Privacy Policy

We’re Unibuddy, and we’re made up of Unibuddy Limited (UK) and our affiliates (Unibuddy Limited (USA), and Unibuddy India Private Limited (India)) (Unibuddy, our, us, we). As well as bringing you a peer-to-peer platform, we’re here to provide transparency about your personal information – which is just what this privacy policy is for.

We’re registered with the UK Information Commissioner’s Office with reference ZA22171.

This privacy policy (together with our Cookie Policy, Terms of Use and where applicable, the Education Provider’s privacy policy), sets out the basis on which any Personal Data we collect from you in relation to services provided through our website at http://unibuddy.com/ (our Website) or use of the services offered via the Website, including:

• Unibuddy Community,
• Unibuddy Chat,
• Unibuddy Assistant,
• the Unibuddy Widget or Traffic Drivers on an Education Provider website, or
• the one of the Unibuddy Mobile Apps

Collectively known as the Platform.

Got questions? Just drop our friendly legal team a message at legal.team@unibuddy.com.

Ambassador means a person acting on behalf of an Education Provider as its representative and interacting with End Users via the Platform.

Business and Service Provider have the same meanings as in the CCPA.

End User means any individual that has access to or engages with the Platform, including Prospective Students, Ambassadors, administrators and other Education Provider Staff.

Consumer means any End User, website visitor or job applicant.

Data Controller, Data Processor, Data Subject, and Supervisory Authority shall have the same meanings as in the Data Protection Laws.

Data Protection Laws includes Regulation (EU) 2016/679 (the GDPR), and applicable subordinate legislation and regulations implementing those including the Data Protection Act 2018 (the DPA), USA state-specific regulations including, but not limited to – the California Consumer Privacy Act of 2018 (the CCPA), California Privacy Acts Right of 2023 (the CPRA), the Virginia Consumer Data Protection Act of 2023 (the VCDPA), Connecticut’s Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA) and/or any applicable local implementation as amended from time to time.

Education Provider means an institution or entity which provides education, such as a college or University and which subscribes to a license to use the Platform.

Education Provider Staff means an employee or authorised representative of an Education Provider who has access to the Platform.

Partner means a third party that hosts the Unibuddy widget on their website or an entity that has an established commercial relationship with Unibuddy.

Personal Data means any information that identifies or relates to a particular individual and also includes information referred to as “personally identifiable information” or “personal information” under applicable Data Protection Laws.

Prospective Student means an individual who is interested in and/or applies for a place at the Education Provider.

Unibuddy Assistant means the product within the Platform that enables End Users to discover content from the Education Provider website, through a simple chat interface.

Unibuddy Chat, including Widget and Traffic Drivers, means the product within the Platform that enables End Users to explore the Education Provider website which is embedded with Ambassadors and Education Provider Staff profiles on the Education Provider website to allow End Users to engage in communications with the Education Provider selected Ambassadors and Education Provider Staff.

Unibuddy Community means a product within the Platform that enables End Users, Ambassadors and Education Provider Staff to engage in communications in an openforum, coordinated by the Education Provider.

Unibuddy Events Recording means a feature of Unibuddy Event that will allow for Education Providers to record their event’s livestream and live sessions, and download them to share and reuse as they see fit. For the avoidance of doubt, the recording will only contain the presenter’s video and other presentation material when the presenter’s screen is shared.

With respect to Personal Data of individuals/consumers collected when you apply for a role at Unibuddy, we will be the Data Controller and certain aspects of this privacy policy will apply to our processing of your personal information.

Minimum User Age 

End Users must be at least 13 years old to use our Platform or such greater age as required in your country or territory to register for or use our Platform without parental approval. Some of our Platform features may only be available to users who are above 18 years old. End Users may be required to submit their date of birth for age verification purposes. Where there is a justifiable reason to use the Platform below the relevant age of consent, parental consent will be required for such use.

You will be asked to provide us with your information when you:

• fill in forms on our Website, Platform, or correspond with us by phone, email or otherwise,
• register to use our Platform (creating a Unibuddy account),
• use the Platform,
• report a problem with our Platform, or
• complete any optional surveys we ask you to fill in.

Where you enter any details relating to a third party, you must have obtained clear permission from the individuals whose data you provide us with before sharing that data with us.

For the avoidance of any doubt, any reference in this privacy policy to your data shall include data about other individuals that you have provided us with.

Unibuddy acting as an Independent Data Controller

Platform and Website Users

When Unibuddy collects Personal Data for the purposes of creating a Prospective Student Unibuddy account, Unibuddy is an Independent Data Controller of the Personal Data and will determine how the Personal Data will be used to best provide the Platform to the End User. In our capacity as an Independent Data Controller, we comply with all applicable requirements of the Data Protection Laws.

