Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

Account Information: When you create an account, we collect your name, email address, and the institution you attend.

Degree Audit Data: When you upload your degree audit, we process the academic requirements, completed courses, grades, and degree progress contained in that document. You voluntarily share this information with us, as is your right under FERPA.

Plan and Simulation Data: When you build academic plans, run what-if simulations, or interact with our AI assistant, we collect the inputs, queries, and selections you make.

Communications: If you contact us for support, we collect the content of those communications.

1.2 Information Collected Automatically

Usage Data: We collect information about how you interact with the Service, including features used, pages viewed, simulations run, plans created, and time spent on the platform.

Device and Log Data: We collect standard log information such as IP address, browser type, device type, operating system, and referring URLs.

1.3 Information We Do NOT Collect

We do not collect Social Security numbers, financial aid information, billing or payment information from students, health records, disciplinary records, or any information beyond what is contained in the degree audit you voluntarily upload.

2. How We Use Your Information

Provide the Service: To generate your personalized degree plan, run what-if simulations, power AI assistant responses, and deliver course recommendations based on your specific academic requirements.

Improve the Platform: To understand how students use Ardvarq, identify bugs, improve features, and develop new functionality.

Aggregate Research and Reporting: To produce de-identified, aggregate insights about student academic planning behavior. These aggregate reports never identify individual students. See Section 4 for details.

Communicate With You: To send service-related notifications, respond to support requests, and (with your consent) share product updates.

3. How We Store and Protect Your Data

Infrastructure: Your data is stored on Neon, a managed PostgreSQL platform that uses Amazon Web Services (AWS) infrastructure with encryption at rest (AES-256) and in transit (TLS 1.2+).

Access Controls: Access to student data is restricted to authorized Ardvarq team members who need it to operate and improve the Service. We maintain role-based access controls and audit logs.

Data Retention: We retain your data for as long as your account is active or as needed to provide the Service. You may request deletion at any time (see Section 6).

Breach Notification: In the event of a data breach affecting your personal information, we will notify affected users and any relevant institutions within 72 hours of discovery, consistent with applicable law.

4. How We Share Your Information

We do not sell your personal information. We will never sell individually identifiable student data to any third party, including advertisers, data brokers, or other commercial entities.

4.1 Aggregate and De-Identified Data

We may share aggregate, de-identified data that cannot reasonably be used to identify any individual student. For example, we may report that “43% of Biology students at a given institution explored switching to Public Health” without identifying which students did so. Aggregate reports are subject to minimum cohort sizes (no reporting on groups smaller than 10 students) to prevent re-identification.

4.2 Institutional Partners

When Ardvarq operates under a formal agreement with your institution (e.g., as part of a pilot program), we may share aggregate usage reports with that institution. These reports contain only de-identified, aggregate data unless you have provided explicit consent for individual-level sharing. We will clearly notify you if your institution has a formal partnership with Ardvarq and what data, if any, is shared under that agreement.

4.3 Service Providers

We use third-party service providers to help operate the Service (e.g., cloud hosting, AI model providers, analytics). These providers are contractually obligated to use your data only to perform services on our behalf and to maintain appropriate security measures. Current providers include Neon (database), Google and Microsoft (authentication), Anthropic and DeepSeek (AI model providers), Google (document parsing), and Vercel (hosting).

4.4 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of Ardvarq, our users, or the public.

5. FERPA Compliance

Student-Initiated Sharing: When you upload your degree audit to Ardvarq, you are exercising your right under FERPA to access and share your own education records. Ardvarq does not access institutional systems or receive student data from institutions without appropriate agreements in place.

Institutional Agreements: When Ardvarq partners with an educational institution, we enter into a FERPA-compliant agreement that designates Ardvarq as a “school official” with a “legitimate educational interest” under 34 CFR §99.31(a)(1). These agreements specify the data we may access, the purposes for which it may be used, and our obligations regarding re-disclosure and security.

No Re-Disclosure: We do not re-disclose personally identifiable information from education records to any third party except as permitted by FERPA and authorized under our agreements with institutions, or with your explicit consent.

