Back to home

Privacy Policy (International) — Study in Türkiye / Study in China / Study in Spain, the Student Portal and the SIT Connect Hub

Last updated: July 16, 2026

This Privacy Policy explains how [COMPANY LEGAL NAME] ("we", "us", "our") collects, uses, shares and protects your personal data when you visit our student-recruitment websites and the Student Portal, contact us, or submit an enquiry, consultation request or application. We help prospective students from around the world find and apply to universities and study programs, so we process personal data to respond to you, give guidance, match you to programs, forward your application to the universities you choose, and measure and improve our services. Because our visitors and some of our service providers and partner universities are located in many different countries, this policy is written to meet the core requirements of the major data-protection laws worldwide and includes a "Your rights by region" section with additional country- and region-specific disclosures. Where a rule specific to your location differs from the general policy, the region-specific section for your location prevails for you. This is a template prepared for review by qualified counsel and is not itself legal advice or a guarantee of compliance. Last updated: [DATE].

1. Who we are and how to contact us

The data controller (also called the "personal information handler" under China's PIPL, "controlador" under Brazil's LGPD, or "veri sorumlusu" under Türkiye's KVKK) responsible for your personal data is [COMPANY LEGAL NAME], [REGISTERED ADDRESS], [COUNTRY].

You can reach us about privacy, or to exercise any of your rights, at [PRIVACY EMAIL] or by post at the address above. Where we have appointed one, our Data Protection Officer / Privacy Officer / Encarregado can be contacted at [DPO EMAIL].

Where we are required by law to designate a local representative or contact point, their details are: EU representative under GDPR Article 27 — [EU REP NAME / ADDRESS / EMAIL]; UK representative under UK GDPR Article 27 — [UK REP NAME / ADDRESS / EMAIL]; Türkiye data controller representative (VERBİS) — [TR REP DETAILS]; China PIPL Article 53 dedicated entity/representative — [CHINA REP DETAILS]. Some of these may not be applicable to us; where they are, they are named here.

2. The personal data we collect

We collect the personal data you give us directly through our enquiry, consultation, and application forms, the Student Portal, live chat, email, and similar channels, together with limited technical data collected automatically when you use our sites.

  • Identity and contact details: your name, email address, phone/WhatsApp number, country of residence and nationality.
  • Study preferences and background: the level, subject, destination and programs you are interested in; academic history; and similar information you choose to share.
  • Application information: the details and supporting documents needed to prepare and submit an application to a university, which can include passport/identity and, in some cases, financial-account details required by the institution.
  • Message content: anything you write in a free-text message, chat, or note, which you should avoid using to share sensitive details you do not want us to process.
  • Technical and usage data: IP address, device and browser information, and interactions with our sites collected through cookies and similar technologies (see "Cookies and similar technologies").
  • Marketing preferences: your consent choices and whether you have subscribed to or opted out of our communications.

3. Sensitive / special-category data

We try to avoid collecting sensitive data. Depending on your country's law, some information can be treated as sensitive — for example information revealing racial or ethnic origin, religious or philosophical beliefs, or health; passport/government-ID numbers and financial-account details; citizenship or immigration status; and any personal data about a child. Sensitive data can also appear unintentionally in free-text messages or uploaded documents.

Where we process sensitive data and the law requires it, we do so only on a permitted condition — typically your explicit or specific consent, or another lawful condition — and, where required (for example under China's PIPL or Brazil's LGPD), we obtain your separate, specific and highlighted consent and tell you why the processing is necessary and how it affects you. Please do not include sensitive information in free-text fields unless it is necessary.

4. How and why we use your data (purposes and legal bases)

We use your personal data for the purposes below. Different laws describe the lawful grounds for processing differently: the EU/UK GDPR and Brazil's LGPD use enumerated "legal bases"; Türkiye's KVKK uses Article 5 grounds; China's PIPL relies mainly on consent and contract necessity and has no "legitimate interests" basis; and US state laws work on a notice-and-transparency (mostly opt-out) model rather than legal bases. The grounds we rely on, as applicable to you, are shown for each purpose.

