Data Protection

Privacy Policy

We take your privacy seriously. This policy explains how we collect, store, and protect your personal data in compliance with the EU General Data Protection Regulation (GDPR).

GDPR Compliant | Last Updated: March 26, 2026

1. Data Controller

The data controller responsible for your personal data is YourWeg, operating at https://www.yourweg.com.

For all data protection matters, please contact us at: [email protected]

2. What Personal Data We Collect

We collect the following categories of personal data:

  • Account data: Email address, display name, profile photo.
  • Academic profile: IELTS/TOEFL/GRE scores, GPA, degree type, field of study, institution name and country, years of work experience, study budget.
  • Uploaded documents: APS certificates, degree certificates, academic transcripts, IELTS/TOEFL score reports, and other documents you choose to upload.
  • Application data: Saved programmes, application status per programme, personal notes on programmes, checklist progress.
  • Preferences: Preferred intake period, preferred field, notification preferences.
  • Usage data: Pages visited, features used, and interactions with the platform (collected only with your consent — see Section 7).
  • Payment data: Subscription status and plan. Payment card details are processed exclusively by Dodo Payments and never stored by YourWeg.

3. Lawful Basis for Processing

We rely on the following lawful bases under GDPR Article 6:

  • Contract performance (Article 6(1)(b)): Processing your account data, academic profile, uploaded documents, saved programmes, and checklist is necessary to provide the programme-matching and application-tracking service you signed up for.
  • Consent (Article 6(1)(a)): We send marketing and platform update emails only when you have opted in via your notification preferences. We run product analytics (PostHog), web analytics (Vercel Analytics), and — if configured — Google Analytics / Google Tag Manager only when you have accepted analytics cookies via our consent banner.
  • Legitimate interests (Article 6(1)(f)): We process minimal security and server logs to detect fraud, abuse, and service faults. We have assessed that this interest is not overridden by your rights and freedoms.
  • Legal obligation (Article 6(1)(c)): We retain payment transaction records for 7 years to comply with German commercial law (HGB §257).

4. How We Use Your Data

  • Match your academic profile against German university programmes.
  • Generate ranking and match estimates using the profile details and programme/scholarship data available in our systems.
  • Display and track your application status and deadlines.
  • Store documents you upload securely for your own access.
  • Send transactional emails (account verification, deadline reminders, subscription receipts).
  • Send marketing emails if you have opted in.
  • Improve the platform using aggregated, anonymised analytics.
  • Process and manage subscription payments.

Our matching outputs are informational and decision-support only. They do not guarantee admission, scholarship awards, visa approval, or any specific outcome from universities, scholarship bodies, or government authorities.

YourWeg uses profile and preference data to generate programme and scholarship recommendations. These recommendations are support signals for your review and are not fully automated decisions that produce legal or similarly significant effects for you.

Because programme and scholarship criteria can change over time, users are responsible for checking official university and scholarship-provider pages before relying on any recommendation.

5. Data Retention

  • Account and profile data: Retained until you delete your account.
  • Uploaded documents: Retained until you delete each document or close your account.
  • Payment records: Retained for 7 years (HGB §257, German commercial law).
  • Analytics events (PostHog): Retained for 12 months, then automatically deleted.
  • Web analytics (Google / Vercel): Retention follows each provider's default settings in your Google Analytics / Tag Manager and Vercel projects.
  • Email delivery logs (Resend): Retained for 30 days.
  • Authentication session cookies: Session lifetime and a 7-day refresh window (Supabase default).

When you delete your account, we permanently erase your account, profile, degrees, documents, saved programmes, and all associated data from our systems within 30 days, except where a longer retention period is required by law.

