Privacy Policy
Last updated: May 15, 2026
Short version: We don’t sell your data. Your PDFs never leave your browser. We use your information only to run the service. You can delete everything at any time.
1. Who we are
IvyScore ("we", "us", "our") operates the IvyScore platform at ivyscore.ai, including our website, mobile app, and API. We help students understand and improve their college application competitiveness using AI analysis.
If you have questions about this policy, contact us at privacy@ivyscore.ai.
2. What information we collect
Account information: When you create an account, we collect your name, email address, hashed password, and role (student, parent, counselor).
Application materials: If you upload documents, we extract the text content in your browser using PDF.js. Only the extracted text — never the raw PDF file — is transmitted to our servers for AI analysis. We do not permanently store this text beyond your analysis session unless you are a signed-in user with history enabled.
Analysis results: We store your IvyScore results (scores, tips, college chances) so you can view your history. Free plan results are deleted after 7 days; Pro results after 1 year. You can delete any result at any time.
Usage data: We collect standard server logs including IP addresses, browser type, pages visited, and timestamps. These are used for security, debugging, and understanding how our product is used. Logs are retained for 90 days.
Payment data: Payments are processed by Stripe. We never see or store your full credit card number. We receive a customer ID and subscription status from Stripe.
3. How we use your information
We use your information to:
• Provide and improve the IvyScore service
• Personalise your analysis and recommendations
• Send you account-related emails (receipts, password resets, plan changes)
• Send you the weekly digest and milestone alerts if you have enabled them (Family plan)
• Respond to support requests
• Detect and prevent fraud and abuse
• Comply with legal obligations
We do not use your application materials or transcript content to train AI models. Analysis is performed on-demand using Anthropic's API and results are not retained by Anthropic beyond their standard API terms.
4. FERPA notice
IvyScore is designed to be FERPA-aware. We treat transcript content and educational records with particular care:
• Raw transcript PDFs are never uploaded to our servers
• Only text extracted in your browser is transmitted
• We do not share educational record content with third parties for advertising or analytics
• Students (or parents of students under 18) may request deletion of any stored educational record content at any time by emailing privacy@ivyscore.ai
If you are a school or educational institution using IvyScore under a School plan, additional data processing agreements may apply. Contact us to discuss.
5. Who we share your information with
We share your information only as necessary to operate the service:
Anthropic (AI analysis): Extracted text from your application materials is sent to Anthropic's Claude API for analysis. Anthropic processes this data under their API terms of service and privacy policy. We do not send your name, email, or account information to Anthropic — only the document text.
Stripe (payments): Your email and payment information are processed by Stripe under their privacy policy. We receive only subscription status and a customer ID.
Vercel / hosting infrastructure: Our application is hosted on cloud infrastructure. Hosting providers process data only to the extent necessary to operate the service.
We do not sell, rent, or trade your personal information to any third party. We do not use your data for targeted advertising.
6. Your rights
Depending on your location, you may have the following rights:
• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your account and all associated data
• Portability: Request your analysis history in a machine-readable format
• Objection: Object to certain processing activities
• Withdrawal: Withdraw consent where processing is based on consent
To exercise any of these rights, email privacy@ivyscore.ai. We will respond within 30 days. California residents have additional rights under CCPA — see Section 9 below.
7. Data retention
Account data: Retained while your account is active, plus 30 days after deletion to allow for account recovery.
Analysis results: Free plan — 7 days. Pro plan — 1 year. Family/School — 2 years. Deleted immediately on request.
Application text: Not stored after analysis unless history is enabled. Deleted with your analysis results.
Payment records: Retained for 7 years as required by financial regulations.
Server logs: 90 days.
8. Security
We implement appropriate technical and organisational measures to protect your data:
• All data in transit is encrypted using TLS 1.3
• Passwords are hashed using bcrypt with a work factor of 12 — we cannot recover your password
• Authentication uses short-lived JWTs stored in httpOnly cookies, so scripts running in the page (including any injected through XSS) cannot read them
• We enforce rate limiting on all sensitive endpoints
• Regular security reviews and dependency updates
• Access to production data is restricted to authorised team members only
No security system is perfect. If you discover a vulnerability, please report it responsibly to security@ivyscore.ai.
9. California residents (CCPA)
California residents have the right to:
• Know what personal information is collected and how it is used
• Request deletion of personal information
• Opt out of the "sale" of personal information — we do not sell personal information
• Non-discrimination for exercising CCPA rights
To make a CCPA request, email privacy@ivyscore.ai with the subject "CCPA Request".
10. Children's privacy (COPPA)
IvyScore is intended for students aged 13 and older. If you are under 13, please do not create an account or submit personal information.
For students aged 13-17, we encourage parents to review this privacy policy. The Family plan is designed specifically to allow parents to create and oversee student accounts.
If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will delete it promptly. Contact us at privacy@ivyscore.ai if you believe this has occurred.
11. Cookies
We use minimal cookies:
Strictly necessary: Authentication cookies (access_token, refresh_token), set with the httpOnly, Secure, and SameSite=Strict attributes. These are required for the service to function.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. If you use our service without signing in, no persistent cookies are set.
12. Changes to this policy
We may update this policy from time to time. We will notify you of material changes by email (if you have an account) and by posting the updated policy with a new "Last updated" date. Continued use of the service after the effective date of changes constitutes acceptance of the updated policy.