  • To respond to your enquiry and give you guidance — on the basis of taking steps you request before any contract and/or our legitimate interests (GDPR/UK GDPR/LGPD); contract-necessity or legitimate interest (KVKK); your consent and/or contract necessity (PIPL); and as a disclosed business purpose (US).
  • To match you with suitable universities and programs, and to prepare and forward your application to the universities you choose to apply to — on the basis of performance of the service you request (contract/pre-contractual steps) and, where required for a specific institution or transfer, your consent.
  • To operate, secure, maintain and improve our websites, the Student Portal, and our services, and to prevent fraud and abuse — on the basis of our legitimate interests (where that basis exists) or, where it does not (e.g. PIPL), your consent or another permitted ground.
  • To send you marketing communications (such as newsletters, offers and study updates) and to run non-essential analytics and advertising cookies — only with your consent, which you can withdraw at any time; in the US, subject to your right to opt out of "sale"/"sharing"/targeted advertising.
  • To comply with our legal, tax, accounting and regulatory obligations and to establish, exercise or defend legal claims — on the basis of legal obligation and/or our legitimate interests.
  • We do not use your data for a new, incompatible purpose without giving you further information and, where required, obtaining your consent.

5. Automated decision-making and profiling

We may use tools that help match you to relevant programs or prioritise follow-up. We do not intend to make decisions that produce legal or similarly significant effects about you based solely on automated processing without human involvement. Where any such solely-automated decision-making were to occur, you have rights to be informed about it, to obtain an explanation, to express your point of view, and to request human review or to object, to the extent your local law provides (for example GDPR/UK GDPR Article 22, PIPL Article 24, LGPD Article 20, Quebec Law 25, and applicable US state profiling opt-outs).

For any marketing driven by automated profiling, you can opt out at any time.

6. How we share your data

We share personal data only as needed for the purposes above and under appropriate contracts and safeguards. We do not sell your personal data for money.

  • Universities and program providers you choose to apply to or ask us to contact — so your application or enquiry can be considered. Many of these institutions are located outside your country.
  • Service providers (processors) that support our operations — for example website hosting, the Student Portal, CRM, email delivery, analytics, and communications tools — under written contracts that limit their use of your data to providing services to us.
  • Professional advisers, and public authorities or law-enforcement bodies, where we are legally required or permitted to do so, or to protect our rights or the safety of others.
  • In connection with a business reorganisation, merger or transfer, subject to this policy and applicable law.

7. International data transfers

Because we help students apply to universities around the world, we transfer personal data across borders — both to the universities you choose and to service providers that help us run our sites, some of which are located outside your country and outside the EEA, the UK, Türkiye, and China. Different regimes require different transfer mechanisms, and where more than one applies to you we apply each one cumulatively.

When we transfer personal data internationally, we rely, in order of preference, on: (1) a recognised adequacy decision covering the destination (for example an EU or UK adequacy decision, including the EU-US Data Privacy Framework for certified US recipients); or (2) appropriate safeguards — most commonly the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) for EEA-origin data, the ICO's International Data Transfer Agreement or the UK Addendum for UK-origin data, the KVKK Board's standard contract for Türkiye-origin data, and the China Standard Contract (filed with the CAC) or certification for PIPL-covered data, together with a documented transfer risk/impact assessment and supplementary measures such as encryption where needed; or (3) Binding Corporate Rules for intra-group transfers.

In limited cases — for example when you ask us to send your application to a specific university in a country not covered by one of the above mechanisms — we may transfer your data because it is necessary to perform the service you requested, or on the basis of your explicit, informed consent after we have explained the risks. Under China's PIPL and Brazil's LGPD, where applicable, we will additionally inform you of the overseas recipients and obtain your separate/specific consent before transferring. You can ask us for a copy of the safeguards we use, or details of the mechanism relied on for a given destination, by contacting us at [PRIVACY EMAIL].

