Privacy Policy

Who We Are

App Name: UniStart App
Available on: Apple App Store, Google Play Store
Legal Entity: ALLCAMPUS UK LIMITED
Company Number: 11659728
Registered Address: Unit 7 Landmere Lane, Edwalton, Nottingham, England, NG12 4DG
Contact Email: support@unistart.app

For the purposes of UK data protection law (UK GDPR), ALLCAMPUS UK LIMITED is the "data controller" for personal data collected through:

• The UniStart mobile application (iOS and Android)
• The unistart.app website
• All related services

Information We Collect

1. Information You Provide Directly

• Account Information: name, email address, and phone number when you create an account or complete a form.
• Profile preferences (study interests, location preferences, career goals).
• Authentication data (when using Apple Sign-In or Google Sign-In).
• Communication history: messages you send us via in-app forms, email, or direct contact, plus notes we add after calls.
• Quiz answers and course preferences you save in the app.
• Application progress: saved courses, favourites, and application status.
• Funding calculator inputs and results.

2. Information Collected Automatically (Mobile App)

• Device information: device model, operating system and version, app version, device language, and timezone settings.
• Unique device identifiers (for analytics and crash reporting).
• Usage data: features you use, time spent on screens, app crashes, and performance data.
• Aggregated, anonymized analytics via our analytics provider.

3. Local Storage

The app stores certain data locally on your device (using AsyncStorage), including:

• Login session tokens (encrypted)
• Your quiz progress and answers
• Recently viewed courses
• App preferences and settings

4. Permissions We Request

Required Permissions:

• Internet Access (Android) - to load course data and communicate with our servers
• Network State (Android) - to detect when you're online or offline

Optional Permissions (not currently used):

• We do not request camera, microphone, location, photos, or contacts access
• We do not collect precise geolocation data
• We do not access your device's files or storage beyond app-specific data

5. Third-Party Sign-In Data

• Apple Sign-In: we receive your name (if you choose to share it), email address, and a unique Apple user ID.
• Google Sign-In: we receive your name, email address, profile picture (if available), and a unique Google user ID.
• These providers may share limited data with us as per their own privacy policies.

6. What We Do NOT Collect

• GPS or precise geolocation data
• Photos, camera access, or files from your device
• Uploaded documents or identity papers
• Special category data (health, ethnicity, religion, biometric data)
• Children's data (our service is only for users 18+)
• Financial information (credit cards, bank details)

How We Use Your Data

Service Delivery

• To create and manage your UniStart account
• To respond to your enquiries about UK university courses
• To provide personalized course recommendations via our quiz system
• To schedule calls and keep records of the guidance we provide
• To remember your progress and preferences across sessions

Communication

• To contact you with updates about your enquiry or application
• To send important service announcements (security alerts, policy changes)
• To provide customer support and respond to your questions
• To send marketing communications only if you opt in

Analytics and Improvement

• To understand how users interact with the app and which features are most useful
• To identify and fix bugs, crashes, and performance issues
• To improve app usability and add new features
• To generate aggregated, anonymized statistics (never sold or shared with advertisers)

Legal and Security

• To prevent fraud, abuse, or unauthorized access
• To comply with legal obligations and respond to lawful requests
• To enforce our Terms and Conditions
• To protect the rights and safety of UniStart, our users, and the public

Legal Basis for Processing (UK GDPR)

• Article 6(1)(b) - Contractual necessity: when we process your data to provide our services, manage your account, respond to enquiries, and help with university applications.
• Article 6(1)(a) - Consent: when you opt in to receive marketing emails or push notifications, when you authorize us to share your details with a partner university, and when you use optional features like the quiz or funding calculator.
• Article 6(1)(f) - Legitimate interests: for analytics and service improvement (anonymized where possible), to prevent abuse and ensure platform security, and to keep records of advice given.

You can withdraw consent at any time by contacting us or adjusting your in-app settings.

Sharing Your Information

Service Providers (Data Processors)

• Cloud hosting provider (Supabase) - stores your account data and app content
• Email service provider - sends transactional and marketing emails (if you opt in)
• Analytics provider - helps us understand app usage (anonymized data)
• Crash reporting tool - helps us identify and fix bugs (if implemented)

All service providers are bound by data processing agreements (DPAs) and are required to protect your data.

Partner Universities and Education Providers

• We share your details with universities only after you've discussed your options with us and explicitly agreed to proceed.
• You control which universities receive your information.
• Universities are independent data controllers for the data they receive.

Analytics and App Store Reporting

• Google Analytics (if used) - aggregated, anonymized usage statistics
• Apple App Analytics (if enabled) - app performance and crash data (anonymized)
• Google Play Console (if enabled) - install metrics and user feedback (anonymized)

We do not sell your personal data, share your data with third-party advertisers, or use your data for unrelated purposes without consent.

Legal Requirements

We may disclose your data if required by law, court order, or government request, or to comply with legal obligations, protect rights and safety, or prevent fraud and security threats.

International Data Transfers

Your data may be transferred outside the UK because some of our service providers operate globally.

Supabase (Database and Hosting):

Data is stored on servers that may be located in the European Economic Area (EEA) or other regions. Supabase complies with GDPR and provides appropriate safeguards for international transfers.

Safeguards:

• Standard Contractual Clauses (SCCs) approved by UK authorities
• Service providers certified under privacy frameworks (where applicable)
• Encryption in transit and at rest

If you have questions about where your data is stored, contact us at support@unistart.app.

Data Retention

We retain personal data only as long as necessary for the purposes described above.

Inactive Accounts:

If you haven't logged in for 2 years, we'll send a reminder email. If you don't respond within 30 days, we may delete your account and data.

