Data Handling Policy

1. Identity & Contact Details

The data controller responsible for the personal data you provide to this platform is:

Aruksworld LLC
United States of America
Email: privacy@aruksworld.com
Data Protection Contact: dpo@aruksworld.com

For EU/UK GDPR purposes Aruksworld LLC acts as the data controller. For processing activities carried out on our behalf by third parties, those parties act as data processors.

2. Scope & Applicable Laws

This policy applies to all personal data processed through the Aruksworld website, mobile interfaces, APIs, and any associated services (collectively, the "Platform"). It addresses obligations under:

GDPR EU General Data Protection Regulation (Regulation 2016/679)
UK GDPR UK General Data Protection Regulation & Data Protection Act 2018
LGPD Brazil Lei Geral de Proteção de Dados (Law 13,709/2018)
PIPEDA Canada Personal Information Protection and Electronic Documents Act
PDPA Singapore / Thailand Personal Data Protection Act
POPIA South Africa Protection of Personal Information Act
APPI Japan Act on the Protection of Personal Information
CCPA/CPRA California Consumer Privacy Act / California Privacy Rights Act
FERPA Family Educational Rights and Privacy Act
COPPA Children's Online Privacy Protection Act
CAN-SPAM Controlling the Assault of Non-Solicited Pornography and Marketing Act
VCDPA Virginia Consumer Data Protection Act
CPA Colorado Privacy Act
CTDPA Connecticut Data Privacy Act
Meta DSP Meta Platform Developer Policies and Data Use Policy

Where the requirements of multiple laws overlap, we apply the most protective standard.

3. Personal Data We Collect

3.1 Data You Provide Directly

Account data — name, email address, username, password (hashed), country, and user type (student / professional / admin)
Profile data — academic background, study interests, target degree level, preferred countries
Communication data — messages sent via contact forms, live chat, or support tickets
Payment data — billing name and address; card details are tokenised by Stripe and never stored on our servers
Newsletter & consent data — email subscription status and marketing preferences

3.2 Data Collected Automatically

Log data — IP address, browser type, operating system, referring URL, pages visited, timestamps
Device data — device identifiers, screen resolution, language settings
Analytics data — session duration, click-stream, search queries entered on the Platform
Ad interaction data — advertisement impressions, clicks, and deduplication tokens (per-IP, TTL 30 min)
Cookie data — see Section 17

3.3 Data from Third Parties

Social login (Meta / Google) — when you authenticate via a social provider we receive the profile fields you have authorised: user ID, name, email address, and profile picture. We do not receive passwords or private posts.
Public academic data — university names, programme details, rankings, and tuition information sourced from publicly available databases and institutional websites

We do not collect special-category (sensitive) personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data.

4. Legal Basis for Processing

We rely on the following legal bases under GDPR Article 6 (and equivalent provisions in other applicable laws):

Purpose	Legal Basis
Creating and managing your account	Contract (Art. 6(1)(b))
Providing the core education discovery service	Contract (Art. 6(1)(b))
Processing payments for consulting services	Contract (Art. 6(1)(b))
Sending transactional emails (receipts, alerts)	Contract (Art. 6(1)(b))
Marketing communications & newsletters	Consent (Art. 6(1)(a)) — you may withdraw at any time
Analytics & service improvement	Legitimate interests (Art. 6(1)(f)) — subject to your right to object
Fraud prevention & click-fraud protection	Legitimate interests (Art. 6(1)(f))
Legal compliance & responding to lawful requests	Legal obligation (Art. 6(1)(c))
Advertising personalisation (where enabled)	Consent (Art. 6(1)(a))

For users in Brazil (LGPD), the equivalent bases are contract performance, legitimate interest, legal obligation, and consent. For users in Canada (PIPEDA), we rely on express or implied consent as applicable.

