Privacy Policy

Effective date: May 14, 2026 · Last updated: May 14, 2026

This policy applies to conari.ai and all subdomains.

1. Who we are

Conari (“Conari”, “we”, “our”, or “us”) operates the AI-powered college admissions platform at conari.ai. We are the data controller of the personal information described below (under EU/UK GDPR terminology) and the business that collects it (under California CCPA/CPRA terminology).

Our service is designed for prospective undergraduate, masters, and PhD applicants applying to universities in the United States, United Kingdom, and elsewhere.

We do not currently have a designated Data Protection Officer (DPO) because our processing volume does not yet require one under GDPR Article 37. For privacy questions, contact [email protected] with the subject Privacy Request.

2. Information we collect

We collect the categories of personal information listed below. These map to the CCPA/CPRA personal-information categories noted in parentheses.

Account information (identifiers; customer records)

Name, email address, hashed password, account creation date, plan tier. If you sign in with Google, we receive your name, email address, profile picture URL, and Google account ID (the OAuth sub claim).

Profile & application data (professional/employment information; education information; inferences)

Academic information you provide (GPA, test scores, activities, awards, work experience, target field of study), your list of target universities, essays, supplemental responses, recommender details, scholarship applications, and AI-derived inferences (recommended schools, fit scores, narrative themes).

Usage data (internet/network activity)

Which AI tools you use, how many AI requests you make per day, navigation paths within the dashboard, feature interactions. We use this to enforce plan limits and improve the service.

Device & technical data (internet/network activity; geolocation — country-level only)

IP address, browser type and version, operating system, device type, approximate country (derived from IP at our CDN edge; we do not collect precise geolocation), referrer URL, request timestamps. Captured in standard server logs and CDN edge logs.

Payment information (commercial information)

We use Stripe for payment processing. We store only your subscription plan status, billing cycle anchor, and Stripe customer/subscription IDs — we never store full credit-card numbers, CVVs, or bank details. Stripe’s privacy policy applies to payment data.

Communications (customer records)

Emails or messages you send us (e.g., support inquiries to [email protected]), and our replies.

Sensitive personal information

We do not intentionally collect “sensitive personal information” as defined by CPRA Cal. Civ. Code §1798.140(ae) (precise geolocation, racial or ethnic origin, religious or philosophical beliefs, genetic data, biometrics, health data, or contents of mail/email/messages not addressed to us). However, the essays you write and submit may, at your option, mention sensitive topics. We treat that content with the same security as the rest of your account data and do not separately process it as sensitive information.

3. How we use your information & the legal basis

Under GDPR Article 6 we must identify a legal basis for each processing purpose. For users in the EU, UK, EEA, Switzerland, and Brazil, our bases are:

  • Contract (Art. 6(1)(b)) — providing the platform, processing essays through AI, managing your subscription, sending transactional emails (welcome, verification, password reset, billing notices, account-deletion confirmation).
  • Consent (Art. 6(1)(a)) — analytics cookies (Google Analytics 4), preference-based emails (deadline reminders, onboarding nudges). Consent is opt-in via the cookie banner and the dashboard email-preferences settings, and is freely revocable.
  • Legitimate interest (Art. 6(1)(f)) — security monitoring, abuse prevention (rate limiting, anti-fraud), aggregate product analytics, debugging. Balanced against your rights; you may object via [email protected].
  • Legal obligation (Art. 6(1)(c)) — retention of payment-related records as required by tax and accounting law, responding to lawful requests from authorities.

4. AI processing

When you use AI features (essay feedback, school recommendations, narrative audit, etc.), the relevant content is sent to our AI inference provider for processing. Our provider is contractually bound to (i) process API content solely to return responses to us, (ii) not use API content to train its models, and (iii) process data in the United States. Cross-border transfers from the EU/UK/EEA/Switzerland are made under EU Standard Contractual Clauses (SCCs). The specific provider name, DPA, and SCCs are available on request — see Section 16.