8. How long we keep your data (retention)

We keep personal data only for as long as necessary for the purposes described in this policy and to meet legal, accounting and dispute-related obligations, after which we securely delete or anonymise it. We set retention periods per category of data; the periods below are templates to be confirmed against our actual retention schedule and applicable law.

  • Enquiry / consultation data that does not lead to an application: retained while your enquiry is active and for a limited follow-up window afterwards (e.g. up to [12–24] months from last contact).
  • Application data: retained for the duration of the recruitment relationship plus a defined period afterwards to handle re-applications, references, and disputes (e.g. [X] years).
  • Marketing-consent records: retained until you withdraw consent and for a short period afterwards as proof of consent.
  • Cookie / analytics data and consent logs: retained per the lifetimes stated in our cookie information and as needed to demonstrate a valid consent or transfer basis (commonly 12–24 months).
  • Accounting / tax and other legally-mandated records: retained for the statutory period required by applicable law.

9. How we protect your data (security)

We implement technical and organisational measures appropriate to the risk — including encryption in transit and (where appropriate) at rest, access controls, staff training, vendor due diligence, and incident-response procedures — to protect personal data against unauthorised access, loss, misuse, or alteration.

Where required by applicable law, we will notify the competent authority and affected individuals of a personal-data breach or security incident within the timeframes and thresholds set by that law.

10. Cookies and similar technologies

We use cookies and similar technologies (such as pixels, SDKs, and local storage) to run our sites, remember your preferences, measure traffic, and — where you allow it — support analytics, advertising and personalisation.

Strictly necessary cookies that are essential to provide a service you have requested do not require consent. We only set non-essential cookies and trackers (analytics, advertising, personalisation) with your prior consent, given through our cookie banner. You can give, refuse, or change your choices at any time using the "Manage cookies" / "Your Privacy Choices" control, and "Reject all" is offered as prominently as "Accept all". Where required, we recognise browser-based opt-out signals such as Global Privacy Control (GPC). Withdrawing consent does not affect processing carried out before you withdrew it. A detailed cookie table listing categories, purposes, providers and durations is available at [COOKIE POLICY LINK].

11. Children's and minors' data

Our services are intended for people who are old enough to apply to higher education and are not directed at young children. Because applicants can nonetheless be minors, we apply heightened protection: we minimise the data we collect from minors, avoid using their data for behavioural advertising or marketing profiling, and present information in clear, age-appropriate language.

The age at which a young person can consent on their own varies by country. Where we rely on consent, a person below the applicable age may only use consent-based features with the authorisation of a parent or guardian, and we make reasonable, risk-proportionate efforts to verify this. The applicable thresholds include, among others: 16 by default in the EEA (lowered by some countries to as low as 13, e.g. 14 in Spain); 13 in the UK; under-14 parental consent under China's PIPL (where a minor under 14's data is treated as sensitive) and under Brazil's LGPD for "children" under 12; under-13 parental consent under US COPPA and opt-in rules for selling/sharing the data of consumers under 16 in California; and under-13 (rest of Canada) / under-14 (Quebec) under Canadian law. Where a stricter rule applies to you, that rule governs. If we learn we have collected a minor's data without the required consent, we delete it promptly.

12. Your rights and how to exercise them

Depending on where you live, you have some or all of the rights below. The specific rights that apply to you, and the exact way they work, are set out in the "Your rights by region" section that follows.

To exercise any right, contact us at [PRIVACY EMAIL]. We may need to verify your identity, and where the law allows it you may use an authorised agent. We respond within the timeframe required by your applicable law (for example, generally within one month under GDPR/UK GDPR, 30 days under KVKK, and the periods set by US state and other laws), and normally free of charge. We will not discriminate or retaliate against you for exercising your privacy rights.

