Privacy Policy
Your trust is everything. Here's exactly how we protect your personal information.
Our Zero Spam Guarantee
What Information We Collect
Information You Provide
Information Collected Automatically
What We DON'T Collect
How We Use Your Information
Provide Services
- Match you with grants
- Send deadline reminders
- Improve recommendations
Communicate
- Account notifications
- Grant matches
- Optional updates
Improve Service
- Analyze patterns
- Fix bugs
- Test new features
Your Privacy Rights
Right to Access
Download all your data in JSON or CSV format within 24 hours.
Right to Deletion
Delete your data with a 30-day grace period for recovery.
Right to Correct
Edit your profile and preferences anytime.
Right to Opt-Out
Control email, analytics, and marketing pixels.
Right to Appeal: If we deny your request, you can appeal by emailing privacy@skozo.ai with "Appeal" in the subject.
Special Protections for Students Under 18
We Go Beyond the Legal Minimum
While laws protect students under 13 (COPPA) and under 16 (CCPA), we extend enhanced protections to all users under 18.
Ages 13-15
- Parental consent required for account creation
- No data sale ever (already our policy for all ages)
- Minimal data collection - only what's needed for grants
- No behavioral advertising
Ages 16-17
- Can create accounts independently
- No data sale ever (CCPA requirement + our commitment)
- Easy opt-out of analytics and marketing pixels
- Full transparency - clear privacy policy (that's this!)
Parental Rights (Ages 13-17)
Parents can contact us at privacy@skozo.ai to:
Your Rights by State
While we provide the rights below to all users regardless of location, certain states have specific legal requirements:
Our Commitment: We provide these privacy rights to ALL users, not just those in states with privacy laws. Privacy is a human right, not a legal compliance checkbox.
How We Protect Your Data
Security isn't a feature - it's a requirement. We implement industry-standard protections and continuously monitor for threats.
Encryption
- In Transit: TLS 1.3 encryption for all connections
- At Rest: AES-256 encryption in Supabase
- Passwords: Bcrypt hashing (never stored plain text)
Access Controls
- Row-Level Security: Database enforces user isolation
- Least Privilege: Systems only access what they need
- API Keys: Rotated regularly, never committed to code
Monitoring & Scanning
- Secret Scanning: Automated gitleaks checks on every commit
- SAST: Semgrep security analysis on all code
- Dependency Scanning: Trivy checks for known vulnerabilities
Breach Response
- 72-Hour Notification: GDPR-compliant breach disclosure
- User Alerts: Direct email notification if you're affected
- Public Disclosure: Transparency report within 30 days
Security Audits: We run automated security scans before every deployment and publish results in our monthly transparency reports.
How Long We Keep Your Data
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | While account active | To provide service |
| Grant Preferences | While account active | For grant matching |
| Email Logs | 2 years | Compliance and debugging |
| Analytics Data | 26 months | Google Analytics default |
| Deleted Accounts | 30-day grace period | Allow account recovery |
| Legal Holds | As legally required | Compliance with law |
After the retention period, data is permanently deleted using secure deletion methods. Backups are also purged on a rolling schedule.
Children Under 13 (COPPA)
COPPA Compliance
Our service requires users to be at least 13 years old. We do not knowingly collect personal information from children under 13.
Changes to This Policy
How We Handle Updates
Continued Use: By continuing to use Skozo.ai after policy changes, you accept the updated terms. If you disagree, you can delete your account before changes take effect.
Contact Us
Privacy Team
For data requests, privacy questions, and GDPR/CCPA inquiries
Response time: 24-48 hours (legally required: 45 days max)
General Support
For account help, technical issues, and general questions
Data Protection Officer
Skozo.ai (DBA skozo.ai)
Attn: Data Protection Officer
Email: dpo@skozo.ai
EU/UK users: You have the right to lodge a complaint with your local data protection authority
Questions About Privacy?
We're committed to transparency and answering your questions. Our team typically responds within 24-48 hours.
Complete Privacy Policy (Legal Text)
Last Updated: December 14, 2025
1. Introduction
This Privacy Policy describes how Skozo.ai (operating as skozo.ai) ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our grant discovery and matching service (the "Service"). We are committed to transparency and protecting your privacy rights under applicable laws including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Children's Online Privacy Protection Act (COPPA), and the General Data Protection Regulation (GDPR).
