Privacy Policy
Last updated: May 27, 2026
scholgo (“we”, “us”) helps students find, tailor, and submit scholarship applications. This page explains what data we collect, why we collect it, who we share it with, and how to delete it. We’ve written this in plain English because legalese hides things; if anything is unclear, email [email protected].
1. Who this applies to
Anyone who signs up for scholgo via our website (scholgo.com) or our iOS / Android apps. By creating an account, you agree to this policy and to our Terms of Service.
2. Data we collect
We only collect what we actually need to make the product work.
Account data
- Email address — used as your login + to send verification, password reset, and scholarship-match alerts you opt into.
- Password hash — we never see or store your raw password. We use bcrypt to hash it before writing to the database.
- Apple Sign-in token (if you used Sign in with Apple) — Apple gives us a stable opaque identifier; we never receive your raw Apple ID password.
Profile + application data
- CV files you upload — stored encrypted at rest on our server in Germany. We extract text from them locally to power tailoring; we do not send raw CVs to any third party except the LLM provider listed in section 4.
- Scholarship preferences — country, level (Bachelor / Master / PhD), field of study, demographic eligibility flags you choose to share. Used by the matcher to filter the feed; never sold.
- Application history — which scholarships you started, prepared, submitted. Used to deduplicate (so we don’t resurface the same one) and to show you the status timeline.
Technical data
- IP address + user-agent — captured per request in our access logs, kept for 30 days, used only for abuse detection and rate-limiting. Logs are then rotated and deleted.
- Device push token (mobile only) — required by Apple / Google to deliver scholarship-match notifications you opt into. Stored on our server keyed by your account; we never share it externally.
We do not use cookies for tracking. The only cookie we set is the first-party session cookie used to keep you signed in on the web.
3. How we use it
- To match scholarships against your profile (the core product).
- To tailor your CV and cover letter to each scholarship using AI.
- To auto-fill and submit application forms when you ask us to.
- To send transactional emails (verification, password reset, deadline reminders).
- To detect and block abuse (brute-force sign-in attempts, scraping, etc.).
We do not use your data for advertising, lead generation, or any purpose unrelated to running scholgo.
4. Third parties we share data with
We share the absolute minimum needed for these vendors to do their job. We have data processing agreements (DPAs) in place with each.
- SMTP provider (Resend or equivalent) — receives the recipient email address and the message body when we send you a transactional email.
- LLM provider (currently OpenAI; subject to change) — receives the tailoring prompt + your CV text + the scholarship description when you tap “Tailor”. The provider does not retain prompts for training.
- Hosting (Hetzner Online, Germany) — physically runs the servers. Subject to German + EU data protection law.
- Cloudflare — sits in front of our servers for DNS, TLS, and DDoS protection. Sees request metadata but not your CV contents (those go to our origin server over an encrypted tunnel).
We do not sell your data, ever. We do not share it with advertisers, data brokers, scholarship sponsors, or universities. If we ever change this list, we will notify you by email at least 30 days before the change takes effect.
5. Your rights (GDPR / CCPA)
You have the right to:
- Access — see everything we have on you. Hit Settings → Export my data and we’ll generate a JSON archive of every row in our database tied to your account.
- Delete — wipe your account and all associated data. Hit Settings → Delete account. Deletion is irreversible and propagates to backups within 30 days.
- Object to processing — email [email protected] and we’ll honour it within 7 days.
- Lodge a complaint with your local data protection authority. In the EU that’s your national DPA; in the UK it’s the ICO.
6. How long we keep your data
- Account + profile: kept while your account is active. Deleted on request.
- CV files: kept until you delete them in Settings → CV or close your account.
- Application history: kept while your account is active.
- Access logs: 30 days, then rotated and deleted.
- Backups: encrypted, 30-day rolling. Deletions in the live DB propagate within 30 days.
7. How we secure your data
- TLS 1.2+ for every connection between you and our servers.
- Bcrypt password hashes (never plaintext).
- Access tokens rotate every 15 minutes; refresh tokens are stored in your device’s OS-level keychain.
- Backups encrypted at rest using zstd + AES-256.
- Production database is on a private network, not reachable from the public internet.
8. Children
scholgo is intended for users aged 13 and over (the typical earliest age for serious scholarship discovery). If you are under 13, please don’t use scholgo and email us so we can delete your account if one was created.
9. Changes to this policy
We’ll update the “last updated” date at the top of this page when we make material changes. For significant changes (new third-party sharing, new data types collected, etc.), we’ll also email you at least 30 days before the change takes effect so you can decide whether to keep using scholgo.
10. Contact
Privacy questions: [email protected]
General support: [email protected]