Privacy Policy

Quick summary

• We collect what you give us (essay drafts, profile, Insight Question answers) plus basic usage data to run the Service.
• We send your essays to Google Gemini to generate AI feedback. Gemini does not use your data for training under its enterprise API terms.
• We do not sell your data to advertisers, data brokers, or third parties.
• You can delete your account and all its data at any time from the Profile page.
• We take reasonable security steps (encryption in transit, row-level database access controls, authenticated APIs), but no system is perfectly secure.

Details follow below.

1. What we collect

You give us, when you sign up:

• Email address and password (password is hashed; we never see it in plain text)
• Your full name
• Age confirmation (13+) and optional indication of whether you are under 18

You give us, when you use the Service:

• Academic profile: GPA, SAT/ACT scores, AP classes, extracurriculars, awards
• College list (which schools you're applying to)
• Essay drafts, revisions, and all content you type into the essay editor
• Insight Question reflections (private brainstorming notes)
• AI guidance history (feedback we've generated for you)
• Invitations and comments (if you invite a counselor or parent to review)

We automatically collect:

• Session information (when you log in, which pages you use, how often)
• Usage metrics (AI feedback request counts, for rate limiting and budgeting)
• Technical data (browser type, IP address, errors) through our hosting provider, used for debugging and security

If you subscribe:

• Payment information is handled by Stripe. We receive a subscription status and a Stripe customer ID; we do not store your card number.

2. How we use your information

We use your information to:

• Provide the Service — store your work, show it back to you, transmit it to our AI subprocessor for feedback generation
• Personalize AI feedback by drawing on your profile and Insight Question context
• Enforce usage limits, prevent abuse, and detect fraud
• Email you operational notices (subscription receipts, security alerts, significant product changes)
• Improve the Service (aggregated, de-identified analytics about which features are used; we never use your essays themselves for this)

We do not use your essays, Insight Question answers, or profile to train AI models — neither our own, nor our subprocessors'. We do not sell or rent your data to advertisers or data brokers. We do not use your content to generate content shown to other users.

3. Who we share it with (subprocessors)

We rely on trusted third parties to operate the Service. Each processes data only on our instructions and has its own privacy commitments:

• Supabase (database, auth) — stores all your essays, profile data, and authentication records. US-hosted.
• Google Gemini API — receives your essay content + context at the moment of AI feedback generation. Under Google's enterprise API terms, inputs and outputs are not used for training.
• Vercel (web hosting) — serves the web application and handles API requests. Logs technical metadata (IP, request path).
• Stripe (payments) — processes subscription billing. Stores payment card details on their systems; we never see them.
• Resend (email) — delivers transactional email (invitation emails, system notices). Receives recipient email + email body.
• Upstash (rate limiting, usage tracking) — stores counters keyed by your user ID; does not store essay content.

We will only change subprocessors without notice in an emergency. For non-emergency changes, we will update this list and, where we think it matters to you, notify you by email or through the Service.

4. How we protect your information

• All traffic between your browser and our servers is encrypted via HTTPS
• Database rows are protected by row-level security — User A cannot read User B's essays or Insight Question answers even at the database level
• Authentication uses signed session tokens; passwords are hashed (we never see them)
• AI feedback calls are rate-limited and bounded by monthly usage caps
• Internal access to user data is restricted and logged

No system is perfectly secure. If we ever discover a breach affecting your personal information, we will notify you within the time required by law and take appropriate remedial steps.

5. How long we keep your information

We keep your content for as long as your account is active. If you delete your account (from the Profile page), we delete your essays, essay versions, Insight Question answers, college list, activities, awards, AI guidance history, subscription record, and sign-in record. This is immediate and cannot be undone.

We may retain minimal records of a deleted account (e.g., email address + a deletion timestamp) to comply with legal obligations or fraud prevention. We do not retain your essay content, Insight Questions, or profile after deletion.

Backup systems may retain deleted data for up to 30 days before they are overwritten on their normal cycle.

6. Your rights

Regardless of where you live, you have the right to:

• Access — see what we have about you (much of it is visible in the app; you can also email us for a full export)
• Correct — fix inaccurate information about you
• Delete — remove your account and all associated data
• Object or restrict — ask us to stop or limit certain processing of your data

If you are in California

Under the California Consumer Privacy Act (CCPA/CPRA), you have rights to know, delete, correct, and opt out of sale/sharing (we don't sell or share your data, so opt-out is automatic). You also have the right to be free from discrimination for exercising these rights.

If you are under 18 in California, you have an additional right to request removal of content you have posted (the "Eraser Button" law). The account deletion option on the Profile page satisfies this; or email us.

How to exercise your rights

For most requests, use the Profile page (to edit or delete) or email privacy@my-vantage.app. We will respond within 30 days and may need to verify your identity before honoring requests about sensitive data.

7. Cookies and tracking

We use cookies that are necessary to operate the Service — primarily to keep you logged in. We do not use third-party advertising cookies or cross-site tracking cookies.

We may use privacy-preserving analytics to count things like total monthly active users or which features are used, with no personally identifiable information transmitted.

8. Users under 18

Vantage is intended for students aged 13 and older, with a focus on high school students preparing for college. We collect the minimum age information we need (13+ confirmation) and do not ask for a precise birth date unless required for a specific feature.

If you are under 18, we encourage you to review this policy and our Terms of Service with a parent or guardian. Paid subscriptions require that a parent or guardian authorize the purchase on your behalf.

We do not knowingly collect personal information from children under 13. If you are a parent and believe your child under 13 has created an account or submitted information to us, contact privacy@my-vantage.app and we will delete the account.

9. International users

Vantage is operated from the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US, where privacy laws may differ from your home country. By using the Service, you consent to this transfer.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Effective" date above. For material changes — especially changes to what we collect or how we share it — we will notify you through the Service or by email before they take effect.

11. Contact us

Questions, concerns, or data requests? Email privacy@my-vantage.app.