  • Be informed about, and access a copy of, your personal data.
  • Correct / rectify inaccurate or incomplete data.
  • Delete / erase your data, and restrict or object to certain processing, subject to legal exceptions.
  • Data portability, where applicable.
  • Withdraw consent at any time (without affecting processing already carried out), and opt out of marketing at any time.
  • Opt out of the "sale" or "sharing"/targeted advertising of your personal information, and limit the use of sensitive personal information (US states).
  • Object to, or seek human review of, solely-automated decisions that significantly affect you, where applicable.
  • Complain to your local data-protection or privacy authority (see the region sections below).

13. Changes to this policy

We may update this policy from time to time to reflect changes in our practices or the law. We will post the updated version here with a new "Last updated" date and, where required, notify you or seek fresh consent. We review this policy at least every 12 months.

Your rights by region

European Economic Area (EU/EEA)

EU General Data Protection Regulation — Regulation (EU) 2016/679 ("GDPR"), read with the ePrivacy Directive 2002/58/EC (as amended) for cookies and electronic marketing. Applies across the EU and in Iceland, Liechtenstein and Norway.

If you are in the EU/EEA when you contact us, the GDPR applies. We process the data you submit through our forms (name, email, phone, nationality, study preferences and message content) to respond and give guidance (Art. 6(1)(b) pre-contractual steps and Art. 6(1)(f) legitimate interests), to prepare and forward your application to the university you choose (Art. 6(1)(b)), to send marketing only with your consent (Art. 6(1)(a)), and to run non-essential cookies/analytics only with your consent (ePrivacy Art. 5(3)). We rely on Art. 6(1)(c) to meet legal obligations, and where any special-category data is processed we rely on an Art. 9(2) condition (usually explicit consent). We keep data only as long as necessary (Art. 5(1)(e)). We share data with the universities you apply to and with processors (hosting, CRM, email, analytics), some outside the EEA; for international transfers we rely on an adequacy decision (including the EU-US Data Privacy Framework) or the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) with a transfer impact assessment and supplementary safeguards, and you can request a copy. You have the rights listed here; to exercise them contact [PRIVACY EMAIL]. You can also complain to the DPA in your country of residence, work, or where the issue arose (Art. 77) — find yours at edpb.europa.eu — though we welcome the chance to resolve your concern first. Whether we must appoint an EU Article 27 Representative and/or a DPO, and their details, are [to be confirmed and inserted]. This notice is a template for counsel review and is not legal advice.

Your rights:

  • Access to your data and a copy (Art. 15)
  • Rectification of inaccurate/incomplete data (Art. 16)
  • Erasure / 'right to be forgotten' (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Object to legitimate-interests processing, and an absolute right to object to direct marketing (Art. 21)
  • Rights regarding solely-automated decisions with legal/similar effects (Art. 22)
  • Withdraw consent at any time (Art. 7(3))
  • Lodge a complaint with a supervisory authority (Art. 77) and seek a judicial remedy (Arts. 78–79)

Supervisory authority: Your national Data Protection Authority (for example: Ireland — Data Protection Commission, dataprotection.ie; France — CNIL, cnil.fr; Spain — AEPD, aepd.es; Germany — the BfDI and Länder authorities; Netherlands — Autoriteit Persoonsgegevens; Norway — Datatilsynet). A full list is at the European Data Protection Board, edpb.europa.eu.

United Kingdom

UK GDPR (Regulation (EU) 2016/679 as retained in UK law) and the Data Protection Act 2018, with cookies and electronic marketing governed by the Privacy and Electronic Communications Regulations 2003 (PECR). Note: the Data (Use and Access) Act 2025 is amending parts of this framework in phases.