End Users

In respect of all End Users, with regard to each of your visits to our Website or use of the Platform, we may automatically collect the following information:

• device-specific information, such as your hardware model, operating system version, unique device identifiers, and mobile network information;
• technical information about your computer, including where available, your IP address, operating system and browser type, for system administration and analytical purposes; and
• details of your visits to our Website, including the full Uniform Resource Locators (URL) clickstream to, through and from our Website (including date and time), length of visits to certain pages, and page interaction information (such as scrolling, clicks, and mouse-overs), details of whether you are using
  the Website or the Platform.

Except in the limited circumstances set out above, Unibuddy will process the Personal Data in its capacity as a Data Processor and Service Provider. The Education Provider is a Data Controller and Business.

Unibuddy acting as a Data Processor

With respect to End Users of the Platform we collect contact information set out below in the table (HOW WE USE YOUR INFORMATION AND JUSTIFICATION OF USE). We work with Education Providers to determine what Personal Data we will collect from End Users and how it will be used. We operate as a Data Processor of the Personal Data collected where the Education Provider is the Data Controller. Where Education Providers provide us with the Personal Data of their Ambassadors and End Users, Unibuddy acts as a Data Processor of such Personal Data. Such Personal Data may include but is not limited to:

• Contact information such as telephone numbers or addresses,
• IP address,
• Country of origin,
• Field of study,
• Personal interests,
• Education level,
• Any relevant Personal Data collected and provided by the Education Provider, or
• Any other Personal Data, including conversation data, voluntarily provided by End Users through the use of the Platform including but not limited to the widget, and Unibuddy Events.

Unibuddy does not solicit special category Personal Data in the provision of the Platform. While there is the potential for such data to be disclosed in open text communications, Unibuddy discourages such disclosures.

When using our Platform, we may collect certain information about you in order to enable your use of the Platform from the following sources:

• Education Providers. Unibuddy receives the Personal Data as set out below to enable End Users to access the Platform.
• Service Providers. For example, we may use analytics Service Providers to analyse how you interact and engage with the Platform, or third parties may help us provide you with customer support. We also use customer experience companies who conduct user interviews, for example, who may share your Personal Data with us when we want to find out more about your opinion and experience of using our services. You will be notified by those third parties before they share your Personal Data with us. Our product is built and served from recognised cloud service providers as detailed on our sub-processors page.
• Social networks connected to the services. If you provide your social network account credentials to us via the bio field or otherwise sign in to the Platform through a third party site or service, you understand some content and/or information in those accounts may be transmitted into your account with us.
  Partners. If you sign up to access Unibuddy through a third party partner website, Unibuddy and/or our partner may indicate that certain data will be shared with that third party.

Use of personal information under certain data protection laws must be justified under one of a number of legal basis and the Education Provider is required to set out the basis in respect of each use of your Personal Data in their privacy policy. These are the principal grounds that justify the use of your Personal Data:

• Consent. Where you have consented to the use of your information (you are providing explicit, informed, freely given consent, in relation to any such use and may withdraw your consent in the circumstance detailed below by notifying us or the Education Provider),
• Contract performance. Where your information is necessary to enter into or perform a contract with you,
• Legal obligation. Where we need to use your information to comply with legal obligations,
• Legitimate interests. Where we use your information to achieve the Education Provider’s legitimate interest and the reasons for using it outweigh any prejudice to your data protection rights, and
• Legal claims. Where your information is necessary to defend, prosecute or make a claim against you or a third party.

In respect of the use of the Platform, Unibuddy (whether acting as Independent Data Controller or Data Processor) uses information held about you (and information about others that you have provided us with) in the following ways:

We will not share your Personal Data (or any other data you provide us with) to third parties for any purpose other than those listed in our sub-processors page. We will not sell your data to any third parties.

Your Personal Data is maintained, processed and stored by us and our authorised Service Providers in Europe, the UK, India and the US. Your Personal Data may also transit other locations as reasonably necessary for the proper performance and delivery of our global Platform, or as may be required by law.

Whenever we transfer, transit, or store your personal data outside of the UK or the EU, we do so in compliance with UK and EU GDPR, which permits international transfers once one of the following safeguards is in place. We ensure that at least one of the mechanisms outlined below is implemented before such actions are taken:

• We will only transfer your personal data to countries that have been recognised by the European Commission or the UK’s Information Commissioner Office as providing an adequate level of protection for personal data.

• When using certain service providers, we may put in place contracts approved under UK data protection laws, ensuring your personal data receives the same level of protection as it would under UK law. For further details, please refer to the European Commission’s Model Contracts for Data Transfers to Third Countries and the UK Information Commissioner Office guidance on UK Standard Model Clauses.