6. Your Rights and Choices

Access Your Data: You may request a copy of the personal information we hold about you at any time by contacting us at brad@ardvarq.com.

Correct Your Data: You may request correction of any inaccurate personal information by contacting us.

Delete Your Data: You may request deletion of your account and all associated personal data at any time. Upon receiving a verified deletion request, we will delete your data within 30 days, except where retention is required by law or legitimate business need (e.g., aggregate, de-identified data that cannot identify you). To request deletion, email brad@ardvarq.com.

Withdraw Consent: Where we rely on your consent to process data, you may withdraw that consent at any time.

Opt Out of Communications: You may opt out of non-essential communications at any time by using the unsubscribe link in any email or by contacting us.

7. Children's Privacy

Ardvarq is designed for use by college and university students who are 18 years of age or older. We do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will promptly delete that information.

8. Use of Artificial Intelligence

Ardvarq uses AI models to power course recommendations, what-if simulations, and the AI assistant feature. When you interact with these features, the content of your queries and relevant academic data from your uploaded degree audit are sent to our AI provider to generate responses.

We do not use your personal data to train AI models. Your academic data and conversations with the AI assistant are used only to provide you with responses in real time and are not retained by our AI provider for model training purposes.

AI-generated recommendations are informational and do not replace professional academic advising. Students should verify all recommendations with their institution's official academic advisor or registrar.

9. State-Specific Privacy Rights

Colorado Privacy Act (CPA): Colorado residents have the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of certain processing activities. To exercise these rights, contact brad@ardvarq.com.

California (CCPA/CPRA): If applicable, California residents have additional rights regarding their personal information, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell personal information.

12. Payment Information & Purchase Data

12.1 Payment Processing

When you buy access, we collect payment information through Stripe Checkout, including your card number, expiration date, and CVC; your billing name and address; and your email.

Ardvarq does NOT store raw payment card data. Stripe tokenizes and securely stores payment information per PCI DSS Level 1 standards. Ardvarq stores only your Stripe customer reference and the email associated with your purchase.

12.2 Purchase & Billing Data We Retain

We store a record of your one-time purchases (the access purchase and any AI-usage top-ups), their amounts and dates, your Stripe customer reference, and internal AI-usage counters that track how much of your included usage remains. This data is used to provide the Service, show your purchase history and usage indicator, and comply with legal obligations. Nothing renews and there is no recurring billing schedule to retain.

12.3 Refund & Chargeback Processing

If you request a refund, we process it through Stripe to your original payment method within 5–15 business days depending on your bank. Refund eligibility is governed by our Purchase Terms. If you dispute a charge with your card issuer, the dispute is handled by Stripe and your card network; Ardvarq responds per Stripe's chargeback procedures. Please contact support@ardvarq.com to resolve a charge before initiating a chargeback.

12.4 No Automatic Renewal

Ardvarq purchases are one-time charges. There is no subscription, nothing renews automatically, and we never charge your payment method again without you initiating a new purchase. (California's Automatic Renewal Law applies to auto-renewing plans, which Ardvarq does not offer.) For full purchase details, see our Purchase Terms.

12.5 No AI Training on Payment Data

Ardvarq does NOT use your payment information, billing address, purchase history, or receipt data to train AI models. Payment data is processed solely to provide the paid Service, process your one-time purchases, generate receipts, and comply with legal and tax obligations.

12.6 Billing Dispute Rights

If you believe a charge is unauthorized or incorrect, contact us within 60 days of the charge at support@ardvarq.com with the charge date, amount, and a description of the problem. We will investigate and respond within 15 business days, and issue a refund if an error is confirmed. You also retain the right to dispute charges through your card issuer or bank.

12.7 Data Retention After Account Deletion

After you delete your account, your billing records are retained by Stripe as required to comply with tax and legal obligations, and you may request deletion of billing records except where retention is legally required.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice on the Service prior to the change becoming effective. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy, your data, or our privacy practices, please contact us: