Privacy Notice

1. Data controller and scope

School Fit Finder operating team acts as the data controller for School Fit Finder. This notice explains how personal data is processed when a visitor uses the assessment, creates an account, unlocks a protected result, or explicitly requests partner-school contact.

This document should be reviewed together with the public support and terms pages so visitors can understand the difference between public guidance, member-only features, and optional lead sharing.

2. Data categories

• Account data: full name, email address, password hash, verification records, session and security logs.
• Assessment data: intake answers, assessment answers, calculated result, saved schools, and member-side history.
• Partner-lead data: explicit partner-sharing consent, marketing preference, verified account email, and lead verification records.
• Technical data: IP-derived security logs, browser/session identifiers, analytics events, page paths, and referrer information.

3. Purposes of processing

• To provide the assessment, create and protect member accounts, and display the locked result only after sign-in.
• To store the member result, respond to support requests, prevent misuse, and maintain system security.
• To share verified lead data with partner schools only after separate and explicit consent plus lead-email verification.
• To measure conversion and product quality through analytics and conversion tracking.

4. Legal basis and collection method

Personal data is collected electronically through forms, cookies or similar technologies, security telemetry, and authenticated platform activity. The legal basis depends on the processing purpose and may include contract performance, legitimate interests, legal obligations, and explicit consent where required.

Partner-school sharing and optional marketing communication are separated from the basic account and result flow. They are not bundled into a single checkbox.

5. Recipients and transfers

Verified partner-lead data may be transferred to verified partner schools within the scope described in the consent layer. Infrastructure vendors, analytics providers, and email service providers may also receive limited data strictly as processors or service providers where required for operations.

If cross-border data transfer is involved, additional contractual or legal safeguards should be documented before production launch.

6. Retention

• Account and security records are retained while the account remains active and for a reasonable follow-up period required for legal, audit, or security obligations.
• Partner leads are retained according to the active lead-retention policy and may be deleted earlier after a valid erasure request when no overriding legal obligation applies.
• Analytics events are retained in aggregated or event-level form only for the operational window defined by the operator.

7. Data subject rights

• Request information about whether personal data is processed.
• Request access, correction, deletion, restriction, objection, or portability where applicable.
• Withdraw explicit consent for partner-school sharing or marketing without affecting prior lawful processing.

8. Contact and response handling

Privacy requests should be sent to privacy@schoolfitfinder.org. Operational help can be requested through support@schoolfitfinder.org. Terms-related notices can be sent to legal@schoolfitfinder.org.

Target first response window: within 2 business days.

Document version: 2026-04-05