Privacy Policy

Last updated: March 2026

1. Introduction

The Student Blueprint ("we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, store, and protect information when you access or use our platform, website, APIs, and associated services (collectively, the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the practices described herein, you should not use the Service. This policy applies to all users, including students, parents, agency administrators, and any other individuals who interact with the Service.

2. Information We Collect

We collect and process the following categories of information:

2.1 Information You Provide Directly

  • Account Information: Name, email address, phone number, organization name, job title, and role when you create an agency or admin account.
  • Student Assessment Data: Information students provide during the assessment, including but not limited to: full name, email address, parent/guardian email, date of birth, current grade level, school name, home address, GPA and academic records, standardized test scores (PSAT, SAT, ACT, AP, IB), extracurricular activities, leadership positions, competition history, career aspirations, research experience, summer program participation, special talents and abilities, family context (parent professions, sibling information, legacy connections), financial aid needs, personality traits, personal stories and challenges, and time availability.
  • Payment Information: Billing name, billing address, and payment card details. Payment information is collected and processed directly by Stripe, our PCI-compliant payment processor. We do not store, access, or retain full credit card numbers or CVV codes on our servers.
  • Communications: Emails, support requests, feedback, and any other information you provide when contacting us.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, buttons clicked, time spent on pages, assessment completion progress, and navigation patterns.
  • Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, language preferences, and referring URLs.
  • Log Data: Server logs including access times, error logs, API call records, and administrative action audit trails.
  • Cookies and Similar Technologies: Session cookies to maintain your login state and preferences. We use essential cookies only and do not use third-party advertising or tracking cookies.

2.3 Information Generated by Our Service

  • AI-Generated Analysis: Student archetypes, competitiveness scores, personalized roadmaps, college recommendations, career analysis, and all other outputs produced by our AI engine based on student-provided data.
  • Aggregate and De-identified Data: Anonymized, aggregated statistical data derived from user interactions and assessment results, which cannot be used to identify any individual.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, operate, maintain, and improve the assessment platform, generate personalized student roadmaps and recommendations, and deliver downloadable PDF reports.
  • Account Management: To create and manage your account, authenticate your identity, and enforce access controls.
  • Payment Processing: To process payments, manage subscriptions, apply coupons, and handle billing-related communications.
  • Communications: To send transactional emails including assessment results, OTP verification codes, resume codes, invitation links, account updates, billing notifications, and report regeneration alerts. We do not send unsolicited marketing emails.
  • Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.
  • Security and Fraud Prevention: To detect, investigate, and prevent fraudulent transactions, unauthorized access, abuse, and other harmful activities.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
  • Analytics and Improvement: To analyze usage patterns, monitor platform health, and improve the quality and accuracy of our AI analysis and overall Service.

4. Data Sharing and Third-Party Service Providers

We share your data with the following categories of third-party service providers, solely to operate and deliver the Service:

  • Supabase (Database & Infrastructure): Provides PostgreSQL database hosting with row-level security, data storage, and backend infrastructure. Data is stored on servers in the United States.
  • Stripe (Payment Processing): Processes all payment transactions. Stripe is a PCI DSS Level 1 certified payment processor. Payment card data is handled directly by Stripe and is not transmitted through or stored on our servers.
  • Anthropic (AI Analysis): Student assessment data is transmitted to Anthropic's Claude API for AI-powered analysis and report generation. Data sent to Anthropic is processed in accordance with Anthropic's usage policies and is not used to train their AI models. We transmit only the data necessary to generate the analysis.
  • Resend (Email Delivery): Handles transactional email delivery including assessment results, OTP codes, and notifications. Email addresses and message content are shared with Resend solely for delivery purposes.
  • Vercel (Hosting & CDN): Provides application hosting, edge network delivery, and domain management. Server-side code executes on Vercel's infrastructure.

4.1 What We Do Not Do

  • We do not sell, rent, lease, or trade personal information to any third party for any purpose.
  • We do not share personal information with advertisers or ad networks.
  • We do not use personal information for targeted advertising.
  • We do not allow third-party service providers to use your data for their own purposes beyond providing the contracted services to us.

4.2 Agency Access

In our multi-tenant architecture, agency administrators have access only to student data within their own organization. Agency administrators can view assessment responses, AI-generated reports, and student contact information for students enrolled under their agency. Agencies cannot access data belonging to other organizations.

4.3 Legal Disclosures

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to: (a) protect our rights, property, or safety; (b) protect the rights, property, or safety of our users or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) comply with a court order, subpoena, or other legal obligation.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar business transaction, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your information becomes subject to a different privacy policy.

5. Data Security

We implement industry-standard technical and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS) protocols.
  • Encryption at Rest: Database records are stored on encrypted storage volumes.
  • Password Security: Account passwords are hashed using bcrypt with salt before storage. We never store plaintext passwords.
  • Access Controls: Role-based access controls (RBAC) restrict data access to authorized users. Row-level security (RLS) policies in our database enforce tenant isolation, ensuring that agencies can only access their own data.
  • Audit Logging: Administrative actions are logged for security monitoring and accountability.
  • Rate Limiting: API endpoints are rate-limited to prevent abuse, brute-force attacks, and denial-of-service attempts.
  • Secure Headers: Our application enforces security headers including HTTP Strict Transport Security (HSTS), X-Frame-Options, X-Content-Type-Options, and Content Security Policy directives.
  • Input Validation: All user inputs are validated and sanitized, including AI prompt injection protection, to prevent malicious data from being processed.

While we take reasonable precautions to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you acknowledge that you provide your information at your own risk.

6. Data Retention

  • Active Accounts: Assessment data, student records, and AI-generated reports are retained for as long as the associated account (student or agency) remains active.
  • Post-Termination: Upon account cancellation or termination, your data is retained for up to 90 days to facilitate account recovery, resolve disputes, or comply with legal obligations. After the retention period, your data will be permanently and irreversibly deleted from our primary systems.
  • Backup Systems: Data may persist in encrypted backup systems for up to an additional 30 days beyond the primary retention period, after which backups are rotated and overwritten.
  • Legal Hold: We may retain data beyond the standard retention period if required by law, regulatory requirement, or ongoing legal proceedings.
  • Aggregate Data: Anonymized, aggregate statistical data that cannot identify any individual may be retained indefinitely for analytics and service improvement purposes.
  • Email Logs: Email delivery logs (recipient, template, success/failure status) are retained for up to 12 months for troubleshooting and deliverability monitoring.

7. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

  • Right of Access: You may request a copy of the personal information we hold about you.
  • Right of Correction: You may request that we correct inaccurate or incomplete personal information.
  • Right of Deletion: You may request that we delete your personal information, subject to certain exceptions (e.g., legal obligations, fraud prevention).
  • Right to Data Portability: You may request a copy of your data in a structured, commonly used, machine-readable format.
  • Right to Restrict Processing: You may request that we limit the processing of your personal information under certain circumstances.
  • Right to Object: You may object to our processing of your personal information for certain purposes.
  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

Agency administrators can manage student data (view, export, delete) through their admin dashboard. For individual requests or requests that cannot be fulfilled through the dashboard, contact us at hello@thestudentblueprint.com. We will respond to verified requests within 30 days.

8. Children's Privacy

The Service is designed for students in grades 8 through 12, which may include users under the age of 18. We take the privacy of minors seriously.

