Privacy Policy

Introduction

UniTru Inc., a Delaware corporation headquartered in Lancaster, Pennsylvania ("UniTru," "We," "Us," or "Our") respects your privacy and is committed to protecting it through our compliance with this Privacy Policy.

This Policy describes the types of information we collect from you or that you may provide when visiting the website theunitru.com (the "Website") and our practices for collecting, using, maintaining, protecting, and disclosing that information.

Please read this Policy carefully to understand our policies and practices regarding your information. By accessing or using the Website, you agree to the terms of this Policy. This Policy may change from time to time (see "Changes to Our Privacy Policy"). Your continued use of the Website after we make changes is deemed to be acceptance of those changes, so please check the Policy periodically for updates.

Age Restriction: The Website is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you are under 13, please do not use the Website or provide any information through the Website. For users between 13 and 18 years of age, parental or institutional consent may be required for certain services, consistent with applicable laws including COPPA and FERPA.

Information We Collect and How We Collect It

Information You Provide Directly to Us

We collect information that you voluntarily provide to us, including:

• Account Information: When you sign in using Google OAuth, we receive your name and email address from your Google account.
• High School Request Form: If you choose to fill out our high school request form, we collect your name, high school name, and high school location (state or country). This information is voluntary and only collected when you submit the form.
• Guide Requests: If you request a tour guide for a university, we may collect the university name, location, and any preferences you provide (such as guide major, interests, or language background).
• Correspondence: If you contact us via email, we collect your email address and any information you include in your message.

Information Collected Automatically

As you navigate through and interact with the Website, we automatically collect certain information:

• Usage Information: Details of your visits to the Website, including traffic data, pages viewed, time spent on pages, and the resources you access.
• Device Information: Information about your computer or mobile device, including your IP address, operating system, browser type, and device identifiers.
• Session Information: We use browser session storage to track AI feature usage (such as the number of AI requests made) and to remember your page preferences during your browsing session.

Cookies and Tracking Technologies

We use the following technologies to collect information:

• Authentication Cookies: We use cookies provided by NextAuth.js to maintain your login session. These cookies are essential for the Website to function properly.
• Analytics Cookies: We use PostHog, a web analytics service, which places cookies on your device to collect information about how you use the Website. This helps us understand Website usage and improve our services.
• Browser Storage: We use browser session storage (not persistent storage) to temporarily store your preferences and AI usage tracking during your browsing session. This data is automatically cleared when you close your browser.

You can control cookies through your browser settings. However, if you disable cookies, some features of the Website may not function properly, including the ability to sign in and maintain your session.

Data Processing and Storage Location

All data we collect is processed and stored in the United States. By using our Website, you consent to the transfer and processing of your information in the United States.

Third-Party Services

We use the following third-party services that may collect or process your information:

• Google OAuth: We use Google OAuth for authentication. When you sign in, Google provides us with your name and email address. Google's use of your information is governed by Google's Privacy Policy.
• PostHog: We use PostHog for web analytics to understand how users interact with our Website. PostHog may collect information about your use of the Website, including pages visited and interactions. For more information, see PostHog's Privacy Policy.
• SendGrid: We use SendGrid to send email notifications (such as booking confirmations). When we send you an email, SendGrid processes your email address. SendGrid's use of your information is governed by SendGrid's Privacy Policy.
• Hosting Services: Our Website is hosted on Vercel (frontend) and Render (backend), and our database is hosted on PostgreSQL. These services may have access to your information as necessary to provide hosting services.

We do not use advertising services or share your information with advertisers, ad networks, or ad servers.

How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Website and our services;
• Create and manage your account;
• Process and manage tour bookings between students and tour guides;
• Communicate with you about your bookings, guide requests, or other inquiries;
• Send administrative emails (such as booking confirmations and notifications);
• Respond to high school requests by contacting you or your counselor;
• Understand how users interact with our Website through analytics;
• Detect, prevent, and address technical issues or security concerns;
• Comply with legal obligations.

Note: Currently, we use your information solely for internal purposes to provide and improve our services. We do not use your information for marketing or promotional purposes. If we change this practice in the future, we will update this Policy and provide you with options to opt out of any such communications.

