1. Who We Are
This Privacy Policy describes how Nabu ("we," "our," or "us") collects, uses, discloses, and protects personal information when you use our research opportunity matching platform (the "Service").
Legal Entity: Sole proprietorship
Jurisdiction: Massachusetts, United States
Contact: projectnabu.support@gmail.com
Definitions: "Personal Information" means any data that identifies, relates to, describes, or could reasonably be linked to an identifiable individual.
This Policy applies to all users of our Service, including undergraduate and graduate students, postdoctoral researchers, and other academic professionals. By using the Service, you acknowledge you have read and understood this Policy.
2. What We Collect
2.1 Information You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account Data | Name, email address, password hash | Account creation, authentication |
| Profile Data | Academic background, research interests, CV/resume, transcripts | Generating fit reports, matching |
| Preferences | Notification settings, research area filters | Personalizing your experience |
| Payment Data | Billing name, billing address (processed via Stripe) | Subscription management |
| Communications | Messages sent via support channels | Customer support |
2.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage Data | Pages visited, time on page, feature interactions | Service improvement, analytics |
| Device Data | IP address, browser type, operating system | Security, diagnostics |
| Log Data | API calls, error events, request timestamps | Infrastructure monitoring |
2.3 Information from Third Parties
| Source | Example Data | Purpose |
|---|---|---|
| Google / GitHub OAuth | Name, email, profile picture (upon login) | Social authentication |
| Public research databases | Lab directory listings, faculty profiles | Aggregating research opportunity data |
2.4 Sensitive Data
We do not intentionally collect sensitive personal information (race, religion, health data, biometrics, or political opinions). CVs/resumes you upload may contain such data at your discretion — you should avoid including sensitive information in uploaded documents if you do not wish it to be processed.
2.5 Children's Data
Our Service is not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we discover such data was collected inadvertently, we will delete it promptly. Users aged 13–17 may use the Service only with parental or guardian consent where required by applicable law.
2.6 Academic Records & FERPA
Nabu allows you to voluntarily upload transcripts, CVs, and other academic records to generate personalized research fit reports. These documents are submitted directly by you — they are not obtained from your educational institution. The Family Educational Rights and Privacy Act (FERPA) governs how educational institutions handle student records; it does not directly apply to third-party services like Nabu that receive data from students themselves. However, we handle all academic records with the same care as other personal data under this Policy, including the security commitments in Section 10 and the retention timelines in Section 11.
3. How We Collect Information
We collect information through three channels:
- Voluntary Provision: You provide information when you create an account, upload documents, complete forms, submit support requests, or communicate with us.
- Automatic Collection: Our servers and analytics tools automatically record interactions when you access or use the Service. This includes log files, Vercel Analytics (privacy-preserving, no cookies), and JavaScript tracking.
- Third-Party Sources: We receive information from authentication providers (Google, GitHub) and public research databases used to populate our lab directory.
4. Purposes & Lawful Basis (GDPR)
For users in the European Economic Area (EEA) and the United Kingdom, we process personal data under the following lawful bases (Article 6 GDPR):
| Processing Purpose | Data Categories | Lawful Basis |
|---|---|---|
| Account creation & management | Account Data | Contract necessity (Art. 6(1)(b)) |
| Service delivery (fit reports, matching) | Profile Data, Uploaded Documents | Contract necessity (Art. 6(1)(b)) |
| Payment processing | Payment Data | Contract necessity (Art. 6(1)(b)) |
| Analytics & product improvement | Usage Data, Device Data | Legitimate interest (Art. 6(1)(f)) — to be assessed via LIA prior to EEA processing |
| Security & fraud prevention | Log Data, Device Data | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Email address | Consent (Art. 6(1)(a)) |
| Legal compliance (tax records) | Payment Data | Legal obligation (Art. 6(1)(c)) |
Right to Object (Article 21 GDPR): You have the right to object to any processing based on legitimate interests at any time by contacting projectnabu.support@gmail.com. If we cannot demonstrate compelling legitimate grounds for the processing, we will cease it upon your objection.
Note on Vercel Analytics: Vercel Analytics operates without cookies and collects only aggregate, anonymized data (page views, referrers, device type). No personal identifiers are tracked. For GDPR purposes, this processing falls under legitimate interest with minimal privacy impact.
5. Data Sharing & Third Parties
5.1 Subprocessors
| Subprocessor | Service | Data Shared | Location |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | Account Data, Profile Data, Uploaded Documents | US |
| Stripe Inc. | Payment processing | Payment Data (we do not store full credit card numbers) | Global |
| Vercel Inc. | Hosting, deployment, analytics | Usage Data, Log Data (anonymized) | US |
| Google LLC | AI/LLM report generation (Gemini API) | Profile data (personal identifiers minimized where possible) | US |
5.2 Other Disclosure Circumstances
- Legal Obligations: We may disclose data to law enforcement, regulators, or courts where required by applicable law.