If you are located in the UK, or we monitor your activity while you are in the UK, the UK GDPR and Data Protection Act 2018 apply. We use your form data to respond, guide, match you to programs and universities, forward your application, and measure and improve our marketing. Our legal bases are your consent (marketing and non-essential cookies under PECR), performance of a contract or steps you ask us to take before one, our legitimate interests (subject to a balancing assessment), and legal obligation. Some processors and the universities you apply to are outside the UK; for international transfers we rely on UK adequacy regulations where available, or otherwise the ICO's International Data Transfer Agreement or the UK Addendum to the EU SCCs together with a transfer risk assessment, or a permitted exception such as your explicit consent — you can ask us for a copy of the safeguards. You have the rights listed here; contact [PRIVACY EMAIL] to exercise them. If you are unhappy with our response you can complain to the ICO, though we would welcome the chance to help first. If you are under 13 and in the UK, please ask a parent or guardian to submit the form and consent on your behalf. Whether we must appoint a UK Article 27 representative and/or a DPO is [to be confirmed]. This notice is a template for counsel review and is not legal advice.

Your rights:

  • Be informed, and access your data via a subject access request (Arts. 13–15)
  • Rectification (Art. 16), erasure (Art. 17), and restriction (Art. 18)
  • Data portability (Art. 20)
  • Object to processing, with an absolute right to object to direct marketing (Art. 21)
  • Rights regarding solely-automated decision-making (Art. 22)
  • Withdraw consent at any time (Art. 7(3))
  • Complain to the ICO (Art. 77) and seek a judicial remedy and compensation (Arts. 78–79; DPA 2018 ss.168–169)

Supervisory authority: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; tel 0303 123 1113; ico.org.uk/make-a-complaint.

Türkiye

Personal Data Protection Law No. 6698 ("KVKK") and its secondary legislation, including the amendments to Articles 6 and 9 in force from 1 June 2024, and the VERBİS registry system.

This section applies to visitors located in the Republic of Türkiye. For KVKK, [COMPANY LEGAL NAME] is the data controller (veri sorumlusu); our Türkiye data controller representative and VERBİS registration details, where required, are [to be inserted]. We process the personal data you provide through our forms to respond and advise, match you to programs, submit your application to the universities you choose, and measure our marketing. Our Article 5 bases are, as applicable, contract necessity, our legitimate interests, and compliance with legal obligations; where none applies — and for any special-category data (for example data revealing ethnic origin) and for transfers abroad — we rely on your explicit consent (açık rıza), which you may withdraw at any time. Our privacy notice (aydınlatma metni) is kept separate from any consent text. Some providers (hosting, email, analytics) are outside Türkiye; we transfer data abroad only under an Article 9 mechanism — an adequacy decision, an appropriate safeguard such as the Board's standard contract or binding corporate rules, or, where applicable, your explicit consent after being informed of the risks. We retain data only as long as necessary or as required by law, then erase, destroy or anonymise it under our Retention and Destruction Policy. To exercise your Article 11 rights, apply to us at [KVKK CONTACT / EMAIL]; we respond within 30 days. If unsatisfied, you may complain to the Board (www.kvkk.gov.tr) within 30 days of our response and within 60 days of your application. This notice is a template for counsel review.

Your rights:

  • Learn whether your data is processed and request information about it (Art. 11)
  • Learn the purpose of processing and whether data is used accordingly
  • Know the third parties, in Türkiye or abroad, to whom data is transferred
  • Request rectification of incomplete/incorrect data
  • Request erasure or destruction under Art. 7
  • Have rectification/erasure notified to third parties the data was transferred to
  • Object to adverse outcomes arising solely from automated analysis
  • Claim compensation for damage from unlawful processing
  • Withdraw explicit consent (açık rıza) at any time

Supervisory authority: Personal Data Protection Authority / Board (Kişisel Verileri Koruma Kurulu), Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No: 4, 06520 Balgat, Çankaya/Ankara; www.kvkk.gov.tr.