2. Information We Collect
2.1 Information You Provide Directly
When you create an account or use our Service, you provide us with: (a) Account Information: Full name, email address, date of birth (for age verification and student-appropriate grant matching), and school affiliation. (b) Grant Preferences: Academic interests, intended major, financial need indicators, eligibility criteria, and other information relevant to matching you with appropriate grant opportunities. (c) Communication Settings: Email notification preferences, frequency settings, and consent preferences.
2.2 Information Collected Automatically
When you use our Service, we automatically collect: (a) Usage Data: Pages viewed, features used, search queries, grants clicked, time spent on pages, and interaction patterns. (b) Device Information: Browser type and version, operating system, device type, IP address (anonymized for storage), and approximate geographic location (city/state level only). (c) Cookies and Similar Technologies: We use essential cookies for session management and authentication, analytics cookies for understanding usage patterns, and marketing pixels for conversion tracking (with your consent where required).
2.3 Information We Do NOT Collect
We do not collect: Social Security numbers, bank account or payment information, health or medical information, biometric data, precise GPS location, or any other sensitive personal information beyond what is necessary for grant matching.
3. How We Use Your Information
We use your personal information to:
(a) Provide and Improve Services: Match you with relevant grant opportunities, send deadline reminders, provide personalized recommendations, improve our matching algorithms, and enhance user experience. (b) Communicate With You: Send account notifications, grant matches, optional service updates, and respond to your inquiries. (c) Analytics and Research: Analyze usage patterns, test new features, identify and fix bugs, and conduct research to improve our Service. (d) Compliance and Safety: Comply with legal obligations, enforce our terms of service, detect and prevent fraud or abuse, and protect the security of our Service. (e) Marketing: With your consent, track conversions from advertising campaigns using anonymized data.
4. How We Share Your Information
4.1 We NEVER Sell Your Personal Information
We do not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. This applies to all users, with special emphasis on students under 16 (CCPA requirement) and under 18 (our voluntary commitment).
4.2 Service Providers
We share information with trusted service providers who help us operate our Service: (a) Supabase: Database hosting with encryption at rest (b) Vercel: Website hosting and content delivery (c) Trigger.dev: Background job processing for grant notifications. These providers are contractually required to protect your data and may only use it to provide services to us.
4.3 Scholarship Providers
When you click "Apply" on a specific scholarship, we share your name, email, and relevant eligibility information with that scholarship provider only. You have complete control over these applications.
4.4 Analytics and Marketing
We share anonymized, aggregated data with: (a) Google Analytics: For understanding usage patterns (no personally identifiable information). (b) Meta/Facebook Pixel and TikTok Pixel: For conversion tracking only (anonymous data, no PII shared). You can opt out of analytics and block marketing pixels through your account settings or browser.
4.5 Legal Requirements
We may disclose information when required by law, such as in response to valid subpoenas, court orders, or regulatory requests. We will notify affected users unless legally prohibited.
5. Your Privacy Rights
5.1 Rights Available to All Users
Regardless of your location, you have the following rights: (a) Right to Access: Request a copy of your personal information in JSON or CSV format. (b) Right to Delete: Request deletion of your account and associated data, with a 30-day grace period for recovery. (c) Right to Correct: Update inaccurate information through your account settings. (d) Right to Opt-Out: Control email notifications, analytics tracking, and marketing pixels. (e) Right to Appeal: If we deny your request, you can appeal by emailing privacy@skozo.ai with "Appeal" in the subject line.
5.2 Additional Rights for California Residents (CCPA/CPRA)
California residents have additional rights including: (a) Right to Know what categories of personal information we collect, use, disclose, and sell (we don't sell). (b) Right to Limit use of sensitive personal information (we only use it for stated service purposes). (c) Right to Non-Discrimination for exercising your privacy rights. (d) Special protections for users under 16 (no sale of data, enhanced consent requirements).
5.3 Rights for Virginia, Colorado, and Connecticut Residents
Residents of Virginia (VCDPA), Colorado (CPA), and Connecticut (CTDPA) have similar rights to California residents, including access, deletion, correction, data portability, and opt-out of targeted advertising and profiling. Colorado residents additionally benefit from universal opt-out mechanism support (GPC/browser signals).