We do not sell your essays or personal statements to any party. AI responses are generated synchronously, returned to you, and stored only where you choose to save them in your profile.

Automated decision-making & profiling

Some features make automated suggestions (recommended schools, fit scores, application-readiness scores). These are decision-support tools, not decisions with legal or similarly significant effect on you under GDPR Article 22 — you remain in control of which schools to apply to, which essays to submit, and what to do with the suggestions. You may always request human review of any AI output by emailing [email protected].

5. Email communications

Account-related emails are sent from [email protected] via our transactional email delivery provider (DKIM-signed from the conari.ai domain).

Transactional emails (legal basis: contract — required for the service)

  • Welcome email after signup
  • Email-address verification (one-time link, plus on-request resend)
  • Password reset (only when you request it)
  • Password change confirmation
  • Subscription confirmation, cancellation confirmation, failed-payment notice
  • Account deletion confirmation

These cannot be disabled while your account is active because they are necessary to operate the service securely.

Preference-based emails (legal basis: consent — opt-in)

  • Application deadline reminders (30 / 14 / 7 / 1 days before each tracked school’s deadline)
  • Onboarding nudges on day 3 and day 7 if your profile is incomplete

You can disable these at any time from Dashboard → Settings → Email notifications. Every preference-based email also includes a one-click link to that page.

Bounce & complaint handling

We monitor bounce and complaint feedback from our email provider. If your email permanently bounces or you mark a message as spam, your address is added to a suppression list and we stop sending email to it. Suppression entries are retained as long as your account is active to protect deliverability reputation. Contact us at [email protected] if you believe an address was suppressed in error.

6. Third-party processors & data locations

We use third-party providers to operate the platform. Each is bound by contract (Data Processing Agreement and/or Standard Contractual Clauses) to use personal information only for the agreed purpose and to maintain appropriate security. We disclose the categories of providers below; the names of two consumer-facing providers (Stripe for payments, Google for optional sign-in and consent-gated analytics) are listed because you interact with their interfaces directly. The specific identities of other providers are available on request — see Section 16.

Category | Purpose | Location
AI inference provider | Generating essay feedback, recommendations, and other AI features | United States
Stripe (payments) | Subscription & payment processing | United States (global)
Transactional email delivery provider | Welcome, verification, password reset, billing notices, deadline reminders | United States
Cloud hosting & database provider | Application servers, PostgreSQL database, encrypted backups | United States
CDN, DNS, & security provider | Edge caching, TLS termination, DDoS protection, country-level geolocation | Global edge network
Google (OAuth) | Optional sign-in via your Google account | United States (global)
Google (Tag Manager + Analytics 4) | Aggregate site analytics — loads only after you accept analytics cookies | United States (global)
Google Ads, LinkedIn Insight Tag, Meta Pixel (Facebook/Instagram) | Advertising — measure campaign performance, attribute signups to ad clicks, build retargeting audiences. Loads only after you accept analytics/marketing cookies; clicking Reject all / Essential only blocks all of these. | United States (global)

We add new categories of processors only when needed and update this list when we do. Significant additions (e.g. a new AI provider for a different feature, a new advertising channel) are notified in advance via email or a banner.

7. International data transfers

Our infrastructure and most processors are located in the United States. If you are accessing Conari from the EU, UK, EEA, Switzerland, Brazil, or another country with data-export restrictions, your personal information will be transferred to and processed in the United States.

We rely on the following safeguards for these transfers:

  • EU–U.S. Data Privacy Framework (DPF) — for transfers to processors that self-certify under the DPF (this includes Stripe, Google, and the majority of our other US providers). The DPF is the successor to Privacy Shield, recognized by the EU Commission’s adequacy decision of July 2023.
  • Standard Contractual Clauses (SCCs) — incorporated into our Data Processing Agreements with processors that are not DPF-certified, providing the contractual safeguards the EU Commission has approved.
  • Supplementary measures — TLS encryption in transit, encryption at rest, access controls, and least-privilege defaults across our processors.