5. How We Use Personal Data

Operating, maintaining, and improving the Platform
Personalising university and programme recommendations based on your stated interests
Delivering AI-powered study-abroad guidance and consultation services
Processing payments securely via Stripe
Sending service notifications (account events, application alerts)
Sending newsletters and promotional emails (with your consent)
Detecting and preventing fraudulent ad interactions (click-fraud protection)
Monitoring platform performance and diagnosing technical issues
Complying with legal obligations and responding to lawful authority requests
Enforcing our Terms of Service

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you without your explicit consent.

6. Data Sharing & Disclosure

We share personal data only in the following circumstances:

6.1 With Your Consent

When you request information from a university or programme, we may share your name and contact details with that institution at your explicit direction.

6.2 With Data Processors

We engage third-party service providers who process data on our behalf (see Section 7). These providers are contractually bound to process data only as instructed and to implement appropriate security measures.

6.3 Business Transfers

If Aruksworld LLC is involved in a merger, acquisition, or sale of all or part of its assets, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Platform before any such transfer, and you will have the right to object.

6.4 Legal Obligations

We may disclose personal data where required by law, regulation, court order, or other legal process. See Section 16 for our detailed policy on government requests.

6.5 We Do Not Sell Personal Data

Aruksworld does not sell personal data to third parties for their own commercial purposes. This applies to all users globally, including California residents under CCPA/CPRA.

7. Data Processors & Service Providers

The following entities act as data processors on our behalf. Each has been assessed for adequate security and data protection standards, and we maintain a Data Processing Agreement (DPA) or equivalent contractual safeguard with each.

Processor	Purpose	Data Accessed	Location
Stripe, Inc.	Payment processing for consulting services	Billing name, email, payment instrument tokens	United States / EU
Google LLC (Analytics, AdSense)	Audience analytics; display advertising	Pseudonymous usage data, IP address (anonymised), cookie identifiers	United States / Global
Meta Platforms, Inc.	Social login; social sharing features	Meta user ID, name, email, profile picture (only authorised fields)	United States / EU
Mailgun / Email Provider	Transactional & newsletter email delivery	Email address, name, email content	United States / EU

We review our processor list at least annually and update this policy to reflect any changes. Upon written request, we can provide a more detailed list of processors and the relevant DPAs.

8. Meta / Social Platform Data

Meta DSP GDPR Art. 28

8.1 What Platform Data We Receive

When you choose to log in or connect your account via Meta (Facebook/Instagram) we receive only the permissions you explicitly authorise, which may include: your Meta user ID, public name, email address, and profile picture. We do not receive your password, private messages, friend lists, or any data you have not specifically granted.

8.2 How We Use Platform Data

To authenticate you and create or link your Aruksworld account
To pre-populate your profile fields (with your consent)
We do not use Meta Platform Data for ad targeting, third-party sharing, or any purpose beyond the authenticated session

8.3 Data Controller Responsibility

The legal entity responsible for all Meta Platform Data shared with Aruksworld is: Aruksworld LLC, United States of America. As controller, we determine the purposes and means of processing this data in accordance with Meta's Platform Terms and applicable data protection law.

8.4 Sub-processors with Access to Platform Data

No sub-processors receive raw Meta Platform Data. Our hosting infrastructure has indirect access to all application data as the platform on which our database runs; this is governed by our hosting provider's Data Processing Agreement.

8.5 Deletion of Platform Data

You may disconnect your Meta account at any time via your Aruksworld profile settings, which will remove the stored Meta user ID and associated token. You may also request full deletion under Section 12.

9. International Data Transfers

GDPR Ch. V UK GDPR

Aruksworld is based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data-transfer restrictions, your data may be transferred to and processed in the United States and other countries that may not provide the same level of data-protection law as your home country.

We safeguard such transfers using one or more of the following mechanisms:

EU Standard Contractual Clauses (SCCs) — adopted in agreements with EU-based processors
UK International Data Transfer Agreement (IDTA) — for transfers to and from the UK
Adequacy decisions — where the European Commission or UK ICO has recognised the destination country as providing adequate protection
Data Privacy Framework (DPF) — we work preferentially with US processors certified under the EU-US DPF and UK Extension

You may obtain a copy of the relevant transfer safeguards by contacting privacy@aruksworld.com.