5.4 Rights for EU/EEA/UK Residents (GDPR)
If you are in the European Economic Area, European Union, or United Kingdom, you have rights under GDPR including: access, rectification, erasure, restriction of processing, data portability, objection to processing, and the right to lodge a complaint with your local supervisory authority.
6. Special Protections for Students Under 18
6.1 Ages 13-15 (Parental Consent Required)
For users aged 13-15, we require verifiable parental consent before account creation. Parents must approve their child's registration. These users receive: (a) No sale of personal data (our policy for all ages). (b) Minimal data collection - only what's necessary for grant matching. (c) No behavioral advertising or profiling. (d) Enhanced privacy protections beyond legal requirements.
6.2 Ages 16-17 (Enhanced Protections)
Users aged 16-17 can create accounts independently but receive enhanced protections: (a) No sale of personal data (CCPA requirement and our commitment). (b) Easy opt-out of analytics and marketing. (c) Full transparency through this clear privacy policy. (d) Right to have parents exercise privacy rights on their behalf.
6.3 Parental Rights
Parents of users under 18 can contact us to: review their child's information, request deletion, refuse further collection, or opt out of non-essential sharing.
7. Children Under 13 (COPPA Compliance)
Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. We require date of birth during registration and automatically reject users under 13. If we learn that we have collected information from a child under 13, we will delete that information within 24 hours. Parents who believe their child under 13 has created an account should contact us immediately at privacy@skozo.ai.
8. Cookies and Tracking Technologies
8.1 Essential Cookies
These cookies are necessary for the Service to function: (a) sb-* (Supabase): Authentication and session management (session duration). (b) _vercel_jwt (Vercel): Website hosting (session duration). These cannot be disabled as they are required for login and core functionality.
8.2 Analytics Cookies
_ga (Google Analytics): Helps us understand usage patterns (2 years duration). You can opt out in account settings.
8.3 Marketing Cookies
These track conversions from our advertising: (a) _fbp (Meta/Facebook): Conversion tracking (90 days). (b) _ttp (TikTok): Conversion tracking (13 months). You can block these via browser settings or ad blockers without affecting core functionality.
9. Data Security
We implement industry-standard security measures to protect your information:
(a) Encryption: TLS 1.3 for data in transit, AES-256 for data at rest in our database. Passwords are hashed using bcrypt and never stored in plain text. (b) Access Controls: Row-level security enforced by our database, least-privilege access for all systems, and regular rotation of API keys. (c) Monitoring: Automated secret scanning on every code commit (gitleaks), SAST security analysis (Semgrep), dependency vulnerability scanning (Trivy), and continuous security monitoring. (d) Breach Response: GDPR-compliant 72-hour notification to authorities, direct email notification to affected users, and public transparency report within 30 days.
10. Data Retention
We retain your information only as long as necessary: (a) Account data and grant preferences: Retained while your account is active. (b) Email logs: Retained for 2 years for compliance and debugging. (c) Analytics data: Retained for 26 months (Google Analytics default). (d) Deleted accounts: 30-day grace period for account recovery, then permanently deleted. (e) Legal holds: Retained as long as legally required. After the retention period, data is permanently deleted using secure deletion methods and purged from backups.
11. International Data Transfers
Your information may be transferred to and processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses for GDPR compliance.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes that affect your rights by email at least 30 days before they take effect. Minor updates (clarifications, typo fixes) go live immediately. All changes are tracked in our public Git repository. Policy changes are documented in our monthly transparency reports. By continuing to use the Service after changes take effect, you accept the updated terms. If you disagree with changes, you may delete your account before they take effect.
13. How to Exercise Your Rights
To exercise any of your privacy rights, contact us at: Email: privacy@skozo.ai. Subject line: Include "Data Request," "Deletion Request," "Opt-Out Request," or "Appeal" as appropriate. We will respond within 24-48 hours (legally required maximum: 45 days). We may ask for verification of your identity before processing requests.
14. Contact Information
For privacy questions, data requests, or to exercise your rights:
Privacy Team: privacy@skozo.ai
General Support: support@skozo.ai
Data Protection Officer: dpo@skozo.ai
Skozo.ai (DBA skozo.ai)
Attn: Data Protection Officer
EU/UK users: You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
15. Effective Date and Acceptance
This Privacy Policy is effective as of December 14, 2025. By using Skozo.ai, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.
Questions or concerns?
We're here to help. Contact our Privacy Team at privacy@skozo.ai