  • COPPA Compliance: We do not knowingly collect personal information from children under the age of 13 without verifiable parental consent. If you are a parent or guardian and believe your child under 13 has provided personal information to us without your consent, please contact us immediately at hello@thestudentblueprint.com, and we will take steps to delete such information.
  • Parental Involvement: We encourage parents and guardians to be involved in their children's use of the Service. The assessment allows students to provide a parent email address for notification purposes.
  • Data Minimization: We collect only the information necessary to provide the assessment and generate the student's personalized roadmap. We do not collect information beyond what is needed for the Service.
  • No Behavioral Advertising: We do not use children's personal information for behavioral advertising, profiling for commercial purposes, or any purpose unrelated to the educational Service.

9. International Data Transfers

Our Service is operated from the United States, and our data is stored on servers located in the United States. If you access the Service from outside the United States, you understand and consent to the transfer, processing, and storage of your information in the United States, where data protection laws may differ from those in your jurisdiction.

For users in the European Economic Area (EEA), United Kingdom (UK), or other jurisdictions with data transfer restrictions, we rely on standard contractual clauses and/or other lawful transfer mechanisms approved by relevant authorities to transfer data to the United States.

10. Jurisdiction-Specific Disclosures

10.1 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

  • The right to know what personal information we collect, use, disclose, and sell (we do not sell personal information)
  • The right to delete your personal information, subject to certain exceptions
  • The right to opt out of the sale or sharing of personal information (not applicable — we do not sell or share personal information for cross-context behavioral advertising)
  • The right to correct inaccurate personal information
  • The right to limit the use and disclosure of sensitive personal information
  • The right to non-discrimination for exercising your CCPA/CPRA rights

To exercise these rights, contact us at hello@thestudentblueprint.com. We will verify your identity before processing your request.

10.2 European Economic Area and United Kingdom (GDPR)

If you are located in the EEA or UK, we process your personal data under the following legal bases:

  • Contract Performance: Processing necessary to provide the Service you have requested
  • Legitimate Interests: Processing for fraud prevention, security, and service improvement, where these interests are not overridden by your rights
  • Consent: Where we have obtained your explicit consent for specific processing activities
  • Legal Obligation: Processing necessary to comply with our legal obligations

You have the right to lodge a complaint with your local data protection authority if you believe your privacy rights have been violated.

10.3 India (DPDPA)

If you are a resident of India, we process your personal data in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA). You have the right to access, correct, and erase your personal data, as well as the right to nominate a person to exercise your rights in the event of your death or incapacity. For requests, contact us at hello@thestudentblueprint.com.

11. Cookies and Tracking Technologies

We use essential cookies to maintain your session state, authentication status, and user preferences. These cookies are strictly necessary for the operation of the Service and cannot be opted out of while using the platform.

We do not use:

  • Third-party advertising cookies or tracking pixels
  • Cross-site tracking technologies
  • Social media tracking widgets
  • Analytics cookies that track individual user behavior across websites

12. AI Data Processing Practices

When generating student assessments and reports, we transmit student-provided data to Anthropic's Claude AI API. The following practices govern this data processing:

  • Only the data necessary for analysis is transmitted; we do not send entire database records or unrelated personal information.
  • Data sent to the AI provider is processed for the sole purpose of generating the student's assessment report and is not used to train, improve, or fine-tune AI models.
  • We apply input sanitization and prompt injection protection to prevent manipulation of the AI analysis.
  • AI-generated outputs are stored in our database and associated with the student's assessment record.
  • We do not use student data for our own AI training, model development, or any purpose beyond delivering the requested Service.

13. Third-Party Links

The Service may contain links to third-party websites, resources, or services that are not owned or controlled by The Student Blueprint. We are not responsible for the privacy practices, content, or security of any third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify registered users via email for material changes that affect how we use or share personal information
  • Post a prominent notice on our website

Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.

15. Data Protection Officer

For privacy-related questions, data access requests, complaints, or concerns, please contact our data protection team:

The Student Blueprint — Privacy Team
Email: hello@thestudentblueprint.com
Website: thestudentblueprint.com

We will acknowledge your request within 5 business days and provide a substantive response within 30 days. If we need additional time, we will notify you of the reason and expected timeline.