- Corporate Transactions: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you of any change in ownership.
- With Your Consent: We may share data for other purposes with your explicit consent.
5.3 Sale or Sharing of Personal Information
We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioral advertising. If this practice changes, we will update this Policy and provide a "Do Not Sell or Share My Personal Information" mechanism.
6. GDPR Rights (EEA & UK Users)
If you are located in the EEA or the UK, you have the following rights under the GDPR (Articles 15–22):
| Right | Description | How to Exercise |
|---|---|---|
| Right of Access (Art. 15) | Obtain confirmation of whether we process your data and a copy of that data | Submit DSAR via projectnabu.support@gmail.com |
| Right to Rectification (Art. 16) | Correct inaccurate or incomplete personal data | Edit in account settings or email us |
| Right to Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten") | Submit request via account settings or email. Exceptions: legal obligations, establishment of legal claims |
| Right to Restriction (Art. 18) | Limit processing of your data (storage allowed, use restricted) | Submit request via email |
| Right to Data Portability (Art. 20) | Receive your data in a structured, commonly used, machine-readable format (JSON/CSV) | Submit request via email |
| Right to Object (Art. 21) | Object to processing based on legitimate interests or direct marketing | Via account settings (marketing) or email (other objections) |
| Rights re: Automated Decisions (Art. 22) | Not to be subject to solely automated decisions with legal/significant effects | Request human review of AI-generated reports |
Response Time: We respond to all requests within 30 calendar days (Article 12(3)). We may extend by up to 60 additional days where necessary due to complexity or volume — we will inform you of any extension.
Identity Verification: We may request additional information to verify your identity before fulfilling a request. This is a security measure to ensure personal data is not disclosed to unauthorized persons.
Complaint to Regulator: You have the right to lodge a complaint with your local data protection authority (DPA). Contact details for European DPAs are available at edpb.europa.eu.
EU Representative (GDPR Article 27): As a sole proprietor based outside the EEA, we may be required under Article 27 GDPR to designate a representative in the EU for data protection matters. We believe we qualify for the small-scale exception under Article 27(2) given the current scope of our processing activities. As our user base in the EEA grows, we will appoint an EU representative and update this Policy accordingly.
7. CCPA/CPRA Rights (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:
| Right | Description | Details |
|---|---|---|
| Right to Know | Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties | Covers the 12 months preceding your request |
| Right to Delete | Request deletion of personal information held by us and our service providers | Subject to exceptions (complete transactions, detect security incidents, legal compliance) |
| Right to Correct | Request correction of inaccurate personal information | We will use commercially reasonable efforts |
| Right to Opt Out | Opt out of the sale or sharing of personal information for cross-context behavioral advertising | We do not sell or share PI. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link |
| Right to Limit Use of Sensitive PI | Limit use of sensitive personal information to purposes authorized by regulation | We do not collect sensitive PI for purposes beyond those authorized (see Section 2.4) |
| Right to Non-Discrimination | No denial of services, price differences, or different quality for exercising rights | We will not discriminate against you for exercising your CCPA/CPRA rights |
Categories of Personal Information Collected in the Last 12 Months: Identifiers (name, email), professional/educational information (CV, research interests), internet/electronic activity (usage data), geolocation data (IP-based approximate), inferences (research fit scores).
Categories of Personal Information Disclosed for a Business Purpose: Identifiers, professional/educational information (to Supabase for storage, to Google LLC (Gemini API) for report generation).
Response Time: 45 calendar days (extendable by an additional 45 days with notice).
Do Not Track / Global Privacy Control (GPC): We honor Global Privacy Control (GPC) signals transmitted by your browser as an opt-out request. Our Service currently does not respond to traditional Do Not Track (DNT) signals because no uniform standard exists. If a DNT standard is established, we will update our practices.
Authorized Agent: You may designate an authorized agent to submit requests on your behalf. We require proof of authorization (signed permission) and identity verification of both you and the agent.
8. PIPEDA Rights (Canadian Users)
If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs our handling of your data through its 10 Fair Information Principles:
| # | Principle | Our Commitment |
|---|---|---|
| 1 | Accountability | We designate a Privacy Officer responsible for PIPEDA compliance. We are responsible for personal data under our control, including data transferred to third parties. |
| 2 | Identifying Purposes | We identify the purposes of collection before or at the time of collection (see Section 4 above). |
| 3 | Consent | We obtain meaningful consent for collection, use, and disclosure. Express consent is required for sensitive data; implied consent may be used for routine operational data. |
| 4 | Limiting Collection | We collect only the personal information necessary for the identified purposes. |
| 5 | Limiting Use, Disclosure, and Retention | We use and disclose data only for the purposes for which it was collected, unless you provide new consent. We retain data only as long as necessary (see Section 11). |
| 6 | Accuracy | We keep personal data as accurate, complete, and up-to-date as necessary for its intended purposes. |
| 7 | Safeguards | We implement security safeguards appropriate to the sensitivity of the data (see Section 10). |
| 8 | Openness | This Privacy Policy and related practices are readily available for your review. |
| 9 | Individual Access | You may access and challenge the accuracy of your personal information upon request. |
| 10 | Challenging Compliance | You may challenge our compliance with PIPEDA principles. Complaints are investigated and responded to in writing. |
Breach Notification: If a data breach poses a real risk of significant harm to an individual, we will notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals as soon as feasible. We maintain records of all breaches, regardless of severity.
