v1.0 DRAFT. This document is a draft awaiting legal review. Last updated: 2026-04-27.

Privacy Policy

Last updated: 2026-04-21. Version: 1.1 (draft, pending legal review).

This policy explains what personal data Accepted processes, why, and on what basis. For school-licensed deployments, the licensing school is the data controller and this policy operates alongside the school's own privacy information and Data Processing Agreement.

1. Who is responsible for your data

Direct-to-student subscriptions (individual users): Sunny Soft LTD (trading as Accepted) is the data controller. Registered at Racho Dimchev 2 str., Sofia, Bulgaria.

School-licensed deployments: the licensing school is the data controller. Sunny Soft LTD acts as data processor under a signed Data Processing Agreement with the school.

Contact for data-protection matters: hello@getaccepted.io

2. What we collect

Account data

  • Email address and a hashed password
  • Display name and role (student, parent, counsellor)

Educational profile (students)

  • IB subjects and predicted grades
  • Extended Essay, Theory of Knowledge, and CAS information
  • Career interests, language proficiencies, extracurricular activities
  • Target country and budget preferences

Application data

  • University shortlists, applications and their status
  • Deadlines, tasks, documents created in Accepted (personal statements, motivation letters, CV content)
  • Offers received and their conditions
  • Counsellor notes (visible only to assigned counsellors)

Family preferences (parents) — budget, preferred countries, free-text notes about family priorities

Technical

  • Login session metadata
  • Your chosen language preference, stored locally in your browser so the site loads in the same language on future visits. This is strictly necessary technical storage and does not require consent under EU rules.
  • Page-view analytics and product-usage events via Google Analytics 4 (pages visited, time on page, and key in-product actions to help us understand and improve the product). For users who are logged in and have accepted analytics cookies, a pseudonymous account identifier is associated with analytics events. The identifier is a randomly generated reference — not a name, email, or other personal information — and cannot on its own identify you. It is used solely to understand product usage across visits and improve the service. IP addresses are anonymised before transmission. You can change your cookie choice at any time via the Cookie preferences link in the footer.
  • Subscription metadata for direct-to-student users (plan, renewal dates, payment-processor IDs — no card numbers)

We do not collect: passport scans, financial information beyond subscription billing metadata, health data, biometric data, or social-media accounts.

3. Why we process your data

  • Contract performance (Art. 6(1)(b)): to provide the service you subscribed to or were invited to by your school
  • Consent (Art. 6(1)(a)): product analytics cookies — set only when you accept via the cookie banner; you can withdraw at any time using the Cookie preferences link in the footer
  • Legitimate interest (Art. 6(1)(f)): service improvement, fraud prevention, security monitoring
  • Legal obligation: financial records required by the Bulgarian Accountancy Act

We do not use your data for marketing. The platform sends only transactional emails (deadline reminders, invitations, password reset) — no newsletters, no promotional campaigns.

4. Sub-processors

We use these sub-processors:

  • Anthropic (US — Data Privacy Framework certified) — AI text generation. 30-day default retention; zero-retention enterprise agreements available for school partnerships. No model training on API data.
  • Voyage AI (US) — vector embeddings. We send (a) static university and programme data, and (b) at query time, short anonymised profile summaries for semantic search (predicted IB total, subjects, career-interest keywords). No names, contact details, or free-text essays are sent.
  • Google Cloud Platform (europe-west1, Belgium) — hosting for PostgreSQL, Cloud Run application server, and Cloud Storage for files.
  • Google Analytics 4 (Google LLC, US — Google Analytics Terms of Service) — page-view and product-event analytics. Cookies are set only after you accept analytics in our cookie banner. Pseudonymous account ID for logged-in users is transmitted on each event when consent is granted. Anonymised IPs only. Data is processed by Google in the EU and US under Standard Contractual Clauses. You can withdraw consent at any time via the Cookie preferences footer link.
  • MongoDB Atlas (on GCP, europe-west1) — document storage (essays, drafts, timelines).
  • Google (Gmail SMTP relay) (Google LLC, US — Data Privacy Framework certified; EU Data Boundary) — transactional email delivery (deadline reminders, invitations, password reset). No marketing email data.
  • Paddle (EU entity — direct-to-student subscriptions only) — subscription billing as Merchant of Record; PCI-compliant, handles VAT.

International transfers to Anthropic and Voyage AI use Standard Contractual Clauses.

5. Retention

  • Active account data: kept while your account is active
  • After account deletion: 30 days, then purged
  • Financial records (subscriptions): retained for periods required by the Bulgarian Accountancy Act — typically 5 years for invoices and 10 years for accounting registers
  • Server logs: 90 days
  • Contact-form messages: 2 years, then purged
  • Audit log of data access: 2 years

6. Your rights

Under GDPR (and UK GDPR for UK users) you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — delete your account and data
  • Portability — receive your data in a structured format (JSON)
  • Restriction — suspend processing
  • Objection — object to processing based on legitimate interest
  • Withdrawal of consent — where processing is based on consent (where applicable)
  • Cookie preferences: You can accept or reject analytics cookies at any time using the Cookie preferences link in the footer. Withdrawal of consent is as easy as giving it. Necessary cookies (login session, language) cannot be disabled because they are required for the service to function.

Contact hello@getaccepted.io to exercise any of these rights. You may also complain to the Bulgarian Commission for Personal Data Protection (cpdp.bg), the UK Information Commissioner's Office (ico.org.uk), or your own national supervisory authority.

7. Minors

Accepted is designed for IB students, typically aged 16–19. Users under 16 must have the consent of a parent or guardian before registering. We do not knowingly collect data from children under 13. In school-licensed deployments, the licensing school is responsible for obtaining any parental consent required under its policies before issuing invitations.

8. Parental access

Students aged 16 and over may invite a parent to view a read-only summary of their applications, deadlines, offers, documents, costs, and career report. A school counsellor may request parental access on behalf of a student; in that case, the student must explicitly confirm before the invitation is sent. Students can revoke parental access at any time; revocation takes immediate effect.

Parents do not see: counsellor-only notes, private counsellor-student communications, or data about any student other than the one who invited them.

9. Security

  • TLS encryption in transit for all traffic
  • Encryption at rest provided natively by GCP and MongoDB Atlas for all production data
  • Role-based access control with four roles (student, parent, counsellor, admin), enforced via JWT authentication
  • Audit logging of profile and document access
  • Rate limiting on authentication and AI endpoints
  • Independent third-party security review commissioned before school pilot deployments

10. Cookies

We use browser localStorage to keep you logged in and remember UI preferences (language, filter state). The cookie banner stores your consent choice in a small first-party cookie (cc_cookie). When you accept analytics cookies, Google Analytics 4 sets two cookies (_ga and _ga_<measurement-id>) used to recognise return visits and stitch sessions; without consent, no analytics cookies are set and Google Analytics operates in cookieless ping mode (aggregate data only). For users who are logged in and have accepted analytics cookies, a pseudonymous account identifier is associated with analytics events to support analysis of product usage across visits. We do not use advertising trackers or set advertising cookies.

11. Changes

We will give notice by email 30 days before any material change to this policy. The version number and "Last updated" date above are authoritative.