China (mainland PRC)

Personal Information Protection Law of the People's Republic of China ("PIPL"), effective 1 November 2021, with the CAC's cross-border transfer rules (Security Assessment Measures; China Standard Contract; and the March 2024 Provisions on Promoting and Regulating Cross-Border Data Flows).

This section applies where PIPL governs the processing of your personal information. For this processing, [COMPANY / BRAND LEGAL NAME] is the "personal information handler." We process the information you submit through our forms — including name, contact details, nationality, passport/identity and, where relevant, financial-account details, academic background, study preferences and message content — to respond and guide you, match and refer you to universities and programs, submit and support your applications, and operate and measure our services. Our bases are your consent and, where applicable, contract necessity (Art. 13); PIPL has no "legitimate interests" basis, so we do not rely on one. Marketing and non-essential analytics are carried out only with your consent, which you can withdraw at any time. Some information you give us is "sensitive personal information" (for example passport/identity and financial-account details, and any data about a minor under 14); we process it only with a specific purpose and sufficient necessity, strict safeguards, and — where required — your SEPARATE consent, after informing you of the necessity and impact. If you are under 14, please do not submit personal information without your parent's or guardian's consent; we handle minors' data under dedicated rules. CROSS-BORDER TRANSFER: to respond to you and submit your applications we transfer your information outside the mainland PRC to processors and to the universities you apply to. Before doing so we will inform you of the overseas recipients' identities and contact details, the purpose, means and categories of information, and how to exercise your PIPL rights against them, and obtain your SEPARATE consent. We rely on a mechanism recognised by Art. 38 (for example the China Standard Contract filed with the CAC, a CAC security assessment, or certification), except where a statutory exemption applies (such as a transfer necessary to perform a contract to which you are a party). As we are established outside the mainland PRC, we have designated [name and contact of the China representative/entity under Art. 53] to handle personal-information-protection matters. To exercise any right, withdraw consent, or complain, contact us at [PRIVACY EMAIL]; you may also complain to the CAC or another competent department, or bring a claim before the People's Courts. This notice is a template for counsel review.

Your rights:

  • Know, decide about, and limit or refuse processing of your personal information (Art. 44)
  • Access and obtain a copy of your personal information (Art. 45)
  • Data portability to a handler you designate, where CAC conditions are met (Art. 45)
  • Correct or complete your information (Art. 46)
  • Delete your information (Art. 47)
  • Ask us to explain our processing rules (Art. 48)
  • Withdraw consent, with a convenient method to do so (Art. 15)
  • Refuse decisions made solely by automated means and opt out of profiled marketing (Art. 24)

Supervisory authority: Cyberspace Administration of China (CAC) and other competent departments that perform personal-information-protection duties; complaints may also be made to those departments or brought before the People's Courts.

United States — California and other state privacy laws

California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), enforced by the California Privacy Protection Agency and the California Attorney General, together with comparable comprehensive state laws (e.g. Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana). Federal sector laws such as COPPA also apply.

This section supplements our Privacy Policy for residents of California and other US states with comprehensive privacy laws. We collect identifiers (name, email, phone), your nationality and study preferences, message content, and usage data from cookies and analytics, and use them to respond to you, provide guidance, match you to programs, share your details with the universities and program providers you choose, and measure our marketing. We disclose personal information to service providers under written contracts limiting their use, and to universities you apply to; some recipients are outside the US. If any cookies or ad tools we use constitute a "sale" or "sharing"/"targeted advertising," you may opt out at any time using the "Your Privacy Choices" / "Do Not Sell or Share My Personal Information" link on our site, and we honor Global Privacy Control (GPC) signals. Some information we collect (for example nationality/ethnic origin, immigration or citizenship status, or government-ID/passport details) may be "sensitive personal information"; you may direct us to limit its use, and where your state's law requires it we will obtain your opt-in consent. Subject to your state's law, you have the rights listed here. To exercise them, contact [PRIVACY EMAIL] or [PHONE]; you may use an authorized agent, and we will verify your identity and respond within the required timeframe. We do not knowingly sell or share the personal information of consumers under 16 without opt-in consent (a parent/guardian must consent for those under 13), and we comply with COPPA for children under 13. California residents may contact the CPPA or the California AG; other states' residents may contact their state AG. Note: whether we meet the size/volume thresholds that make these laws apply to us is [to be confirmed by counsel]; these disclosures are provided as conservative best practice. Last updated: [DATE].