10. Retention & Deletion

Data Category	Retention Period	Basis
Account & profile data	Duration of account + 3 years after deletion request	Contract; legal obligation
Transaction & payment records	7 years from transaction date	US tax & accounting law; EU VAT Directive
Communication records (support)	3 years from last interaction	Legitimate interests (dispute resolution)
Server & access logs	90 days rolling	Security & fraud prevention
Ad click deduplication tokens	30 minutes (auto-purged)	Fraud prevention
Analytics data (aggregated)	26 months (Google Analytics default)	Legitimate interests
Email marketing consent records	Duration of consent + 3 years	Legal compliance (consent evidence)

At the end of each retention period, data is securely deleted or anonymised so it can no longer be linked to an individual.

11. Security Measures

We implement technical and organisational measures appropriate to the risk, including:

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS enforced).

Encryption at Rest

Database storage is encrypted at rest. Passwords are stored as bcrypt hashes; plaintext passwords are never stored.

Access Controls

Role-based access control (RBAC) restricts data access to authorised personnel only. Admin actions are logged.

Fraud & Abuse Prevention

Rate limiting, CSRF protection, click-fraud deduplication, and real-time alert systems are in place.

Breach Response

We maintain an incident response plan. Data breaches affecting your rights will be reported to relevant supervisory authorities within 72 hours (GDPR Art. 33) and to you without undue delay where required.

Regular Audits

Security assessments, dependency audits, and policy reviews are conducted at least annually.

12. Your Data Rights

Depending on your location, you may have some or all of the following rights. To exercise any right, contact privacy@aruksworld.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice).

Right of Access

Request a copy of the personal data we hold about you. GDPR UK GDPR

Right to Rectification

Correct inaccurate or incomplete personal data. GDPR UK GDPR

Right to Erasure

Request deletion of your personal data where there is no compelling reason for continued processing. GDPR UK GDPR CCPA

Right to Restriction

Request that we restrict processing of your data in certain circumstances. GDPR

Data Portability

Receive your data in a structured, machine-readable format. GDPR UK GDPR

Right to Object

Object to processing based on legitimate interests, including direct marketing. GDPR UK GDPR

Opt Out of Sale/Sharing

We do not sell data, but you may opt out of any data sharing for cross-context behavioural advertising. CCPA/CPRA

Withdraw Consent

Withdraw previously given consent at any time without affecting the lawfulness of prior processing. GDPR

We will not discriminate against you for exercising any of these rights. We may need to verify your identity before processing your request.

13. California Residents — CCPA / CPRA

CCPA CPRA

If you are a California resident, the California Consumer Privacy Act (as amended by CPRA) provides you with specific rights regarding your personal information:

Categories of Personal Information Collected (Cal. Civ. Code § 1798.100)

Identifiers — name, email address, IP address, account ID
Internet or other electronic network activity — browsing history on the Platform, search queries, ad interactions
Geolocation data — country inferred from IP (coarse; not precise GPS)
Commercial information — consulting services purchased
Inferences — educational preferences drawn from your profile and search history

Your CCPA Rights

Right to Know — request disclosure of the categories and specific pieces of personal information collected, the sources, the business purpose, and the categories of third parties with whom it is shared
Right to Delete — request deletion of personal information we have collected from you
Right to Correct — request correction of inaccurate personal information
Right to Opt Out — opt out of the sale or sharing of personal information (we do not sell data)
Right to Limit Use of Sensitive Personal Information — limit use of sensitive PI to what is necessary for the service
Right to Non-Discrimination — we will not penalise you for exercising any CCPA right

To submit a verifiable consumer request, email privacy@aruksworld.com with the subject line "CCPA Request". We respond within 45 days, extendable by a further 45 days where necessary.

You may designate an authorised agent to make a request on your behalf. We will require written proof of authorisation and may verify your identity directly.

14. Children's Privacy (COPPA)

COPPA

The Platform is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are under 13 years old, please do not use the Platform or submit any personal information.

