Also known as the "right to be forgotten," you can request complete deletion of your account and all associated data. We will process deletion requests within 30 days.
You can update or correct any inaccurate personal information directly in your profile settings or by contacting support.
Right to Restrict Processing (Article 18)
You can request that we limit how we use your data in certain circumstances.
Right to Data Portability (Article 20)
You can receive your data in a structured, machine-readable format to transfer to another service.
Right to Object (Article 21)
You can object to certain types of data processing, including direct marketing.
Under 18? Parental Consent Required
Special protections for students under 18 years old
In accordance with Irish educational guidelines (Circular 0035/2017) and GDPR, students under 18 require parental or guardian consent to access certain assessment features:
Personality Profile Assessment requires explicit parental consent before students under 18 can proceed
Students 18+ can provide self-consent for all assessment components
All consent decisions are logged and can be reviewed or revoked at any time
Contact Our Data Protection Officer
Required under GDPR Article 37 & Irish Data Protection Acts
If you have questions about how we handle your data, want to exercise your rights, or have concerns about data protection, please contact:
How we use artificial intelligence in our platform
🤖 Our AI Systems
CourseCompass uses AI-powered analysis to generate personalized course recommendations and subject interest insights. All AI-generated content is clearly labeled as such.
AI Models We Use:
• OpenAI GPT-4o-mini for career path analysis
• Educational recommendation algorithms
• Subject interest matching systems
✅ How We Ensure Safety & Fairness
✓Human Oversight: All AI recommendations are reviewed using educator-validated models
✓Bias Testing: Regular audits to ensure fair recommendations across all demographics
✓Transparency: All AI-generated insights clearly labeled with disclaimers
✓Right to Explanation: You can request details on how recommendations were generated
📋 AI System Risk Classification
Under the EU AI Act, our educational guidance systems are classified as "Limited Risk", requiring transparency obligations which we fulfill through clear labeling and this disclosure.
Record of Processing Activities (GDPR Article 30)
Summary of how we process your personal data
📊 Data Categories Processed
• Personal identifiers (name, email, date of birth)
• Assessment responses & results
• Educational preferences & course selections
• Consent records & timestamps
🎯 Processing Purposes
• Educational guidance & course recommendations
• Platform functionality & user experience
• Security & fraud prevention
• Legal compliance & consent management
⏰ Data Retention Periods
We retain personal data only as long as necessary:
• Active accounts: Duration of service use + 1 year
• Inactive accounts: Automatic deletion after 3 years
• Consent records: 7 years (legal requirement)
• Audit logs: 2 years (security requirement)
🌍 Data Residency & Hosting
All data is hosted within the European Economic Area (EEA) using Supabase's EU infrastructure (Frankfurt/Dublin regions). We do not transfer personal data outside the EEA without adequate safeguards.
🤝 Third-Party Data Processors
• Supabase (EU): Database & authentication
• OpenAI: AI analysis (anonymized data only)
• Resend: Email communications
All processors have signed Data Processing Agreements (DPAs) as required by GDPR Article 28.
How We Protect Your Data
Encryption: All data is encrypted both in transit (TLS) and at rest using bank-level security standards
Access Control: Strict role-based access with Row Level Security policies ensuring users can only see their own data
Audit Logging: All data access by school staff is logged and reviewable
No Third-Party Sharing: Your assessment results are never shared with universities, employers, or advertisers
Regular Security Audits: Our systems undergo regular security testing and compliance reviews