Your rights:

  • Know/access the categories and specific pieces of personal information collected, sources, purposes, and third parties (12-month look-back under CCPA)
  • Delete personal information collected from you, subject to exceptions
  • Correct inaccurate personal information
  • Data portability
  • Opt out of the 'sale' or 'sharing' of personal information for cross-context behavioral / targeted advertising
  • Limit the use and disclosure of sensitive personal information
  • Opt out of certain profiling / automated decision-making
  • Non-discrimination for exercising your rights, and the right to appeal a decision on your request

Supervisory authority: California Privacy Protection Agency (cppa.ca.gov) and the California Attorney General (oag.ca.gov/privacy). Residents of other states may complain to their state Attorney General. There is generally no private right of action except CCPA's limited one for certain data breaches.

Brazil

Lei Geral de Proteção de Dados Pessoais (LGPD), Lei nº 13.709/2018, supervised by the Autoridade Nacional de Proteção de Dados (ANPD), including the international-transfer rules under Resolution CD/ANPD nº 19/2024.

If you are located in Brazil, the LGPD governs our processing of your personal data, and this section prevails for you over any conflicting general statement. We act as controller (controlador) of the data you provide through our forms. We process it on the following bases (Art. 7): your consent (Art. 7, I) for optional processing such as marketing and analytics cookies; performance of, or preliminary steps toward, the service you request (Art. 7, V); our legitimate interests in responding to you, improving our services and preventing fraud (Art. 7, IX); and compliance with legal obligations (Art. 7, II). For any sensitive data we rely on Art. 11 (usually your specific, highlighted consent). We share your data with the universities you choose and with providers (hosting, communications, analytics), some outside Brazil; these international transfers are made under an Art. 33 safeguard — recognised adequacy, the ANPD Standard Contractual Clauses (Resolution CD/ANPD nº 19/2024), or your specific and highlighted consent to an international transfer where applicable. You have the Art. 18 rights listed here, plus the right to request review of solely-automated decisions (Art. 20). We do not knowingly process the personal data of children (under 12) without the specific, highlighted consent of a parent or guardian (Art. 14). To exercise any right or ask questions, contact our Data Protection Officer (Encarregado) at [ENCARREGADO NAME / EMAIL]; we respond within the LGPD timeframes. If unsatisfied, you may petition the ANPD (gov.br/anpd, via Fala.BR) or seek redress through consumer-protection bodies and the courts. This notice is a template for counsel review.

Your rights:

  • Confirmation that processing exists and access to your data (Art. 18, I–II)
  • Correction of incomplete, inaccurate or out-of-date data (Art. 18, III)
  • Anonymization, blocking or deletion of unnecessary/excessive or non-compliant data (Art. 18, IV)
  • Data portability (Art. 18, V)
  • Deletion of data processed on consent (Art. 18, VI)
  • Information about the entities with which we shared your data (Art. 18, VII)
  • Information about, and consequences of, refusing consent (Art. 18, VIII)
  • Withdraw consent at any time through a free and simple process (Art. 18, IX)
  • Request review of decisions based solely on automated processing (Art. 20)

Supervisory authority: Autoridade Nacional de Proteção de Dados (ANPD), gov.br/anpd — petitions via the Fala.BR platform (falabr.cgu.gov.br). You may also seek redress through consumer-protection bodies (e.g. PROCON) and the courts.