Account Deletion:

1. Your profile and personal data are permanently deleted within 30 days
2. Anonymized usage statistics may be retained for analytics
3. We keep financial and legal records for 7 years (regulatory requirement)

Your Rights Under UK GDPR

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object (including marketing)
• Right to withdraw consent
• Right to complain to the UK ICO

We would appreciate the chance to resolve your concerns first - please contact us before escalating to the ICO.

How to Exercise Your Rights

Email us at support@unistart.app with the subject line "Data Request".

Include:

• Your full name and account email
• The specific right you wish to exercise
• Any relevant details (which data you want to access or delete)

Response time: we respond within one month (may extend to two months for complex requests).

In-App Options:

• Delete Account: Settings -> Privacy and Legal -> Delete Account
• Export Data: Settings -> Privacy and Legal -> Download My Data (if available)
• Manage Notifications: Settings -> Notifications

Verification: we may ask for ID verification to prevent unauthorized access to your account.

Security Measures

Technical Safeguards

• Encryption in transit (HTTPS/TLS)
• Encryption at rest (database encryption)
• Secure authentication: OAuth 2.0 for social sign-ins, bcrypt for passwords
• Regular security audits and vulnerability assessments

Organizational Safeguards

• Access controls for authorized personnel only
• Employee training on data protection and privacy
• Incident response plan for data breaches

Mobile-Specific Security

• Session tokens stored securely using platform-specific secure storage
• Automatic logout after period of inactivity
• Biometric authentication support (Face ID, Touch ID, fingerprint - if enabled)

What We Can't Control

• The security of your device (use a strong passcode or PIN)
• Your account credentials (do not share your password)
• Public Wi-Fi networks (use a VPN on untrusted networks)

Data breach notification: if a breach affects your data, we'll notify you and the ICO within 72 hours as required by UK GDPR.

Children's Privacy (COPPA and AADC)

UniStart is not intended for children under 18 years old.

• We do not knowingly collect data from anyone under 18.
• Our Terms require users to confirm they are 18+.
• If we discover we've collected data from a minor, we'll delete it immediately.

Parents or guardians: if you believe your child has provided us with personal data, contact support@unistart.app and we'll delete it.

Cookies and Tracking Technologies

Mobile App

The app does not use traditional browser cookies. However, we use:

Local Storage (AsyncStorage):

• Stores login session, preferences, and cached data locally
• You can clear this data by logging out or uninstalling the app

Analytics SDKs:

• We may use mobile analytics (e.g., Google Analytics for Firebase)
• These tools collect anonymized data (device type, OS version, feature usage)
• You can opt out in Settings -> Privacy

Crash Reporting:

• Crash logs may be collected automatically to fix bugs
• These logs are anonymized and retained for 90 days

Website (unistart.app)

Our website uses cookies - see our website privacy policy for details.

Push Notifications

Service Notifications (cannot opt out)

• Critical account alerts (password reset, suspicious login)
• Application status updates
• Scheduled call reminders

Marketing Notifications (optional)

• Course recommendations
• New features and offers
• UniStart news and tips

Control Your Notifications:

• In-App: Settings -> Notifications
• Device-Level: iOS Settings -> Notifications -> UniStart / Android Settings -> Apps -> UniStart -> Notifications

When you enable notifications, your device generates a unique push token that we store to send messages. Disabling notifications removes this token from our systems.

Third-Party Links and Services

The app may contain links to external websites, university portals, or Student Finance England. These sites have their own privacy policies, and we are not responsible for their practices.

When you apply for funding through Student Finance England, you'll be redirected to gov.uk. SFE is a separate data controller - see their privacy policy for details.

Changes to This Privacy Policy

We may update this policy from time to time to reflect:

• Changes in our services or business practices
• New legal or regulatory requirements
• Improvements to data protection measures

How We'll Notify You:

• In-app alert: a banner when you next open the app
• Email notification if changes materially affect your rights
• Last updated date at the top of this policy

Significant changes (e.g., sharing data with new third parties) may require renewed consent. Using the app after policy updates constitutes acceptance of the new terms.

Contact Us

Email: support@unistart.app

Subject Line: "Privacy Enquiry" or "Data Request"

Post:

ALLCAMPUS UK LIMITED
Unit 7 Landmere Lane, Edwalton
Nottingham, NG12 4DG
United Kingdom

Response time: we aim to respond within 5 business days (up to 30 days for complex requests).

Regulatory Authority

UK Information Commissioner's Office (ICO)

Website: https://ico.org.uk

Helpline: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

You have the right to lodge a complaint with the ICO if you're unhappy with how we handle your data. We'd appreciate the opportunity to resolve your concerns first.

App Store-Specific Disclosures

Apple App Store Privacy Nutrition Label

Data Linked to You:

• Contact info (name, email, phone)
• User content (quiz answers, course preferences)
• Identifiers (account ID, device ID)
• Usage data (feature interactions, time spent)

Data Not Linked to You:

• Crash data (anonymized)
• Analytics (aggregated)

Data Used to Track You:

None

Data Not Collected:

Precise location, photos, payment info, health data

Google Play Data Safety

• Data shared: contact details (with user consent) to partner universities
• Data encrypted: all data encrypted in transit
• Data deletion: users can request deletion via in-app settings
• COPPA and AADC: app is not directed at children under 13

Legal Framework

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Privacy and Electronic Communications Regulations (PECR)
• Apple App Store Guidelines (Section 5.1.1 - Data Collection and Storage)
• Google Play Policy (User Data, Device and Network Abuse)
• COPPA (Children's Online Privacy Protection Act - US)
• AADC (Age Appropriate Design Code - UK)