StudyChoice.University – Data Protection Policy
Last updated: 24 June 2025
1. Introduction & Scope
StudyChoice OÜ (hereinafter “StudyChoice”, “we”, “our” or “us”) operates the website https://studychoice.university and provides study-planning, application and placement services for higher‑education institutions across Europe. This Data Protection Policy explains in detail how we collect, use, disclose, store and otherwise process personal data when you:
visit or interact with our website, mobile applications or social‑media pages;
register an account or use our consultancy and placement services;
receive marketing or informational communications from us; or
otherwise provide personal data to us—online or offline.
This Policy applies to all individuals whose data we process (“data subjects”), including prospective students, current students, partner‑institution contacts, website visitors, webinar attendees, and any representatives thereof. It is designed to meet the transparency requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679 – “GDPR”) and the Estonian Personal Data Protection Act (Isikuandmete Kaitse Seadus).
2. Identity & Contact Details of the Controller
The data controller (within the meaning of Article 4 (7) GDPR) is:
StudyChoice OÜ
Company reg. No 14876523
Maakri tn 19/1
10145 Tallinn
Estonia
Phone: +372 699 1234
E‑mail: privacy@studychoice.university
Data Protection Officer (DPO)
We have appointed an external Data Protection Officer whom you may contact for all matters relating to the processing of your personal data and to exercise your rights:
DPO: Mrs Kärt Linnus
E‑mail: dpo@studychoice.university
Postal address as above (please mark “Attn: DPO”)
3. Definitions
Unless expressly stated otherwise, the terms used in this Policy correspond to the definitions in Article 4 GDPR, including but not limited to “personal data”, “processing”, “controller”, “processor”, “recipient”, and “data subject”.
4. Data Protection Principles
We commit to processing personal data strictly in accordance with the fundamental principles set out in Article 5 GDPR:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
5. Categories of Personal Data We Process
Depending on your interaction with StudyChoice, we may process the following categories of personal data:
| Category | Examples |
| --- | --- |
| Identification Data | Given name, family name, date of birth, nationality, gender, passport or national ID details |
| Contact Data | Postal address, e‑mail address, telephone number, messaging‑app handle |
| Academic & Professional Data | Secondary‑school transcripts, higher‑education diplomas, language certificates (IELTS/TOEFL), CV, references, portfolio, work experience details |
| Application Data | Preferred study programme, university preferences, desired start date, tuition‑fee budgets, scholarship applications, essay responses |
| Contract & Financial Data | Service contract details, invoices, payment method, payment status, scholarship or funding information |
| Usage Data | Log files, IP address, browser type & version, device identifiers, pages visited, session duration, referring URLs |
| Marketing Preferences | Newsletter opt‑ins, consent records, communication channel preferences |
| Communication Content | E‑mails, chat transcripts, webinar Q&A, support tickets |
| Special Category Data (processed only if necessary and with explicit consent) | Health or disability information relevant to university accommodations; diversity data for scholarship statistics |

6. Sources of Personal Data
Directly from you: via online forms, uploaded documents, e‑mail, telephone or in‑person meetings.
Automatically collected: through cookies and similar technologies when you visit our website.
Third parties: secondary schools, language‑test providers, referees and partner universities (only with your authorisation).
7. Purposes & Legal Bases for Processing
We process personal data only where a lawful basis under Article 6 GDPR (and, where applicable, Article 9 GDPR) applies. The main purposes and corresponding legal bases are:
| Purpose | Legal Basis | Explanation |
| --- | --- | --- |
| Advisory & placement services | Art. 6 (1)(b) GDPR – performance of a contract | Data is necessary to assess eligibility, prepare applications, liaise with universities and finalise enrolment. |
| Online account management | Art. 6 (1)(b) GDPR | Enables secure login, dashboard functions, document uploads and progress tracking. |
| Communication with you | Art. 6 (1)(b) or (f) GDPR | We respond to enquiries and provide service‑related notifications; legitimate interest in efficient customer service. |
| Scholarship mediation | Art. 6 (1)(b) & Art. 9 (2)(a) GDPR | We may process special‑category data (e.g., health/disability) with your explicit consent where required by scholarship providers. |
| Marketing & newsletters | Art. 6 (1)(a) GDPR – consent | We send information about programmes and events only if you opt in. You can withdraw consent at any time. |
| Website analytics & performance | Art. 6 (1)(f) GDPR – legitimate interest | We analyse usage to improve services, ensure uptime and detect fraud. |
| Regulatory compliance & defence of claims | Art. 6 (1)(c) & (f) GDPR | We retain records for tax/accounting obligations and may process data to establish or defend legal claims. |
| Automated decision‑making (e.g., programme matching scores) | Art. 6 (1)(a) & Art. 22 GDPR | Only with your explicit consent; you may request human review. |

We do not use personal data for purposes that are incompatible with those detailed above without first notifying you and, where required, obtaining your consent.
