Privacy Policy

Effective Date: March 6, 2026 · Last Updated: March 6, 2026

1. Introduction

Studiously LLC ("Studiously," "we," "us," or "our") operates the Studiously Connect platform (the "Platform"). This Privacy Policy describes how we collect, use, store, and protect personal information when you use our Platform.

Studiously provides alumni engagement services to educational institutions ("Schools"). Schools act as the data controller for personal data provided to us, and Studiously acts as the data processor. The specific terms governing our processing of personal data on behalf of each School are set out in a Data Processing Agreement ("DPA") between Studiously and the School.

This Privacy Policy applies to all users of the Platform, including students, alumni, and school administrators.

2. Information We Collect

2.1 Information Provided by Your School

Your School provides us with alumni directory information to populate the Platform. This may include:

• Name
• Email address
• Graduation year
• College or university attended
• Major or field of study
• Current employer and role/title
• Location (city/state)
• Biographical summary

For students, your School provides your name, email address, graduation year, and school affiliation.

2.2 Information Generated Through Platform Use

When you use the Platform, we may generate or collect:

• Authentication tokens (via Google or Microsoft OAuth)
• Alumni profile enrichment data (industry classification, seniority level, company type) generated through AI-powered analysis
• Search embedding vectors used to power alumni discovery
• Message content and metadata exchanged through the Platform (see Section 4.5 regarding School administrator access)
• Engagement data (outreach activity, response rates, calendar bookings)
• Platform usage logs for security and operational purposes

2.3 Information We Never Collect

We do not collect or process: grades, transcripts, GPA, test scores, disciplinary records, health records, financial information, Social Security numbers, government-issued identification numbers, biometric data, or any special categories of personal data as defined under GDPR Article 9.

3. How We Use Your Information

We use personal information solely to provide and operate the Platform. Specifically, we use your information to:

• Provide and maintain the alumni directory and search functionality;
• Facilitate messaging between students and alumni, and among alumni;
• Enrich alumni profiles with industry and seniority classifications to improve search quality;
• Provide engagement analytics to School administrators;
• Enable calendar integration for scheduling meetings;
• Maintain platform security, prevent abuse, and troubleshoot technical issues;
• Fulfill our obligations under our agreements with your School.

We do not use your information for advertising, marketing, behavioral profiling, or any purpose other than providing the Services described above.

4. How We Protect Your Information

4.1 Data Isolation

Each School's data is isolated at the database level through three independent enforcement layers: Row Level Security (RLS) policies on every table, server-side school identification derived from authenticated tokens, and database triggers validating school ownership on every write. No School's data is accessible to other Schools or unauthorized users.

4.2 Email Anonymity

Students and alumni never see each other's personal email addresses. All communications are routed through platform addresses (e.g., {school}@connect.studiously.ai). This is an architectural design enforced at the infrastructure level.

4.3 Encryption

All data in transit is encrypted using TLS/HTTPS. All data at rest is encrypted using AES-256 encryption via AWS RDS.

4.4 Authentication

Authentication is handled via Supabase Auth with PKCE flow. Tokens are signed using ES256 (ECDSA P-256) and verified against rotating JWKS keys on every API call. Only pre-approved users may access the Platform; there is no open registration.

4.5 Access Control

Role-based access control (student, alumni, admin) is enforced at both the application and database levels. Studiously platform administrators may access school-level aggregated metrics and message metadata solely for platform operations, abuse investigation, legal obligations, or at the School's request. All internal access is authenticated, role-verified, and logged.

School administrators designated by each School have access to message content exchanged between students and alumni within their institution through the administrative dashboard. This access enables Schools to monitor engagement quality, provide student support, and ensure appropriate use of the Platform. School administrators do not have access to data belonging to other Schools.

5. Third-Party Sub-processors

We use the following categories of third-party service providers to operate the Platform:

• Cloud infrastructure and database hosting (Amazon Web Services, Supabase)
• Application hosting (Vercel)
• Email delivery (Resend)
• Authentication (Google, Microsoft)
• AI-powered enrichment and search (OpenAI)

Alumni profile data processed via the OpenAI API includes names, companies, roles, locations, and biographical summaries only. No email addresses, contact information, or student data is sent to OpenAI. Processing is API-only with zero data retention; data is not used for model training.

All sub-processors are located in the United States. A complete list of authorized sub-processors and their specific purposes is maintained in the DPA between Studiously and each School.

6. Data Retention and Deletion

We retain personal data only for as long as necessary to provide the Services under our agreement with your School. When a School's agreement with Studiously terminates, we will, at the School's election, either return all personal data in a machine-readable format (such as CSV) or permanently delete all personal data within thirty (30) days.

We do not retain School data after the termination of our relationship. Platform usage logs are retained for seven (7) days for security and operational purposes and are automatically deleted thereafter.

7. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing

Because Studiously acts as a data processor on behalf of your School, requests to exercise these rights should be directed to your School in the first instance. If you contact us directly, we will notify your School and coordinate with them to fulfill your request.

7.1 Alumni Opt-Out

Alumni may indicate a "do not contact" preference through the Platform at any time. This preference is enforced at the platform level, preventing students from initiating outreach to that alumni member.

8. Children's Privacy

The Platform is designed and intended for use by students in their junior and senior years of high school and above (typically ages 16–18+). We do not knowingly collect personal information from children under the age of 13. If a School permits access to students under 13, the School is solely responsible for obtaining verifiable parental consent under COPPA prior to the student's use of the Platform.

9. FERPA Compliance

The Platform is designed to process alumni directory and professional networking information only. We do not process Education Records as defined under FERPA (20 U.S.C. § 1232g). The data categories we process are limited to information that Schools typically share through alumni directories and networking programs.

To the extent any data provided constitutes "directory information" under FERPA, it is the School's responsibility to designate such information appropriately and provide required notice to students.

10. State Privacy Laws

Studiously complies with applicable state privacy laws, including the California Consumer Privacy Act (CCPA/CPRA) and state student privacy laws such as SOPIPA and equivalent legislation. We do not sell personal information, use student data for targeted advertising, or create advertising profiles of students.

11. International Data Transfers

Our infrastructure is located in the United States (AWS us-east-1 region). If personal data originating from the European Economic Area, United Kingdom, or Switzerland is transferred to us, appropriate safeguards (such as Standard Contractual Clauses) will be put in place as detailed in the DPA between Studiously and the School.

12. Data Breach Notification

In the event of a personal data breach, we will notify the affected School without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach. We will provide details of the nature of the breach, the data affected, the likely consequences, and the measures taken to address it.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify Schools through their designated point of contact. The "Last Updated" date at the top of this policy indicates when revisions were last made.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Studiously LLC
howard@studiously.ai