How We Share Your Information

We may share your information in the following circumstances:

• With Tour Guides: When you book a tour with a tour guide, we share your name and email address with the tour guide so they can communicate with you about the scheduled tour.
• Service Providers: We may share your information with third-party service providers who perform services on our behalf, such as hosting (Vercel, Render), email delivery (SendGrid), and analytics (PostHog). These service providers are contractually obligated to use your information only for the purposes we specify and to protect your information.
• Legal Requirements: We may disclose your information if required by law, regulation, or legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business Transfers: If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to the same privacy protections.

We do not:

• Sell your personal information to third parties;
• Share your information with advertisers or for advertising purposes;
• Share your information with universities or other educational institutions (except as necessary to facilitate tour bookings).

Data Retention and Deletion

We retain your personal information for as long as necessary to provide our services and fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.

Retention Periods:

• Account Data: Retained until account deletion, or up to 7 years if legally required (e.g., financial records for tax purposes)
• Request Data: Retained until request is fulfilled, then up to 2 years
• Booking Data: Retained until booking completion, then up to 2 years
• Analytics Data: PostHog retains analytics data for 90 days
• Session Storage: Automatically cleared when browser closes
• Server Logs: Retained for 30 days, then automatically purged

When you close your browser, information stored in browser session storage (such as AI usage tracking and page preferences) is automatically cleared. Authentication cookies remain on your device according to your session settings but can be cleared through your browser settings.

Data Deletion and Export:

You have the right to request deletion or export of your personal information at any time by contacting us at contact@theUniTru.com. We will respond to your request within 30 days. We will delete your data to the extent feasible and required by law, though some information may be retained if legally required (such as financial records for tax purposes). You can also request a copy of all data we hold about you in a machine-readable format.

Your Rights and Choices

You have the following rights regarding your personal information:

• Access: You can request access to the personal information we hold about you by contacting us at contact@theUniTru.com.
• Correction: You can request that we correct any inaccurate personal information we hold about you.
• Deletion: You can request that we delete your personal information. We will accommodate your request to the extent feasible and required by law. Note that we may retain certain information as necessary for legal or business purposes.
• Opt-Out of Analytics: You can opt out of PostHog analytics by disabling cookies in your browser settings or by contacting us.
• Opt-Out of Communications: If we begin sending marketing or promotional communications in the future, you will be able to opt out by following the unsubscribe instructions in those communications or by contacting us.

To exercise any of these rights, please contact us at contact@theUniTru.com. We will respond to your request within a reasonable timeframe.

Data Security

We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure.

Technical Safeguards:

• Encryption: All data is encrypted in transit using HTTPS/SSL (TLS 1.2+), and our database uses encryption at rest.
• Secure Authentication: We use secure JWT-based authentication through NextAuth.js with Google OAuth.
• Access Controls: Database and administrative access is restricted to authorized UniTru personnel only.
• Network Security: Our hosting providers (Vercel and Render) implement firewalls, DDoS protection, and other network security measures.
• Secure Credentials: All sensitive information (API keys, secrets) is stored in secure environment variables, never in code.

Data Hosting:

• Our frontend is hosted on Vercel (United States)
• Our backend API and database are hosted on Render (United States)
• All data is processed and stored in the United States

Disaster Recovery:

We maintain automated daily backups of our database through Render. In the event of data loss, we can restore from backups within 24 hours. All code is version-controlled in GitHub, allowing for quick recovery and rollback if needed.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security. Any transmission of personal information is at your own risk.

Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping your account credentials confidential.

Student Data & Education Privacy

UniTru is committed to protecting student privacy and complies with applicable education privacy laws:

• COPPA (Children's Online Privacy Protection Act): The Website is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly.
• FERPA (Family Educational Rights and Privacy Act): Where applicable, we comply with FERPA requirements regarding student education records. We do not share student information with third parties except as necessary to provide our services (such as sharing contact information with tour guides for scheduled bookings) or as required by law.

For users between 13 and 18 years of age, parental or institutional consent may be required for certain services, consistent with applicable laws.

If you are a parent, guardian, or school official and have questions about student data privacy or believe your student's information has been collected inappropriately, please contact us at contact@theUniTru.com.

Changes to Our Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last modified" date at the top of this page. If we make material changes to how we treat your personal information, we will notify you by email to the email address associated with your account, or through a notice on the Website homepage.

You are responsible for ensuring we have an up-to-date, active, and deliverable email address for you, and for periodically visiting our Website and this Privacy Policy to check for any changes.