If we learn that we have inadvertently collected personal information from a child under 13, we will delete that information promptly. If you believe we may have collected information from a child under 13, please contact us at privacy@aruksworld.com.

For users between 13 and 18 years old, we encourage parents and guardians to be involved in their online activities. Parental consent may be required for certain features.

15. Educational Records — FERPA

FERPA

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records maintained by educational institutions. As a discovery platform — not an educational institution — Aruksworld does not directly maintain FERPA-protected records.

However, where users voluntarily share information about their educational background:

We treat such information with the same care as other personal data under this policy
We do not share academic background data with third parties without your consent
If you are a student whose institution uses Aruksworld under an institutional agreement, your institution remains the primary FERPA-responsible entity; we act as a service provider under their data use agreement

16. Government & Law-Enforcement Requests

16.1 Disclosure Record

In the preceding 12 months, Aruksworld has not shared the personal data or personal information of any user with public authorities in response to national security requests (i.e., requests not related to standard criminal-investigation search warrants or court orders).

16.2 Our Policies for Handling Authority Requests

When we receive any request from a government body or law-enforcement agency for user data, we apply the following policies:

Legal Review

Every request is reviewed for legal validity, jurisdiction, and proportionality before any data is disclosed. We require valid legal process (court order, subpoena, search warrant, or national security letter with judicial oversight where required).

Challenge of Unlawful Requests

We reserve the right to — and will where legally and practically possible — challenge requests that we believe to be overbroad, lacking proper legal authority, or otherwise unlawful. We will seek to narrow or quash such requests.

Data Minimisation

We disclose only the minimum personal information necessary to comply with a legally valid request. We will not provide broader access than what is specifically demanded by the legal process.

Documentation

We maintain internal records of all government requests received, including the nature of the request, the legal basis cited, the data disclosed (if any), and the legal reasoning for our response.

16.3 User Notification

Where legally permitted, we will notify affected users prior to disclosing their data in response to a government request, giving them an opportunity to seek legal protection. We will not notify users where we are legally prohibited from doing so (e.g., by a non-disclosure order), but we will record that a request was made.

17. Cookies & Tracking Technologies

We use cookies and similar technologies (local storage, session tokens) on the Platform. The categories we use are:

Category	Purpose	Consent Required?
Strictly Necessary	Session management, CSRF protection, authentication state	No — required for the service to function
Functional	Language preferences, saved search filters	No — legitimate interests
Analytics	Google Analytics (anonymised) — understanding how the Platform is used	Yes (EU/UK users)
Advertising	Google AdSense — serving and measuring contextual ads	Yes (EU/UK users)
Social	Meta Login button — set by Meta when you interact with social features	Yes

You can manage or withdraw cookie consent at any time via your browser settings or our consent manager. Blocking necessary cookies may impair Platform functionality.

18. Policy Changes

We may update this Data Handling Policy from time to time to reflect changes in our practices, legal obligations, or regulatory requirements. When we make material changes, we will:

Update the "Last Reviewed" date at the top of this page
Post a notice on the Platform for at least 30 days
Send a notification email to registered users where the change materially affects their rights or how their data is used

Your continued use of the Platform after notice of changes constitutes your acceptance of the revised policy. If you disagree with the revised policy, you may request account deletion before the effective date.

19. Contact & Complaints

Data Privacy Enquiries

For any questions, access requests, or complaints, contact our data privacy team:

Email: privacy@aruksworld.com

Subject line: "Data Handling / Privacy Request"

We will acknowledge your request within 5 business days and respond substantively within 30 days.

Supervisory Authority Complaints

If you are in the EEA and believe we have not handled your data in accordance with the GDPR, you have the right to lodge a complaint with your local data protection authority (e.g., the Irish Data Protection Commission if you are in Ireland, or the CNIL if you are in France). A full list of EEA supervisory authorities is available at edpb.europa.eu.

UK residents may contact the Information Commissioner's Office (ICO). California residents may also contact the California Privacy Protection Agency (CPPA).

Privacy Policy Terms of Service Back to Home