GDPR Compliant

Data Protection & Your Rights

Understanding how we protect your personal data and your rights under GDPR and the Irish Data Protection Act.

Your Data Protection Rights
Under GDPR, you have the following rights regarding your personal data

Right to Access (Article 15)

You have the right to request a copy of all personal data we hold about you, including your assessment results, profile information, and usage data.

Request Your Data

Right to Erasure (Article 17)

Also known as the "right to be forgotten," you can request complete deletion of your account and all associated data. We will process deletion requests within 30 days.

Request Data Deletion

Right to Rectification (Article 16)

You can update or correct any inaccurate personal information directly in your profile settings or by contacting support.

Right to Restrict Processing (Article 18)

You can request that we limit how we use your data in certain circumstances.

Right to Data Portability (Article 20)

You can receive your data in a structured, machine-readable format to transfer to another service.

Right to Object (Article 21)

You can object to certain types of data processing, including direct marketing.

Under 18? Parental Consent Required
Special protections for students under 18 years old

In accordance with Irish educational guidelines (Circular 0035/2017) and GDPR, students under 18 require parental or guardian consent to access certain assessment features:

  • Personality Profile Assessment requires explicit parental consent before students under 18 can proceed
  • Students 18+ can provide self-consent for all assessment components
  • All consent decisions are logged and can be reviewed or revoked at any time
Contact Our Data Protection Officer
Required under GDPR Article 37 & Irish Data Protection Acts

If you have questions about how we handle your data, want to exercise your rights, or have concerns about data protection, please contact:

Data Protection Contact

CourseCompass

📧 Email: info@coursecompass.ie

🌐 Website: www.coursecompass.ie/data-protection

⏱️ Response Timeframe

We aim to respond to all data protection requests within 30 days as required by GDPR Article 12.

Send Data Protection Request
AI Transparency (EU AI Act 2024)
How we use artificial intelligence in our platform

🤖 Our AI Systems

CourseCompass uses AI-powered analysis to generate personalized course recommendations and subject interest insights. All AI-generated content is clearly labeled as such.

AI Models We Use:

  • • OpenAI GPT-4o-mini for career path analysis
  • • Educational recommendation algorithms
  • • Subject interest matching systems

✅ How We Ensure Safety & Fairness

  • Human Oversight: All AI recommendations are reviewed using educator-validated models
  • Bias Testing: Regular audits to ensure fair recommendations across all demographics
  • Transparency: All AI-generated insights clearly labeled with disclaimers
  • Right to Explanation: You can request details on how recommendations were generated

📋 AI System Risk Classification

Under the EU AI Act, our educational guidance systems are classified as "Limited Risk", requiring transparency obligations which we fulfill through clear labeling and this disclosure.

Record of Processing Activities (GDPR Article 30)
Summary of how we process your personal data

📊 Data Categories Processed

  • • Personal identifiers (name, email, date of birth)
  • • Assessment responses & results
  • • Educational preferences & course selections
  • • Consent records & timestamps

🎯 Processing Purposes

  • • Educational guidance & course recommendations
  • • Platform functionality & user experience
  • • Security & fraud prevention
  • • Legal compliance & consent management

⏰ Data Retention Periods

We retain personal data only as long as necessary:

  • • Active accounts: Duration of service use + 1 year
  • • Inactive accounts: Automatic deletion after 3 years
  • • Consent records: 7 years (legal requirement)
  • • Audit logs: 2 years (security requirement)

🌍 Data Residency & Hosting

All data is hosted within the European Economic Area (EEA) using Supabase's EU infrastructure (Frankfurt/Dublin regions). We do not transfer personal data outside the EEA without adequate safeguards.

🤝 Third-Party Data Processors

  • Supabase (EU): Database & authentication
  • OpenAI: AI analysis (anonymized data only)
  • Resend: Email communications

All processors have signed Data Processing Agreements (DPAs) as required by GDPR Article 28.

How We Protect Your Data
  • Encryption: All data is encrypted both in transit (TLS) and at rest using bank-level security standards
  • Access Control: Strict role-based access with Row Level Security policies ensuring users can only see their own data
  • Audit Logging: All data access by school staff is logged and reviewable
  • No Third-Party Sharing: Your assessment results are never shared with universities, employers, or advertisers
  • Regular Security Audits: Our systems undergo regular security testing and compliance reviews