Canada (including Québec)

Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, and, for Québec residents, the Act respecting the protection of personal information in the private sector as amended by Québec's Law 25. Provincial laws in British Columbia and Alberta may apply to intra-provincial activity.

If you are in Canada, we process your personal information under PIPEDA and, for Québec residents, the Private Sector Act as amended by Law 25. Through our forms we collect your name, contact details, nationality, study preferences and message content and use them, with your knowledge and consent, to respond, guide, match you to programs, and — where you choose to apply — share them with the universities and partners you select, and to measure our marketing. Purposes are identified at or before collection, we ask for consent per purpose in clear language, and we obtain express consent for sensitive information. You may withdraw consent at any time, subject to legal or contractual limits and reasonable notice. Some providers and the institutions you apply to are outside Canada and Québec (including in Türkiye, China, Spain and elsewhere); your information may be processed abroad and become subject to the laws of, and access by authorities in, those jurisdictions. We remain accountable for your information, use contractual and other measures to ensure comparable protection, and — for Québec residents — carry out a privacy impact assessment before communicating personal information outside Québec. You have the rights listed here. We do not knowingly collect personal information from children under 13 (or, in Québec, from a minor under 14) without parental consent, unless clearly for the minor's benefit. To exercise your rights or complain, contact our Privacy Officer at [PRIVACY EMAIL]; if unsatisfied, you may complain to the OPC (priv.gc.ca) or, for Québec residents, the CAI (cai.gouv.qc.ca). Note that PIPEDA does not currently grant a general right to erasure or, outside Québec, a right to portability. This notice is a template for counsel review.

Your rights:

  • Access to your personal information and an account of its use and disclosure
  • Correction of inaccurate, incomplete or out-of-date information
  • Withdraw consent, subject to legal/contractual limits and reasonable notice
  • Challenge our compliance and complain to us, the OPC, or the CAI
  • Data portability (Québec Law 25)
  • De-indexing / cessation of dissemination in certain cases (Québec Law 25)
  • Be informed about, and contest, decisions based exclusively on automated processing (Québec Law 25)

Supervisory authority: Office of the Privacy Commissioner of Canada (OPC), 30 Victoria Street, Gatineau QC K1A 1H3; 1-800-282-1376; priv.gc.ca. For Québec residents: Commission d'accès à l'information du Québec (CAI), cai.gouv.qc.ca.

Everywhere else / your local law

Any other applicable national or regional data-protection or privacy law not specifically named above.

If you are located in a country or region not specifically addressed above, we still handle your personal data in line with the universal core of this policy, and we apply the most protective applicable requirements that your local law provides. This includes being transparent about what we collect and why, using an appropriate mechanism for any international transfer of your data (including to the universities you apply to and to our service providers abroad), keeping your data only as long as necessary, protecting it with appropriate security, and honouring the rights your local law grants you. To exercise your local rights, ask a question, or make a complaint, contact us at [PRIVACY EMAIL]; where your country has a data-protection authority or court remedy, you also retain the right to use it. This notice is a template for counsel review and is not legal advice.

Your rights:

  • The rights your local law grants you — which may include access, correction, deletion, objection, portability, and withdrawal of consent
  • The right to be informed about international transfers of your data and the safeguards used
  • The right to complain to your local authority and, where available, to a court

Supervisory authority: Your local data-protection or privacy authority, where one exists. You can contact us first at [PRIVACY EMAIL] and we will help you identify how to escalate.

This document is a template prepared to support legal review. It is not legal advice and is not a guarantee of compliance with any law. Statutory references, article/section numbers, named authorities, transfer mechanisms, retention periods, and applicability thresholds reflect a good-faith summary of the relevant regimes and must be verified by qualified counsel in each jurisdiction before publication. Where a specific provision is uncertain, it is flagged for confirmation. Placeholders shown in [BRACKETS] must be completed with our actual details before this policy is made public.

Privacy Policy — Study in Türkiye | تحصیل در ترکیه