Privacy Officer: Nabu / projectnabu.support@gmail.com
9. International Transfers
Your personal information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from those of your jurisdiction.
When we transfer personal data from the EEA, UK, or Canada to the United States, we rely on the following measures:
- Standard Contractual Clauses (SCCs): We commit to entering into the European Commission's Standard Contractual Clauses (Decision 2021/914) with our subprocessors (Supabase, Vercel, Google LLC (Gemini API), Stripe), all of whom offer DPA/SCC adoption through their dashboards. These agreements will be executed before processing EEA/UK user data at scale.
- UK Safeguards: For UK-originating transfers, we will use the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs.
- Canadian Transfers: Transfers from Canada rely on contractual protections and the comparable-level-of-protection framework under PIPEDA.
Key Locations: Our cloud infrastructure is hosted primarily in the United States (via Supabase on AWS and Vercel on Google Cloud). Data may also be transmitted to Google LLC (US) for AI report generation via the Gemini API.
Questions about transfers? Contact projectnabu.support@gmail.com.
10. Data Security
We implement technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:
| Category | Measures |
|---|---|
| Encryption at Rest | AES-256 encryption for all stored data (databases, file storage, backups) |
| Encryption in Transit | TLS 1.2+ for all network communications; HTTPS enforced site-wide |
| Access Control | Role-based access control (RBAC), multi-factor authentication (MFA) for all administrative access, least-privilege principle |
| Infrastructure | SOC 2-compliant hosting providers (Supabase, Vercel); automatic security patching; network segmentation |
| Monitoring | Intrusion detection; automated anomaly alerting; regular log review |
| Incident Response | Incident response procedures; notification within 72 hours where required by law (GDPR Art. 33) |
| Personnel | Limited data access on a need-to-know basis; documented access logging |
Security Reporting: If you discover a security vulnerability, please report it to projectnabu.support@gmail.com.
11. Data Retention
We retain personal information only as long as necessary to fulfill the purposes described in this Policy, or as required by law.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account Data (name, email, profile) | Duration of account + 90 days | Service delivery; recovery grace period |
| Uploaded Documents (CV, transcripts) | Duration of account | Core service functionality |
| Payment Records (invoices, billing history) | 7 years after transaction | Tax and accounting legal obligations |
| Usage Data (anonymized analytics) | 26 months | Industry standard |
| Support Tickets & Resolution History | 2 years after resolution | Quality assurance; dispute resolution |
| Server Logs (IP, timestamps, endpoints) | 90 days (rolling) | Security monitoring; incident investigation |
| Marketing Preferences & Consent Records | Duration of account + 2 years | Audit trail for consent |
Deletion Commitment: Upon account deletion, we commit to deleting your personal data within 90 days. Backup copies will be purged within the next backup cycle (maximum 30 additional days). We are actively implementing automated deletion workflows to meet this commitment.
Anonymization: Analytics data (Vercel Analytics) is aggregated and anonymized by design. It is no longer considered personal information and may be retained indefinitely.
12. Cookies & Tracking
12.1 How We Use Tracking
Nabu uses Vercel Analytics, which operates without cookies. It collects only anonymized, aggregate data (page views, referrer URLs, device type, browser, and geographic region at the city/country level). No individual identifiers, session IDs, or persistent tracking mechanisms are used.
No cookies are set by the Nabu platform for analytics or tracking purposes. Session cookies may be used strictly for authentication and platform security.
12.2 Cookie Categories
| Category | Examples | Purpose | Consent Required? |
|---|---|---|---|
| Strictly Necessary | Session cookie, CSRF token, auth token | Authentication, platform security, load balancing | No (ePrivacy Art. 5(3) exception) |
| Functional | — (not currently used) | User preferences | Yes — if added in future |
| Analytics | — (Vercel Analytics is cookieless) | Usage measurement | Not applicable (no cookies) |
| Marketing | — (none deployed) | Advertising | N/A |
12.3 Future Cookie Use
If we add any cookies beyond strictly necessary ones in the future, we will:
- Notify you via an updated Policy
- Deploy a cookie consent banner with granular controls
- Obtain prior consent before placing non-essential cookies (ePrivacy Directive)
- Provide "Accept All" and "Reject All" options with equal prominence
- Log consent records (timestamp, consent scope)
- Allow withdrawal of consent at any time
13. AI & Automated Decisions
Our Service uses artificial intelligence (Google LLC's Gemini API) to generate research fit reports, recommendation scores, and action steps based on your profile.