• If we transfer personal data to US-based providers, we may rely on the EU-US Data Privacy framework, which mandates that these providers offer protection equivalent to that required for personal data shared between Europe (including theUK) and the United States.

Education Providers based outside the EEA may be subject to local data privacy legislation. A full list of our third party Service Providers and details of their privacy policies can be found here, which will be updated from time to time. By using our Platform you agree with the Service Providers we use as listed in our Sub-processors. Where we have made changes and have provided you with an updated list of our Service Providers, we will provide you with a notification and 30 days’ notice to determine whether you agree with the changes and continue to use our Platform or alternatively you can discontinue using our Platform.

We will hold the above information for as long as is necessary in order to provide you with the ability to use our Platform, deal with any specific issues that may arise, or otherwise as is required by law or any relevant regulatory body. 

Where Unibuddy acts as a Data Controller, you may delete your account at any time, following which your Personal Data will be immediately and securely deleted.

Some Personal Data may need to be retained for longer to ensure Unibuddy can comply with applicable laws and internal compliance procedures, including retaining your email address for marketing communication suppression if you have opted not to receive any further marketing. If information is used for two purposes, we will retain it until the purpose with the latest period expires but we will stop using it for the purpose with a shorter period when that period expires.

We restrict access to your personal information to those persons who need to use it for the relevant purpose(s). Our retention periods are based on legal requirements and/ or business needs and your information that is no longer needed is either irreversibly anonymised (and the anonymised information may be retained) or securely destroyed.

General Data Protection Regulation (GDPR and GDPR UK)

Under the GDPR and DPA, you have various rights in relation to your Personal Data.

Ambassadors, Education Provider employees and Students should contact the Education Provider in the first instance as their Data Controller. 

All other End Users should contact Unibuddy in the first instance as their Data Controller at legal.team@unibuddy.com.

The Data Controller is primarily responsible for ensuring you can exercise these rights and the Data Processor, shall assist the Data Controller to effectively exercise your rights.

You have the following rights in relation to your Personal Data.

You also have a right to lodge a complaint with your national data protection supervisory authority at any time. 

In the UK, the supervisory authority for data protection is the ICO (https://ico.org.uk/global/contact-us/). Although you have a right to contact your supervisory authority at any time, we kindly ask that you please attempt to resolve any issues with us first.  

For any other queries or complaints not relating to data protection, please refer to “How can you contact us?” at the bottom of this page.

Unibuddy will not ordinarily charge you in respect of any requests we receive to exercise any of your rights detailed above; however, if you make excessive, repetitive or manifestly unfounded requests, we may charge you an administration fee in order to process such requests or refuse to act on such requests. Where we are required to provide a copy of the Personal Data undergoing processing this will be free of charge; however, any further copies requested may be subject to reasonable fees based on administrative costs.

Requests to stop processing your Personal Data or deleting your Personal Data will likely mean that you are no longer able to use Unibuddy’s Platform, or at least those aspects of the Platform which require the processing of the types of Personal Data you have asked us to delete, which may result in you no longer being able to use the Platform.

Where you exercise any of your rights above, the Data Controller may notify third parties to whom such Personal Data has been disclosed of such request. However, such third parties may have the right to retain and continue to process such Personal Data in its own right.

If you are a resident of the State of California, USA, you have the rights outlined in this section. Please see the “Exercising Your Rights” section below for instructions regarding how to exercise these rights. If there are any conflicts between this section and any other provision of this Policy and you are a California resident, the portion that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following applies to you, please contact us at legal.team@unibuddy.com.

You have the following rights under the USA state-specific legislation:

Rights	Details
Right to access	You have the right to access Personal Data held by the Business, including a description of your data. Essential Personal Data held by the Business can be found in the profile section of your Unibuddy account, while further information is available on request. The categories of sources from which Personal Data was collected. The business or commercial purpose for collecting your Personal Data. The categories of third parties with whom we have shared your Personal Data. The specific pieces of Personal Data that we have collected about you. If we have disclosed your Personal Data for a business purpose over the past 12 months, we will identify the categories of Personal Data shared with each category of third party recipient.
Right to correct inaccurate information	You have the right to rectify any details to ensure that your personal information is accurate. In order to assist with this, you should notify the Business of any changes to the personal information that you have provided by sending a request to rectify your Personal Data where you believe the Personal Data collected is inaccurate or incomplete.
Right of deletion	Asking the Business to delete all of your Personal Data will result in the deletion of Personal Data held by that Business without undue delay (unless your Personal Data is required to provide you with the Platform or complete a transaction or other action you have requested). If your deletion request is subject to one of these exceptions, your deletion request may be denied, in which case you will be informed of this in writing.
Right to know what data is being sold  or shared and to whom	We do not sell personal information to any third parties.
Right to Opt-out of Sale and data sharing	You have the right to request that the Business does not sell or share your Personal Data to third parties.
Right to Opt-out of automated decision making	We do not utilise automated decision making.
Right to limit disclosure and use of sensitive information	You have the right, at any time, to direct the Business that collects sensitive personal information about you to limit its use of your sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.
Right of no retaliation	We will not discriminate against you for exercising your rights. We will not deny you our goods or services, charge you different prices or rates, or provide you a lower quality of goods and services if you exercise your rights under the CCPA and CPRA.

