Privacy Policy

InternationalGPA.com (also known as "iGPA" and accessible at internationalgpa.com and igpa.app) is a product of Insight Digital Agency LLC, a U.S.-based company. We provide a web-based platform that helps international admissions and credential evaluation teams convert international grades into U.S.-style GPAs and use those conversions to support admission, and scholarship decisions.

This Privacy Policy describes how we collect, use, disclose, and protect personal information when:

• Institutional staff use iGPA; and
• Institutions upload or otherwise provide student/applicant data to be processed in the platform.

This Policy applies specifically to iGPA and related support channels (e.g., Support@InternationalGPA.com, security/privacy contact emails, and phone support). System notifications and transactional emails are sent from notifications.internationalgpa.com. This Policy supplements any broader Insight Digital Agency privacy notices.

The data InternationalGPA.com processes depends on how your institution uses the platform.

3.1 Institutional user (staff) data

We typically process:

• Name
• Work email address
• Institution (official/legal) name
• Login / authentication data
• Activity logs (e.g., when evaluations are run)

3.2 Student/applicant data (education records)

Depending on your configuration and workflows, we may process:

• Student/applicant name (if your workflows include it)
• Gender and City of residence (if your workflows include it)
• Country of education, institution attended, and dates of study
• Course lists, grades/marks, credit/volume information
• Calculated GPA(s) and related evaluation outputs
• Other transcript-related academic record fields your institution chooses to submit

Our HECVAT documentation classifies this as Sensitive Data / Level 2 PII under typical university schemes.

3.3 Technical and usage data

We collect limited technical data for security and service operation:

• IP address (server-side only)
• Browser user agent
• Access timestamps

3.4 Optional marketing data

Institutions may optionally include students' gender and/or city of residence for marketing insights. This information is processed with the same security measures as all education records and is never used for purposes beyond what the institution authorizes. We do not infer or profile beyond supplied fields.

We use personal information to:

• Provide, operate, and support the iGPA service (including GPA calculations, reporting, and dashboards).
• Authenticate users and secure accounts (including MFA for administrative access).
• Maintain and improve the service through troubleshooting, performance monitoring, and platform development. Platform improvements use only:
  • De-identified, aggregated usage statistics (e.g., average conversion times by country)
  • Synthetic test data in isolated development environments
  • Technical logs that do not contain student PII
• Enforce our Terms of Service and prevent abuse.
• Comply with legal obligations (e.g., responding to lawful requests, FERPA-related obligations, GDPR/UK GDPR requirements where applicable).

We do not use identifiable student data for marketing, research, or unrelated analytics, and we do not use student/applicant data for third-party advertising.

We may share personal information in the following limited circumstances:

Sub-processors and infrastructure providers

• Supabase (supabase.co) – Managed Postgres database, authentication, and logging; provides encryption at rest and point-in-time recovery.
• Netlify – Primary application hosting.
• Cloudflare Pages – Secondary/failover hosting (serves static assets only during failover events).
• Resend (resend.com) – Email delivery for transactional emails from notifications.internationalgpa.com.
• Unsplash (unsplash.com) – Image hosting for education system cover photos and illustrations. When you view country profile pages, some images are loaded directly from Unsplash's servers. Unsplash may collect technical data (IP address, browser type) as part of standard image delivery. We do not control or have access to this data.

Where required, these providers operate under SCCs or similar mechanisms for cross-border transfers. All sub-processors are bound by data protection obligations equivalent to this Privacy Policy and our Data Processing Agreement.

Marketing and CRM (non-student PII)

We use HighLevel (GoHighLevel) for marketing/scheduling related to staff contacts (name, email, etc.) but no student PII is stored in that system.

Legal, safety, and compliance

We may disclose information where we believe in good faith that it is necessary to:

• Comply with applicable laws or lawful requests;
• Protect the rights, privacy, safety, or property of our users, students, or the public; or
• Enforce our agreements.

We do not sell, rent, or lease student or institutional contact lists to third parties.

We maintain an internal list of sub-processors and can provide it to institutional partners upon request.

Retention periods depend on how you use iGPA:

9.1 Definitions

• Cancellation: When a subscription is not renewed at the end of the billing period. The account remains active with limited functionality, and historical data is retained.
• Termination: Permanent closure of an account, triggering data deletion procedures.

9.2 Institutional subscription users

Active subscriptions

• Student/applicant calculation data is retained for up to 3 years by default to support data insights, market intelligence features, and year-over-year comparison reporting in the Dashboard and Teams features.
• Institutions maintain full control and can delete or export data at any time via the platform interface.

Canceled subscriptions (Subscription ended, account active)

When an institutional subscription is canceled:

• Account Status: Account remains active with read-only access to historical data
• Data Retention: All data retained for 90 days after cancellation
• Access: Staff can view historical calculations and export data; cannot create new premium calculations
• Reactivation: Subscription can be reactivated at any time with immediate restoration of full access
• Grace Period: After 90 days, account automatically moves to termination unless reactivated

Terminated accounts (Account closed, data deleted)

Account termination occurs when:

• 90 days have passed since cancellation without reactivation (automatic), OR
• Institution explicitly requests immediate account closure (manual)

Upon termination:

• All institutional data (staff accounts, student records, calculations) permanently deleted within 30 days
• Production systems: Immediate deletion
• Backup systems: Deleted within 30 days (overwritten in next backup cycle)
• Data becomes non-recoverable
• Termination is irreversible

Institution control

Institutions maintain full control and can at any time:

• Export all data via platform interface
• Request immediate termination (bypassing 90-day grace period)
• Delete specific records or student data
• Reactivate canceled subscriptions

9.3 Individual/free user data

Individual users without institutional subscriptions:

• Session data: Not stored on servers; calculations performed client-side when possible
• Temporary data: Any temporary processing data automatically deleted within 7 days
• Account data: If an individual user creates an account, basic profile information (email, name) retained indefinitely unless deletion requested
• Account closure: Can request account deletion by contacting support@internationalgpa.com

9.4 Legal and compliance holds

Notwithstanding the above, we may retain specific data longer when:

• Required by law or legal process (e.g., court order, investigation)
• Necessary to enforce our Terms of Service
• Needed to resolve disputes or investigate suspected fraud/abuse
• Required for regulatory compliance (e.g., financial records for tax purposes)

We will notify you if data subject to a deletion request is under legal hold.

9.5 Communication timeline for cancellations

When a subscription is canceled, we send automated notifications:

• Day 0: Confirmation of cancellation and access retention until period end
• Period end: Notice that 90-day data retention period has begun
• Day 60: Reminder with 30 days remaining to reactivate or export data
• Day 85: Final notice with 5 days remaining before permanent deletion
• Day 90: Confirmation of account termination and data deletion

9.6 Aggregated/de-identified data

We may retain aggregated, de-identified data indefinitely for product improvement, market research, and statistical analysis. This data cannot be re-identified and is not considered personal information under privacy laws.

We do not create local or offline copies of student PII on unencrypted endpoints, and local database dumps containing PII are expressly prohibited by policy.

Retention periods may be refined or agreed in writing with each institution.

If we detect or reasonably suspect unauthorized access, disclosure, or loss of Sensitive Data/PII, our Incident Response Plan is activated.

• We immediately convene the response team (Incident Coordinator and Technical Lead) to confirm scope, contain the incident (including revoking tokens, resetting credentials, and reviewing logs), and eradicate the root cause.
• For FERPA-protected data, we commit to notifying affected universities immediately upon confirmation that unauthorized access or disclosure of PII has occurred, typically via a dedicated secure email channel plus phone follow-up.
• For incidents involving GDPR/UK GDPR data, we assess risk to data subjects and, where required by law, coordinate with counsel to notify the relevant Data Protection Authority (DPA) within 72 hours of becoming aware of the breach.

Our notifications include the nature of the incident, categories of data affected, actions taken, and cooperation with the institution's regulatory obligations.

InternationalGPA.com is not directed to children. Insight Digital Agency does not knowingly collect personal information from persons under 13, and persons under 18 may only use the site with the permission of a parent or guardian.

Student data processed through InternationalGPA.com is supplied by institutions, not collected directly from minors.

We may update this Privacy Policy from time to time. When we do, we will:

• Revise the "Last updated" date above, and
• Where changes are material, provide reasonable notice (for example, via email or in-app notification).