8. Cookies & Similar Technologies
We use first‑party and third‑party cookies, web beacons and local‑storage technologies to:
operate core site functions (e.g., session management, language settings);
perform analytics (Google Analytics 4, Matomo); and
deliver marketing or social‑media integrations (Meta Pixel, LinkedIn Insight Tag).
A detailed Cookie Notice is presented via our Consent Management Platform (CMP) upon your first visit, allowing you to granularly manage consents in accordance with the ePrivacy Directive and Article 5(3) of the Estonian Electronic Communications Act. You may adjust or withdraw your cookie consents at any time.
9. Disclosure of Personal Data
We share personal data only on a need‑to‑know basis and within the limits of the purposes listed in Section 7:
Partner universities & colleges – to process and monitor your application.
Scholarship bodies & accommodation providers – where you apply through us.
Service providers acting as processors under Article 28 GDPR, including:
cloud hosting & infrastructure (AWS EU, Hetzner DE);
CRM and applicant‑tracking platforms (HubSpot EU data centre);
payment service providers (Stripe Europe, Wise EU);
identity verification and document‑management tools.
Professional advisers – lawyers, auditors, tax consultants.
Authorities – where required under applicable law or to protect our rights.
Corporate transactions – in the event of a merger, acquisition or asset sale, subject to appropriate confidentiality measures.
All processors are bound by written data‑processing agreements in compliance with Article 28 GDPR.
10. International Data Transfers
Where we transfer personal data outside the European Economic Area (EEA), we ensure an adequate level of protection by:
relying on an adequacy decision (Article 45 GDPR) if the destination country is recognised as adequate by the European Commission;
concluding EU Standard Contractual Clauses (SCCs) under Article 46 GDPR with the recipient; and
implementing additional technical and organisational measures where necessary, following the European Data Protection Board’s recommendations.
You may obtain a copy of the relevant safeguards by contacting us at privacy@studychoice.university.
11. Data Retention & Deletion
We retain personal data for as long as necessary to fulfil the purposes outlined in this Policy, unless a longer retention period is required or permitted by law. Typical retention periods include:
- Applicant files: 6 years after the end of the application cycle (for accountability under PSD2 and scholarship audits).
- Contracts & invoices: 7 years to comply with Estonian accounting regulations.
- Marketing consents: until you withdraw consent, plus 3 years for evidence.
- Website logs: 12 months for security and fraud‑prevention purposes.
When retention is no longer justified, data is securely erased or anonymised.
12. Information Security
We maintain state‑of‑the‑art technical and organisational security measures, including but not limited to:
- ISO 27001‑aligned information‑security management system (ISMS);
- TLS 1.3 encryption in transit and AES‑256 encryption at rest;
- multi‑factor authentication (MFA) for administrator accounts;
- role‑based access control (RBAC) & least‑privilege principles;
- regular penetration testing & vulnerability management;
- continuous monitoring, audit logging and incident‑response protocols;
- employee data‑protection training and confidentiality agreements.
13. Your Rights under the GDPR
Subject to the statutory conditions and limitations, you have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (‘right to be forgotten’) (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR) to processing based on legitimate interests or direct marketing
- Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR)
14. Exercising Your Rights
To exercise any of the rights listed above, please contact our DPO via dpo@studychoice.university or write to the postal address provided in Section 2, with proof of your identity. We will respond to your request without undue delay and in any event within one month of receipt, extendable by two further months when necessary pursuant to Article 12 (3) GDPR.
15. Right to Lodge a Complaint
If you believe that the processing of your personal data infringes applicable data‑protection law, you have the right to lodge a complaint with the competent supervisory authority:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39
10134 Tallinn
Estonia
Phone: +372 627 4135
E‑mail: info@aki.ee
Website: https://www.aki.ee
You also have the right to seek a remedy before the civil courts.
16. Automated Decision‑Making & Profiling
We may use automated tools to score your eligibility for certain study programmes or scholarships. Such processing is never solely determinative; a human adviser reviews all recommendations. You may request human intervention, express your point of view and contest the decision at any time (Art. 22 GDPR).
17. Children’s Data
Our services are generally geared toward individuals aged 16 and older. If we learn that we have unintentionally collected personal data from a child under 16 without verifiable parental consent, we will delete that data without undue delay.
18. Updates to This Policy
We may amend this Data Protection Policy from time to time, e.g., to reflect changes in legal requirements or our processing activities. Any changes will be published on this page with a revised “Last updated” date. Where changes are material, we will notify you via e‑mail or prominent notice on our website.
19. Contact
For questions or concerns about this Policy or our privacy practices, please contact privacy@studychoice.university or our DPO as listed above.
© 2025 StudyChoice OÜ. All rights reserved.