To exercise the rights described above, you must send us a Subject Access Request/Valid Request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Data, and (2) describes your request in sufficient detail to allow us to understand, evaluate, and respond to it. Each request that meets both of these criteria will be considered a “Valid Request.” We may not respond to requests that do not meet these criteria. We will only use Personal Data provided in a Valid Request to verify you and complete your request. You do not need an account to submit a Valid Request.

“Authorised Agents”: you may submit a request to know or a request to delete your Personal Information through an Authorised Agent. If you do so, the agent must present signed written permission to act on your behalf and you may also be required to independently verify your identity and submit proof of residency with us. If you have submitted a request via Authorised Agents and have followed the prescriptions above, we shall count these requests as Valid Requests.

We will work to respond to your Valid Request within a 30-day period of receipt for all Valid requests under the GDPR and DPA and 45 days of receipt under CPPA/CPRA. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive, or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request.

You may submit a Valid Request by sending an email to legal.team@unibuddy.com; or by post to: Unibuddy Ltd, 5 New Street Square, London, United Kingdom, EC4A 3TW

Unibuddy and our third-party partners, such as our analytics partners, use cookies and other tracking technologies (e.g., web beacons, device identifiers and pixels) to provide functionality and to recognise you across different Services and devices. For more information, please see our Cookie Policy, which includes information on how to control or opt out of these cookies and tracking technologies.

Use of AI Tools

At Unibuddy, we rely on some limited third party vendors (as highlighted in our Sub-Processors list) that provide Artificial Intelligence (AI) tools as part of our services to enhance user experience, improve our offerings, and streamline various processes. These AI tools are selected after careful review and consideration of how these AI tools will use personal data provided to it through Unibuddy’s use. In addition, we work towards making sure that the AI tools process personal data in accordance with our Privacy Policy.

Unibuddy takes best endeavours in its vendor management, and it is important to note that the use of AI is continually evolving, and we are committed to ensuring transparency and compliance with applicable data protection laws.

If you have any questions or would like more information about how we use AI, please feel free to contact us. You may also request a copy of our AI policy by reaching out to your customer success manager. We are happy to provide you with further details on how AI tools are integrated into our services and how they may impact your data.

Security

Unibuddy is dedicated to ensuring the security of your Personal Data by regularly updating and strengthening our administrative, technical, and physical (often referred to in practice as “TOMs”) measures to prevent unauthorised access, loss, destruction, or modification. We implement a variety of security protocols, including firewalls, data encryption, access controls, multi-factor authentication (MFA), intrusion detection systems, and regular security and vendor audits. These measures are designed to safeguard your information and offer a level of protection appropriate to the potential risks associated with processing your Personal Data.

Unibuddy’s information security team collaborates closely with our legal team to ensure data security by upholding the confidentiality, integrity, and availability (the “CIA” principles) of your Personal Data, as defined under the UK and EU GDPR. These principles are outlined as follows:

• Confidentiality ensures that only authorised individuals have access to the Personal Data.
• Integrity guarantees that Personal Data is accurate, complete, and appropriate for its intended purpose.
• Availability ensures that authorised users can access the Personal Data when needed for legitimate and authorized purposes.

By adhering to these principles, we aim to protect your Personal Data throughout its lifecycle with us.

Our Website may, from time to time, contain links to third party websites. If you follow a link to any of those third party websites, please note that they have their own Privacy Policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you submit any personal information to such third party websites.

Any changes we make to our privacy policy in the future will be posted on this page. When we make significant changes, we will make such changes clear on this page, or by some other means of contact such as email or notifications via the Platform. Your continued use of the Platform and the Website shall be deemed your acceptance of the varied privacy policy.

If you have any further questions or would like to exercise any of the rights set out above, please contact us at legal.team@unibuddy.com. We always welcome your comments or suggestions, including thoughts on how we can improve or clarify this privacy policy.