You may request a copy of the relevant transfer mechanism (DPF certificate, SCCs, or both) by emailing [email protected].

8. Cookies & tracking

We use the following cookies and similar local-storage technologies:

Name / key | Type | Purpose | Duration
next-auth.session-token | Strictly necessary | Keeps you signed in | 30 days
next-auth.csrf-token | Strictly necessary | Protects forms from CSRF | Session
conari_unlock | Strictly necessary | Pre-launch site-password gate | 30 days
conari_cookie_consent_v1 | Strictly necessary (localStorage) | Stores your cookie choice | Until cleared
_ga, _ga_* | Analytics (consent-only) | Google Analytics 4 — page views, navigation | 2 years
_gcl_*, IDE, NID | Advertising (consent-only) | Google Ads — conversion attribution, retargeting | Up to 24 months
li_sugr, AnalyticsSyncHistory, UserMatchHistory | Advertising (consent-only) | LinkedIn Insight Tag — campaign measurement, retargeting | Up to 30 days
_fbp, fr | Advertising (consent-only) | Meta Pixel (Facebook/Instagram) — conversion measurement, retargeting | Up to 90 days

Strictly necessary cookies cannot be disabled without breaking the product. Analytics and advertising cookies load only after you click Accept all in the cookie banner — there is no pre-checking and no scripts fire before consent. Clicking Reject all / Essential only blocks all analytics and ad pixels including Google Ads, LinkedIn Insight Tag, and Meta Pixel.

On your first visit a banner asks you to choose. Your choice is stored locally in your browser. You can change or revoke it at any time:

9. California residents (CCPA / CPRA)

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have the rights below. The categories of personal information we collect are listed in Section 2 with the corresponding CCPA category labels.

  • Right to know — what categories of personal information we collect, sources, purposes, and the categories of third parties we disclose to. (See Sections 2, 3, 6.)
  • Right to delete — request deletion of your personal information.
  • Right to correct — request correction of inaccurate information we hold about you.
  • Right to portability — receive a copy of your personal information in a structured, machine-readable format. The dashboard’s essay export is one such mechanism.
  • Right to opt out of sale or sharing — we do not sell your personal information for money. We do, however, allow Google Analytics 4 and the advertising platforms below (Google Ads, LinkedIn Insight Tag, Meta Pixel) to receive identifiers and behavioral data when you accept analytics/marketing cookies, which CPRA treats as “sharing” for cross-context behavioral advertising. The Reject all / Essential only button in our cookie banner exercises this right and prevents all of those tags from loading.
  • Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by CPRA, so this right does not apply in practice.
  • Right of non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised any of these rights.

How to exercise these rights

Click Reject all in the cookie banner (or use Manage cookie preferences above) for opt-out of sharing. For know, delete, correct, or portability requests, email [email protected] with the subject CCPA Request. We will respond within 45 days as required by CCPA. If we cannot verify your identity from your account email, we may request additional information sufficient to confirm you are the consumer whose data is at issue.

Authorized agents

You may designate an authorized agent to make requests on your behalf. We will require written proof of the agent’s authority and may verify directly with you.

Disclosure of personal information for business purposes (12-month look-back): Identifiers (Stripe for billing, our email delivery and hosting providers), customer records (Stripe), internet activity (our security/CDN provider, Google Analytics 4 — consent-only), education information (our AI inference provider). Sharing for cross-context behavioral advertising (consent-only): identifiers and behavioral data shared with Google Ads, LinkedIn Insight Tag, and Meta Pixel when the user has accepted marketing cookies. No sale of personal information for monetary consideration in the past 12 months.

10. EU, UK, EEA, Switzerland, Brazil rights

If you are located in the EU, UK, EEA, Switzerland, or Brazil, you have the rights below under the applicable law (GDPR / UK GDPR / Swiss FADP / Brazilian LGPD). To exercise any right, email [email protected] with the subject Privacy Request. We will respond within 30 days.