13.1 AI Processing Details
| Aspect | Detail |
|---|---|
| AI Provider | Google LLC (Gemini API) |
| Data Sent to AI | Your profile data, research interests, uploaded documents (personal identifiers minimized where possible) |
| Training Data | Your data is not used to train or fine-tune AI models per Google's paid-tier API terms policy |
| Output | Research fit scores, personalized action steps, draft outreach emails |
13.2 AI Disclaimers
- AI-generated reports and recommendations are advisory only. They do not guarantee admission, placement, or acceptance.
- You should independently verify any AI-generated information before relying on it for academic decisions.
- Automated match scores are a suggestion tool and should be interpreted alongside human judgment.
13.3 Right to Human Review (GDPR Art. 22)
Our AI recommendations do not constitute fully automated decisions that produce legal effects concerning you or similarly significantly affect you. However, if you believe an AI-generated output has had a significant effect on your access to the Service or opportunities, you have the right to:
- Request human review of the AI-generated output
- Express your point of view
- Contest the decision
To request human review, contact projectnabu.support@gmail.com with the subject "AI Decision Review."
14. How to Exercise Your Rights
| Method | Details | Response Time |
|---|---|---|
| In-App | Account settings page for data update, deletion, or export | Immediate for self-service actions |
| Email | projectnabu.support@gmail.com — specify the right you wish to exercise and your account email | 30 days (GDPR) / 45 days (CCPA) |
Identity Verification: We may request proof of identity (government ID, proof of address) to prevent unauthorized access to your data. We will use this only for verification and delete it afterward.
| Jurisdiction | Response Timeline | Extension | Fee Policy |
|---|---|---|---|
| GDPR (EEA/UK) | 30 calendar days | Up to 60 days for complexity | Free, unless manifestly unfounded or excessive |
| CCPA/CPRA (California) | 45 calendar days | Additional 45 days with notice | Free for first 2 requests in 12 months |
| PIPEDA (Canada) | 30 days | Up to 90 days with notice | Free |
| Other jurisdictions | 45 days | Reasonable extension | Free |
15. Children's Privacy (COPPA)
Our Service is not directed at children under 13. We comply with COPPA as follows:
- Age Gate: We do not knowingly collect personal information from children under 13.
- Parental Consent: If we learn we have inadvertently collected data from a child under 13 without verified parental consent, we will delete it immediately.
- Discovery Procedure: If you are a parent or guardian and believe your child has provided us with personal information, contact projectnabu.support@gmail.com. We will investigate and delete the data within 30 days.
- Student Users (13–17): Students aged 13–17 may use the Service with parental or guardian consent where required by applicable law. Users under 18 should review this Policy with a parent or guardian.
16. Third-Party Links
The Service may contain links to external websites, including research lab pages, university directories, and third-party tools. This Privacy Policy does not apply to those external sites. We are not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any external site before providing personal information.
The lab directory data displayed in our Service is aggregated from publicly available sources. We do not control the accuracy or completeness of third-party directory data.
17. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs.
| Type of Change | Notification Method | Timing |
|---|---|---|
| Material changes (new data uses, new subprocessors, new rights) | Email notification + in-app banner | At least 30 days before effective date |
| Minor changes (clarity improvements, formatting) | In-app notice + updated "Last Updated" date | Upon publication |
| Regulatory changes (new law compliance) | In-app banner + updated Policy | As required by law |
Re-consent: Where required by law (e.g., new processing purposes require consent under GDPR), we will obtain fresh consent before implementing the change.
Your Continued Use: Your continued use of the Service after the updated Policy takes effect constitutes your acceptance of the changes, where permitted by law.
Previous Versions: Archived versions of this Policy are available upon request at projectnabu.support@gmail.com.
18. Complaints & Regulator Contact
If you believe we have violated your privacy rights, you have the right to file a complaint with the relevant regulatory authority.
| Jurisdiction | Regulator | Contact |
|---|---|---|
| European Union | Your local Data Protection Authority (DPA) | edpb.europa.eu |
| California (US) | California Privacy Protection Agency (CPPA) | cppa.ca.gov |
| Canada | Office of the Privacy Commissioner (OPC) | priv.gc.ca |
Internal Complaint Process: Before filing with a regulator, we encourage you to contact us first at projectnabu.support@gmail.com. We will acknowledge receipt within 7 business days and provide a substantive response within 30 calendar days.