Your privacy matters to us. This policy explains how we collect, use, and protect your data.
Last updated: May 26, 2026
At riftApply, your privacy is fundamental. We only collect what we need, we protect it rigorously, and we never sell it. This policy is written in plain language so you always know exactly what happens to your data.
riftApply ("we", "us", "our") operates the university admissions platform accessible at riftapply.vercel.app. We are committed to protecting the personal data and privacy of all users: students, agents, and university partners alike. This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and your rights regarding your data.
We collect the following categories of personal data:
• Identity data: full name, date of birth, nationality, gender.
• Contact data: email address, phone number, residential address, city, country.
• Account data: username, encrypted password, role (student / agent / university), account status, registration date.
• Academic data: transcripts, diplomas, academic certificates, language test scores (IELTS, TOEFL, PTE, DELF, etc.), personal statements, letters of recommendation, and study preferences.
• Identity documents: passport copies, national identity cards (CNI), visas, uploaded solely for application purposes.
• Company data (agents): business registration documents, company name, address, and agent type.
• University data: institution name, accreditation documents, program lists, logos, website, and location.
• Usage data: IP address, browser type, pages visited, session duration, login timestamps, collected automatically for security and analytics.
• Communication data: messages sent through the Platform between users, agents, and administrators.
We use your personal data strictly for the following purposes:
• To create and manage your account on the Platform.
• To process and submit your university applications.
• To verify the identity and eligibility of agents and universities.
• To communicate with you about the status of your applications, account updates, and support requests.
• To send email notifications including verification codes, application decisions, and important platform updates.
• To detect and prevent fraud, document forgery, and unauthorised access.
• To comply with legal obligations and respond to lawful requests from authorities.
• To improve the Platform through aggregated, anonymised analytics.
We will never sell your personal data to any third party.
All documents uploaded to riftApply, including passports, transcripts, identity cards, and certificates, are stored securely using Cloudinary, an industry-standard cloud storage provider with end-to-end encryption. Documents are:
• Stored with AES-256 encryption at rest.
• Transmitted over HTTPS/TLS encrypted connections.
• Accessible only to authorised personnel and the universities you have applied to.
• Never shared with third parties without your explicit consent, except as required by law.
• Retained for a maximum of 36 months after your last activity, unless you request earlier deletion.
We process your personal data on the following legal bases:
• Contractual necessity: to provide the services described in our Terms of Service.
• Legitimate interests: to prevent fraud, ensure platform security, and improve our services.
• Legal obligation: to comply with applicable laws and regulations.
• Consent: for optional communications and marketing messages; you may withdraw consent at any time.
We share your data only with:
• Partner universities you apply to: only the application data and documents required for that specific application.
• Verified agents acting on your behalf: only with your authorisation.
• Infrastructure providers: MongoDB (database), Cloudinary (file storage), Resend (transactional email), Render (server hosting), all bound by strict data processing agreements.
• Law enforcement or regulatory bodies: only when legally required.
We do not sell, rent, or trade your personal data with any third party for marketing purposes.
We retain your personal data for as long as your account is active, plus a period of 36 months thereafter to comply with legal obligations. Unverified accounts (where email verification was not completed) are automatically deleted after 5 minutes. You may request deletion of your account and associated data at any time by contacting privacy@riftapply.com. Documents specifically uploaded for university applications may be retained for the period required by the receiving institution.
Depending on your jurisdiction, you have the following rights regarding your personal data:
• Right of access: obtain a copy of the data we hold about you.
• Right to rectification: correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): request deletion of your data.
• Right to restriction: request that we limit how we process your data.
• Right to data portability: receive your data in a structured, machine-readable format.
• Right to object: object to processing based on legitimate interests.
• Right to withdraw consent: for any processing based on your consent.
To exercise any of these rights, contact us at: privacy@riftapply.com
riftApply uses strictly necessary cookies for authentication (JWT tokens stored in localStorage) and session management. We do not use third-party advertising cookies or tracking pixels. Usage analytics are collected in an aggregated, anonymised form. You may clear cookies at any time through your browser settings.
The Platform is not intended for children under the age of 16. We do not knowingly collect personal data from persons under 16 without verifiable parental consent. If we discover that a minor has registered without consent, we will delete their account and associated data promptly.
Your data may be processed and stored on servers located outside your country of residence. By using riftApply, you consent to such transfers. We ensure that all international data transfers comply with applicable data protection laws through appropriate safeguards, including standard contractual clauses.
We implement the following technical and organisational security measures:
• All passwords are hashed using bcrypt with salt rounds.
• All API communications are encrypted via HTTPS/TLS.
• Database access is restricted to authorised services only.
• Rate limiting and brute-force protection on all authentication endpoints.
• Automatic deletion of unverified accounts after 5 minutes.
• Regular security audits and vulnerability assessments.
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify registered users via email or an in-Platform notice at least 14 days before any material changes take effect. The "Last updated" date at the top of this page always reflects the current version.
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
Email: privacy@riftapply.com
Support: support@riftapply.com
We aim to respond to all legitimate requests within 30 days.