Privacy Policy

EuroDesk OS ("we", "our", or "us") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, and share information when you use our platform at eurodesk.io.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your email address, name, and agency name. Authentication is handled by Supabase Auth. We do not store passwords directly — they are hashed and managed by Supabase.

1.2 Student Data

As an agency user, you may upload student information including names, email addresses, nationalities, target countries, and academic transcripts. This data is stored in a PostgreSQL database hosted by Supabase and is scoped to your agency account using Row Level Security (RLS).

1.3 Uploaded Documents

Transcript files (PDF, PNG, JPG) and visa-related documents are stored in private Supabase Storage buckets. Files are organized by agency ID and student ID and are only accessible to authenticated users within the same agency.

1.4 Usage Data & Cookies

We use cookies and may collect anonymous usage analytics to improve our platform, including page views, feature usage patterns, and performance metrics. This data does not identify individual users. You can manage your cookie preferences at any time through the Cookie Preferences page in your dashboard settings. Necessary cookies for authentication and security are always enabled.

2. How We Use Your Information

• Provide and maintain the EuroDesk OS platform
• Process uploaded transcripts using AI (Google Vertex AI) to extract academic data
• Convert grades and credits to the European ECTS system
• Match students to universities based on their academic profile
• Monitor visa requirements and alert you to policy changes
• Manage your agency account and user access
• Improve our platform and develop new features
• Communicate with you about service updates, billing, and support

3. AI Processing and Third-Party Services

3.1 Google Vertex AI

When you upload a transcript, the file is sent to Google Vertex AI for parsing. The AI extracts course names, grades, credits, and GPA information. Google processes this data as a sub-processor under our agreement. Uploaded files are not stored by Google and are only used for the purpose of parsing. We may update the underlying AI model from time to time to improve accuracy and performance.

3.2 Supabase

Supabase provides our database, authentication, and file storage infrastructure. All data is encrypted in transit and at rest. Supabase operates under SOC 2 Type II compliance.

3.3 Vercel

Our frontend application is hosted on Vercel. Vercel may collect standard server logs for operational purposes.

3.4 Google Cloud Run

Our backend API is hosted on Google Cloud Run. Standard infrastructure logs are collected for monitoring and debugging purposes.

4. Data Security

We implement industry-standard security measures to protect your data:

• All data is encrypted in transit (HTTPS/TLS) and at rest
• Row Level Security (RLS) ensures agencies can only access their own data
• Private storage buckets with agency-scoped access paths
• Service role keys are used only server-side and never exposed to the frontend
• Rate limiting on AI processing endpoints to prevent abuse
• CORS restrictions to authorized domains only
• File type validation and size limits (10 MB maximum)

4.1 Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. We will also notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

5. Data Sharing and Disclosure

We do not sell, trade, or rent your personal data. We may share data only in the following circumstances:

• With your consent: When you explicitly authorize us to share data
• With service providers: Supabase, Google Cloud, and Vercel as described in Section 3
• For legal compliance: If required by law, regulation, or legal process
• To protect rights: To protect the safety, rights, or property of EuroDesk OS or others

6. Data Retention

We retain your data for as long as your agency account is active. You may delete student records, transcripts, and documents at any time through the platform. You may delete your entire agency account and all associated data at any time through the Settings page in your dashboard. Alternatively, contact us at support@eurodesk.io. Upon termination, all data is deleted within 30 days, with backup copies removed within 90 days.

7. Your Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data ("right to be forgotten")
• Portability: Request a machine-readable copy of your data
• Objection: Object to processing of your data for certain purposes

7.1 Exercising Your Rights

You can exercise your rights directly through the platform:

• Data Export: Go to Settings → Data Export → "Export My Data" to download all your data in JSON format
• Account Deletion: Go to Settings → Danger Zone → "Delete Account" to permanently remove all your data
• Cookie Preferences: Go to Settings → Cookie Preferences to manage your consent choices

To exercise any of these rights via email, contact us at support@eurodesk.io. We will respond within 30 days.

8. GDPR Compliance

EuroDesk OS is a global platform available to agencies worldwide, specializing in European university admissions, ECTS requirements, and European visa compliance. We comply with the General Data Protection Regulation (GDPR) and apply its principles to all users regardless of location. We act as a data processor for the student data you upload, while you (the agency) act as the data controller. Our legal basis for processing is the performance of our service agreement with you. See our Data Processing Agreement for full details.

9. Children's Privacy

EuroDesk OS is a B2B platform intended for use by authorized agency personnel. We do not knowingly collect personal data from children under 16. Student data processed through our platform is provided by agencies in the course of their professional services. Agencies are responsible for obtaining proper consent from students (or their parent/guardian if under 16) before uploading their data.

10. International Data Transfers

The majority of your data is processed and stored within the European Economic Area (EEA) — specifically in Frankfurt, Germany. This includes your database, authentication, file storage, frontend hosting, and backend API.

Limited data transfers outside the EEA occur only for:

• Google Vertex AI: Transcript files are sent to Google's AI infrastructure (United States) for parsing. Files are not stored and are used solely for parsing.
• PayPal: Payment transaction data is processed in the United States.

For all transfers outside the EEA, we ensure appropriate safeguards:

• Standard Contractual Clauses (SCCs): We rely on the EU Standard Contractual Clauses approved by the European Commission for transfers to countries without an adequacy decision
• Supabase: Privacy Policy
• Google Cloud: Compliance certifications and SCCs
• Vercel: Privacy Policy
• Resend: Legal (EU region: Ireland)

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date. We encourage you to review this policy periodically.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Email: support@eurodesk.io
• Website: https://www.eurodesk.io
• Data Processing Agreement: View DPA