  • Access (Art. 15) — get a copy of your personal data we hold
  • Rectification (Art. 16) — correct inaccurate information
  • Erasure / right to be forgotten (Art. 17) — request deletion of your data
  • Restriction of processing (Art. 18) — temporarily limit how we process your data while a dispute is resolved
  • Data portability (Art. 20) — export your data in a machine-readable format
  • Objection (Art. 21) — object to processing based on legitimate interests, including profiling
  • Withdraw consent (Art. 7(3)) — for any processing based on consent (analytics, preference emails). Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Lodge a complaint (Art. 77) — with the data protection supervisory authority in your country (e.g., the ICO in the UK, the CNIL in France, the BfDI in Germany, the ANPD in Brazil). You can also write to us first; we’d prefer to resolve concerns directly.

We do not currently have an Article 27 EU representative. If our EU user base grows enough to require one, we will appoint one and update this policy.

11. Data retention

We retain personal information only as long as needed for the purposes described in this policy, or as required by law.

Data type | Retention
Account & profile data, essays, schools, recommendations | Lifetime of your account; deleted on request within 30 days (plus up to 35 days in encrypted backups)
Payment records (Stripe IDs, plan history) | 7 years after last billing event (tax / accounting law)
Email-send logs (delivery status, bounce reasons) | 12 months
Email suppression list (bounced / complained addresses) | Indefinite while account is active, to protect deliverability reputation
AI usage telemetry (counts, costs) | 12 months in aggregated form; per-call rows pruned after 90 days
Server / CDN access logs | 30 days
Backups | 35 days rolling, then deleted

You can request deletion of your account and personal data at any time from Dashboard → Settings → Delete account, or by emailing [email protected].

12. Data security

Our security measures include:

  • TLS 1.2+ encryption for all data in transit (terminated at our CDN edge)
  • Encryption at rest in our cloud database (provider-managed keys)
  • Passwords stored using bcrypt (cost factor 12)
  • Rate limiting on authentication and password-reset endpoints
  • Single-use, time-bound tokens for password reset and email verification
  • Webhook signature verification for Stripe and our email provider
  • Strict admin allowlist (ADMIN_EMAILS env) for internal dashboards
  • Access to production database limited to a small number of operators on a need-to-know basis

We are not currently SOC 2 or ISO 27001 certified. We will pursue certification when our customer base or contracts require it.

Breach notification: if we become aware of a personal-data breach affecting you, we will notify you and, where required, the relevant supervisory authority within 72 hours of becoming aware, in accordance with GDPR Art. 33–34 and applicable state breach-notification laws.

13. Children’s privacy

Conari is intended for users aged 16 and older. We do not knowingly collect personal information from children under 16.

Many of our users are high school students between 16 and 18. We strongly recommend that users in this age range involve a parent or guardian when reviewing university choices, financial-aid information, and essays.

Under COPPA (US), we do not knowingly collect personal information from children under 13. Under GDPR, the age of digital consent varies by member state from 13 to 16; we apply the higher 16 threshold globally for simplicity. If you believe a child under 16 has provided us information, please contact [email protected] and we will delete it promptly.

14. Changes to this policy

We may update this Privacy Policy. The Effective date at the top reflects the latest version. For material changes (e.g. new processing purposes, new data categories, changes to international transfers), we will notify you by email or a prominent banner at least 30 days before the change takes effect. Continued use of Conari after the effective date constitutes acceptance of the updated policy.

15. Governing law & severability

This policy is governed by the laws of the State of Delaware, United States, without regard to its conflict-of-laws principles. Statutory rights of consumers under the laws of their place of residence (including the GDPR, UK GDPR, CCPA/CPRA, and similar laws) apply regardless and are not waived by this clause.

If any part of this policy is found to be unenforceable, the remaining provisions remain in full effect.

16. Contact us

For privacy questions, data requests, or to exercise any of the rights above, email [email protected] with the subject Privacy Request (or CCPA Request for California-specific requests). We aim to acknowledge within 5 business days and respond fully within 30 days (45 for CCPA).