GradsMatch

    Privacy

    Privacy policy

    Plain language. Only what we actually collect, only what we actually do with it.

    Last updated: April 21, 2026

    Who runs GradsMatch

    GradsMatch is an independent project by Antoine Pangas. There is no parent company. See the About page for background. Contact for privacy questions: hello@gradsmatch.com.

    What we collect

    Only what we need to run the site. Categories:

    • Account data - email address and a password hash (or a Google OAuth token if you sign in that way). Stored in Supabase Auth. Used to sign you in, save your profile, and send transactional email (deadline reminders, receipts).
    • Academic profile - values you enter yourself: GPA, test scores, intended major, work experience, program saves. Used to compute your match score against programs. You can delete this at any time from /settings.
    • Resume uploads - if you choose to upload a resume, the file text is processed to extract structured fields (GPA, school, degree, test scores). We do not retain the file or its text after extraction. The extracted fields are written to your academic profile for your review; you can edit or remove any of them at any time. Rate-limited to 3 uploads per hour and 10 per day per user.
    • Saved programs and checklists - row-level per your account. Used to power the "Saved" tab and deadline reminders.
    • Payment metadata - if you subscribe to Pro, Stripe handles the card. We receive subscription status (active, trialing, canceled, renewal dates) and the Stripe customer ID. We never see your card number.
    • Server logs - Vercel's standard edge logs (IP, user agent, requested URL, timestamp). Retained per Vercel's defaults. Used for debugging, abuse detection, and nothing else.

    We do not use analytics tracking beyond Vercel Speed Insights (performance-only, no personal identifiers). No Google Analytics. No Facebook pixel. No session replay.

    We use your data only for the purposes described above. We do not repurpose it for anything unrelated.

    What we share with third parties

    • Supabase (authentication, database hosting). Our primary data store.
    • Stripe (payment processing). Only when you subscribe.
    • Resend (transactional email). For deadline reminders and subscription receipts. Your email address only.
    • Vercel (hosting, edge logs).

    We do not sell or share your data. We do not share application data with schools, admissions consultants, or advertisers. Schools do not pay to rank higher or to appear in your matches. This means we do not "sell" or "share" personal information as those terms are defined under the California Consumer Privacy Act.

    We may disclose information when required by law, valid legal process, or to protect the rights, safety, or property of GradsMatch, our users, or others.

    Legal basis for processing

    If you are in the EU, UK, or another jurisdiction with a GDPR-style framework, we process your personal data on the following bases:

    • Contract - account data, saved programs, payment metadata, and anything needed to operate the service you signed up for.
    • Consent - academic profile fields you enter yourself and resume uploads. You can withdraw consent at any time by editing or deleting your profile from /settings.
    • Legitimate interest - server logs for debugging, abuse prevention, and keeping the service running. We limit this to what is strictly necessary.
    • Legal obligation - retention of billing records where required by tax or financial regulation.

    International transfers

    GradsMatch is operated from the United States. The service providers listed above are also US-based. If you access the service from the EU, UK, or elsewhere, your data is transferred to the US. Transfers rely on the EU-US Data Privacy Framework where the recipient is certified, and on Standard Contractual Clauses otherwise. You can request a summary of the safeguards in place by emailing hello@gradsmatch.com.

    How long we keep things

    • Account data and academic profile - for as long as your account is active, plus up to 30 days in backup snapshots after you delete the account.
    • Saved programs and checklists - same as above, tied to your account.
    • Resume text - not retained. Extraction runs transiently and the text is discarded immediately after.
    • Server logs - approximately 30 days, then automatically purged.
    • Billing records - up to 7 years, as required by tax and financial-records regulations.

    Security and breach notification

    Data is encrypted in transit (HTTPS everywhere) and at rest in our database provider. Access is restricted to the people operating the service. If we ever suffer a breach that is likely to affect your rights or personal data, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay.

    Automated decision-making

    We compute a match score between your academic profile and each program's published requirements. This score is advisory: it helps you decide where to apply, and does not produce any legal or similarly significant effect on you. No school receives your score, and no admissions decision is made by our system.

    Cookies

    We use functional cookies only: Supabase's auth session cookie (keeps you signed in) and a small theme preference in localStorage. No advertising or tracking cookies.

    Your rights

    You can view, export, or delete your data at any time from /settings. For anything you cannot do in-app, email hello@gradsmatch.com. We respond within the periods required by applicable law (generally 30 to 45 days, extendable in complex cases).

    Depending on where you live, you have the following rights over the personal data we hold about you:

    • Access - request a copy of what we hold.
    • Rectification - correct anything that is wrong or incomplete.
    • Erasure - ask us to delete your data (also available directly from /settings).
    • Restriction - ask us to pause processing while a dispute is resolved.
    • Portability - receive your data in a structured, machine-readable format.
    • Objection - object to processing based on legitimate interest.
    • Withdraw consent - at any time, for the bits we processed on consent. Does not affect past processing.
    • Complaint - lodge a complaint with a supervisory authority in your country (for example the ICO in the UK, or your national data-protection authority in the EU).

    California residents additionally have the rights to know what we collect, to delete it, to correct it, to opt out of sale or sharing (we do not sell or share - see above), to limit use of sensitive personal information, and to non-discrimination for exercising any of these rights. See "Do Not Sell or Share My Personal Information" below.

    Do Not Sell or Share My Personal Information

    GradsMatch does not sell personal information and does not share it for cross-context behavioral advertising. There is therefore nothing to opt out of. If this ever changes, we will add a working opt-out mechanism here and update this policy before the change takes effect.

    Children

    GradsMatch is intended for adults applying to graduate programs. We do not knowingly collect data from users under 16. If we learn that a user is under 13, we will delete their account and data promptly.

    Governing law

    This policy and any dispute arising from it are governed by the laws of the State of California, United States, without regard to its conflict-of-laws rules. Nothing in this section removes any rights you have as a consumer under the laws of your own country.

    Changes to this policy

    If we change what we collect or who we share it with, we'll update the last-updated date at the top of this page and, for material changes, notify signed-in users by email.

    See also: terms of use · how we collect program data · contact.