rest with AES-256), passport expiry date, date of birth, nationality.
Academic records: qualifications, GPA, test scores, transcripts.
Application data: course preferences, statements of purpose, letters of recommendation.
Payment data: billing address, payment method tokens (we never store full card numbers; payments are processed by Stripe or Khalti).
Communication data: messages sent through our platform.

Information generated automatically

IP address and approximate geolocation.
Browser type, device type, operating system.
Pages visited, features used, time spent (analytics).
Cookies and similar tracking technologies (see Section 7).

Information from third parties

Education agents who register you on our platform.
Partner universities who provide application status updates.
Social login providers (Google, if enabled).

3. How we use your data

Purpose	Legal basis (GDPR Art. 6)
Create and manage your account	Contract performance
Process university applications	Contract performance
Verify your identity and prevent fraud	Legitimate interests / Legal obligation
Process payments	Contract performance
Send transactional emails (application updates, visa reminders)	Contract performance
Send marketing communications (newsletters, promotions)	Consent — opt-in only
Improve our platform and develop new features	Legitimate interests
Comply with legal obligations (tax, regulatory reporting)	Legal obligation
Analytics and platform performance monitoring	Legitimate interests

4. Data sharing

We share your data only as described below and never sell it to third parties.

Partner universities and institutions — application data required to process your enrolment.
Education agents — agents you explicitly connect with see your profile and application status.
Service providers — Supabase (database hosting, EU/US), Vercel (hosting, US), Stripe (payments, US), Resend (email, US), Anthropic (AI services, US). All are bound by data processing agreements.
Regulators and law enforcement — when required by law, court order, or to protect rights.
Business transfers — if Studify is acquired or merges, data may be transferred as a business asset, subject to the same privacy protections.

5. International transfers

6. Data retention

Account and profile data: retained while your account is active and for 2 years after closure for legal and audit purposes.
Application data: retained for 7 years (regulatory / tax obligation).
Communication logs: retained for 3 years.
Marketing consent records: retained until you withdraw consent plus 3 years.
Payment records: retained for 7 years (financial regulation).
If you request account deletion, we anonymise your profile within 30 days. Data retained for legal reasons is kept in an anonymised or pseudonymised form.

7. Cookies

We use cookies and similar technologies to operate our services and, with your consent, to analyse usage. You can manage your preferences via the cookie banner or your browser settings.

Category	Description	Basis
Essential	Session authentication, CSRF protection, preference storage.	Strictly necessary
Analytics	Google Analytics 4 — page views, user journeys, performance metrics.	Consent
Marketing	Retargeting pixels (Facebook Pixel, Google Ads) if enabled.	Consent

8. Security

Passport numbers are encrypted at rest using AES-256 (via PostgreSQL pgcrypto) with a key stored separately from the database.
All data in transit is encrypted using TLS 1.2 or higher.
Our database has Point-in-Time Recovery (PITR) enabled for disaster recovery.
Access to production systems is restricted to authorised personnel via role-based access controls and MFA.
We conduct regular security audits including row-level security reviews.

9. Your rights

Depending on your location, you have the following rights regarding your personal data:

Access — request a copy of all personal data we hold about you (GDPR data export available in your account settings).
Rectification — correct inaccurate or incomplete data via your profile page.
Erasure ("right to be forgotten") — request deletion of your account and associated data via your account settings.
Restriction — request that we limit processing of your data in certain circumstances.
Portability — receive your data in a machine-readable format (JSON export available in settings).
Objection — object to processing based on legitimate interests or for direct marketing.
Withdraw consent — withdraw marketing consent at any time via the unsubscribe link in emails or your account settings.

To exercise any right, email privacy@studify.au. We will respond within 30 days. If you are in the EEA, you may also lodge a complaint with your local Data Protection Authority.

10. Children's data

11. Changes to this policy

12. Contact us

Studify Pty Ltd

ABN: XX XXX XXX XXX

Privacy Officer: privacy@studify.au

1. Who we are

2. Data we collect

Information you provide

Information generated automatically

Information from third parties

3. How we use your data

4. Data sharing

5. International transfers

6. Data retention

7. Cookies

8. Security

9. Your rights

10. Children's data

11. Changes to this policy

12. Contact us

Ask an Expert

Privacy Policy

1. Who we are

2. Data we collect

Information you provide

Information generated automatically

Information from third parties

3. How we use your data

4. Data sharing

5. International transfers

6. Data retention

7. Cookies

8. Security

9. Your rights

10. Children's data

11. Changes to this policy

12. Contact us