Legal

Privacy Policy

Last updated: July 2026

The short version

We’re a free tool for UK students. We only collect what’s needed to run your account and your tracker. We never sell your data, never share it with employers, and you can download everything or delete your account in one click from Settings. We comply with the UK GDPR and the Data Protection Act 2018.

Who we are (Data Controller)

The Grid (also “Opportunity Grid”, “we”, “us”) is operated from the United Kingdom. The data controller is Haisem Zeino, trading as Opportunity Grid (sole-trader operation).

Privacy contact: privacy@opportunitygrid.co.uk · general enquiries: use the contact form. We respond to privacy requests within 30 days.

You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.

What we collect

Split by purpose. Everything optional is clearly marked.

  • Required to create an account: email address, and either a password (stored as a bcrypt hash — nobody, including us, can read it) or a Google sign-in token.
  • Auto-created with your account: a profile shell with your display name (defaulted from your email), and auth audit metadata kept by our identity provider (sign-in timestamps, IP address of the sign-in for security).
  • Optional onboarding profile: nationality, fee status, education stage, year group, degree, university, graduation year, subject areas, career interests, and demographic fields you choose to share (ethnicity, gender, religion, household income, first-generation / care-experienced / disability flags). Used only to surface scholarships and opportunities you may be eligible for. Skip any of it freely.
  • Your Grid (functional data): opportunities and scholarships you favourite or track, the stages you set, deadlines you add, private notes (“what went well / even better if”), rejection feedback, and reflections.
  • Uploaded documents: CVs and cover letters you upload, stored in a private storage bucket only your account can access.
  • Contact submissions: if you message us via the contact form, your name, email, the message, any optional details, and the IP address of the request (for spam and abuse prevention).
  • Technical & security data: server logs at our edge provider (IP address, user agent, request URL, timestamp, response code) used to keep the service secure and reliable.

Sign in with Google (if you use it)

If you choose “Sign in with Google” we receive a small set of information from Google to create your account: your email address, basic profile name and your avatar URL. We do not receive your contacts, calendar, drive, or any other Google service data. You can disconnect Google at any time by deleting your account.

What we don't collect

  • No payment details. The Grid is free for students.
  • No advertising trackers, no analytics SDKs, no fingerprinting.
  • No selling, renting or trading your personal data, ever.
  • No special-category data is required — the optional demographic fields are processed on the basis of your explicit consent.

Why we use it (lawful basis under UK GDPR Art. 6)

  • Contract: to provide the account and tracker you signed up for.
  • Legitimate interests: to keep the service secure, prevent abuse (logging IPs, bot challenges), and improve the product. You can object at any time by contacting us.
  • Consent: for optional demographic fields and for any optional email communications you opt in to. Withdraw consent anytime from Settings.

Where your data lives

Account data, profile, tracker data, reflections and uploaded documents are stored on managed cloud infrastructure (Supabase) in the European Union. Web traffic transits through Cloudflare’s global edge network (terminates TLS, applies bot protection); requests may be processed by the geographically closest edge node. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

If you’re in the UK, transfers to the EU rely on the UK’s adequacy decision for the EU. Transfers via Cloudflare and Google (for OAuth) rely on the UK International Data Transfer Agreement / Addendum and EU Standard Contractual Clauses where applicable.

Subprocessors (who else processes your data on our behalf)

We use a small number of carefully chosen processors. Each is bound by a Data Processing Agreement and may only use your data to provide their service to us.

Processor | Purpose | Region | Personal data?
Supabase | Database, authentication, file storage | EU | Yes — all account & tracker data
Cloudflare | Edge hosting, TLS, DDoS protection, Turnstile bot check | Global edge | Yes — IP address & request metadata
Lovable | Application hosting platform | EU | Yes — transit only
Resend | Transactional email (contact-form replies, auth emails) | EU / US | Yes — email address & message body
Google | OAuth sign-in (only if you choose “Sign in with Google”) | EU / US | Yes — email, name, avatar

How long we keep it (retention)

Category | Retention period
Account & profile | Until you delete your account, then a 30-day grace window, then permanently purged.
Tracker entries, notes, reflections, favourites | Same lifecycle as your account.
Uploaded documents (CVs etc.) | Same lifecycle as your account; storage files deleted on purge.
Contact-form submissions | 24 months, then deleted.
IP addresses (contact form & auth events) | 90 days for security / abuse investigation, then deleted or anonymised.
Edge & database server logs | Up to 30 days at Cloudflare; up to 7 days at Supabase (provider defaults).

Cookies & local storage

We only use strictly necessary storage. No analytics cookies, no advertising trackers, no third-party fingerprinting. Specifically:

  • Auth session — stored in your browser’s localStorage so you stay signed in.
  • Cloudflare Turnstile — a short-lived cookie set during the bot challenge on the contact form, used only to verify you’re human.
  • Theme preference — light / dark choice saved locally so it persists.

Because all of these are strictly necessary for the service you asked for, no consent banner is required under PECR (the UK’s cookie law).

Who can access your data

  • You. Always. Row-Level Security on our database means your data is technically isolated from every other user.
  • The subprocessors listed above, only as needed to deliver their service.
  • Authorised administrators of The Grid may access user data on a strict need-to-know basis for: customer support (when you raise a request), security incident response, fraud and abuse prevention, system maintenance and debugging, and to comply with a legal obligation. All such access is logged.
  • We never share your data with employers, universities or any third party for marketing or analytics.

Your rights under UK GDPR (Articles 15–22)

  • Right of access & portability — download a complete JSON export of your data from Settings → Your data & account.
  • Right to rectification — edit any profile field at any time in Settings.
  • Right to erasure — one-click account deletion in Settings. You have 30 days to cancel before the data is permanently purged.
  • Right to restrict / object to processing — email privacy@opportunitygrid.co.uk or use the contact form.
  • Right to withdraw consent — clear the relevant fields in Settings, or delete your account.
  • Right to lodge a complaint with the ICO at ico.org.uk.

We respond to all rights requests within 30 days.

Security

Passwords are stored as one-way bcrypt hashes — no one, including us, can read them. We check new and changed passwords against the Have I Been Pwned breached-password database and reject ones that have appeared in known breaches. The database enforces Row-Level Security so users are technically prevented from reading each other’s data. All traffic is over TLS, data is encrypted at rest, and secrets live in server-only environment variables (never in the browser bundle).

Age requirement

The Grid is intended for users aged 13 or over. This is the UK GDPR threshold for a child being able to consent to information-society services. By creating an account you confirm you meet this requirement. If we learn that an account belongs to someone under 13, we’ll delete it.

Changes

We'll update this page if our practices change. Material changes will be flagged on the homepage.