6. Data Sharing and Sub-processors

We do not sell your personal data. We share data only with the following trusted sub-processors who provide infrastructure essential to the service. Each sub-processor is bound by a Data Processing Agreement (DPA):

  • Supabase Inc. — Database, authentication, and file storage. Data hosted in India (Mumbai, ap-south-1 region). DPA: supabase.com/dpa. International transfer safeguard: Standard Contractual Clauses (SCCs).
  • Resend Inc. — Transactional email delivery (verification emails, deadline reminders). Your email address is shared. Data processed in the US. Transfer safeguard: SCCs.
  • PostHog Inc. — Product analytics (page views, feature interactions). Personal identifiers are not sent. Data hosted in the EU (Frankfurt). DPA: posthog.com/dpa. Only active with your consent.
  • Dodo Payments — Subscription and payment processing. Your email and display name are shared during checkout. Transfer safeguard: SCCs.
  • Vercel Inc. — Website hosting and edge delivery. Processes request metadata. Data processed in the US. DPA: vercel.com/legal/dpa. Transfer safeguard: SCCs.
  • Google Ireland Limited — Web and marketing measurement (Google Analytics 4, Google Tag Manager) when enabled. May process online identifiers and usage data. Typically US/EU operations; transfer safeguards per Google's advertising and measurement terms and SCCs. Only active with your analytics consent. Privacy: policies.google.com/privacy.

If you redeem an institution-specific partner discount, limited account details (for example display name, email, plan and redemption timestamp) may be visible to that institution in a restricted, read-only partner reporting dashboard for programme administration and reconciliation.

A full list of sub-processors with data locations and transfer mechanisms is available at /legal/data-processing.

We will disclose personal data to law enforcement or other authorities only when required to do so by applicable law.

7. Cookies and Analytics

We use the following cookies:

  • Authentication cookie (essential): Set by Supabase to maintain your login session. This cookie is strictly necessary for the service to function and does not require consent.
  • Consent cookie (yw_consent): Records your cookie preference. Expires after 12 months.
  • Analytics cookies (PostHog, Google Analytics / Tag Manager, Vercel Analytics, optional): Set only when you accept analytics via our consent banner. Used for product and traffic measurement. You can change your preference at any time by clearing cookies or contacting us.

8. International Data Transfers

Your data is stored in India (Supabase Mumbai region) and the EU (PostHog EU cloud). Certain sub-processors (Resend, Vercel, Dodo Payments) process data in the United States. India does not have an EU adequacy decision; all transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c).

9. Data Security

We implement the following security measures to protect your data:

  • All data is encrypted in transit (TLS) and at rest (AES-256 via Supabase).
  • Uploaded documents are stored in a private bucket; access requires authenticated signed URLs that expire after 1 hour.
  • Row-Level Security (RLS) is enforced at the database layer — each user can only access their own data.
  • Authentication uses one-time passwords (OTP) delivered via email — no passwords are stored.
  • Service-role database keys are never exposed client-side.

10. Your Rights under GDPR

Under Articles 15–22 of the GDPR, you have the following rights:

  • Right of access (Article 15): Request a copy of all personal data we hold about you. Use the "Download your data" feature in Settings → Plan & data.
  • Right to rectification (Article 16): Correct inaccurate or incomplete data via your profile settings, or by emailing us.
  • Right to erasure (Article 17): Delete your account and all associated data. Use the "Delete Account" option in Settings → Account, or email us.
  • Right to data portability (Article 20): Receive your data in a machine-readable format. Use the "Download your data" feature in Settings → Plan & data.
  • Right to restriction of processing (Article 18): Request that we restrict processing of your data in certain circumstances.
  • Right to object (Article 21): Object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent (Article 7(3)): Withdraw analytics consent by clearing the yw_consent cookie, or marketing email consent via Settings → Notifications.
  • Right to lodge a complaint: If you believe your data is being mishandled, you have the right to lodge a complaint with the German supervisory authority: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).

To exercise any of these rights, please email [email protected]. We will respond within 30 days as required by GDPR Article 12.

11. Children

YourWeg is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy when we change how we process data. We will notify you of material changes by email (if you have an account) and by updating the "Last Updated" date at the top of this page. Continued use of YourWeg after a change constitutes acceptance of the updated policy.