Privacy Policy

1. About UnisHub

UnisHub is a publicly accessible, read-only platform that aggregates structured data about accredited U.S. colleges and universities from public sources (e.g., IPEDS, College Scorecard). The platform offers no payment, subscription, login, or user-generated-content features. It operates solely to improve public access to higher-education data.

2. Definitions

• “Personal Data” - any information relating to an identified or identifiable natural person.
• “Processing” - any operation performed on Personal Data (collection, storage, analysis, etc.).
• “Controller” - the natural or legal person that determines the purposes and means of Processing; for this site, the Controller is the operator of UnisHub.
• “Processor” (also called Service Provider in some jurisdictions) - a third party that processes Personal Data on behalf of the Controller pursuant to a written contract.
• “You” / “User” / “Visitor” - any individual who accesses or uses the UnisHub website.
• “Sensitive Personal Information” - data defined as sensitive under CPRA §1798.140 & GDPR Art. 9; UnisHub does not collect such data.

3. Scope of This Policy

This Privacy Policy applies worldwide. By accessing or using https://unishub.com you acknowledge the practices described herein. If you are located in the European Economic Area (EEA), the UK, or Switzerland, you also have the right to lodge a complaint with your local supervisory authority (e.g., the CNPD in Luxembourg or the UK ICO).

4. Notice at Collection (United States)

At or before the point of collection, we disclose the following:

Category of Personal Information	Purpose	Retention	Sensitive PI
IP address & coarse geolocation	Security, traffic analytics	< 90 days	Not collected
Device & browser details	Performance diagnostics	< 90 days	Not collected
Site interaction metrics	Usability improvements	14 months (Google Analytics 4 default)	Not collected
Contact-form contents (if used)	Responding to inquiries	Until request resolved + 12 months	Not collected

We do not “sell” or “share” Personal Data as those terms are defined by the California Privacy Rights Act (CPRA) and other U.S. state laws.

5. Information We Collect

5.1 Automatically Collected Data

When you visit the site we collect:

• IP address and approximate location (city/region)
• Date/time of access, pages viewed, scroll and click events
• Referring URL
• Browser type, version, operating system, device type, screen size

5.2 Web-Server Logs

The server (located in the Republic of Moldova) stores standard access logs containing the data listed above. Logs are deleted or anonymised within 90 days and are accessible only to authorised personnel.

5.3 Contact Form

If a contact form is provided, your email address and message will be used solely to respond to your inquiry. Messages may be stored securely on our server or delivered via email. They will be deleted 12 months after resolution.

5.4 Global Privacy Control & Do-Not-Track Signals

We honour browser-based opt-out signals such as the Global Privacy Control (GPC). When detected, analytics cookies are blocked and your opt-out preference is recorded.

6. Our Legal Bases for Processing (GDPR Art. 6)

Purpose	Legal Basis
Server logs, security monitoring	Legitimate interests (Art. 6 (1)(f)) - see Legitimate-Interest Assessment
Analytics cookies	Consent (Art. 6 (1)(a))
Fraud detection, legal requests	Legal obligation (Art. 6 (1)(c))
Responding to contact-form inquiries	Legitimate interests (communication) or Contract (Art. 6 (1)(b))

7. How We Use Information

• Operate, maintain, and secure the website
• Analyse aggregate traffic patterns to improve content and performance
• Identify and block fraudulent or abusive activity
• Respond to support or information requests that you initiate

We do not use Personal Data for marketing, profiling, or automated decision-making.

8. Cookies & Similar Technologies

We use:

• Essential cookies - required for core site functions (e.g., load balancing).
• Analytics cookies - placed by Google Analytics 4 only after you grant consent via our cookie banner. You can withdraw consent at any time by clicking “Cookie Settings” in the footer or via browser signals (GPC).

A detailed Cookie Policy is available for your review.

9. Third-Party Services

• Google Analytics 4 & Google Tag Manager - aggregate usage metrics; IP anonymisation enabled. Google acts as an independent Controller for its own purposes and as our Processor for dashboard reporting.
• Cloudflare CDN & WAF - edge caching and DDoS mitigation; processes IP addresses and HTTP headers. Cloudflare acts as both Processor (under the DPA) and independent Controller for security analytics.
• OpenStreetMap Tiles - when viewing interactive maps, your browser requests tiles from OSM servers, exposing your IP address to OSM (independent Controller).

10. Data Retention

• Server access logs: deleted within 90 days.
• Google Analytics 4 data: retained 14 months and then auto-deleted.
• Contact-form emails: stored until request resolved + 12 months.

11. Data Security

We implement administrative, technical, and organisational measures aligned with OWASP Top 10 and ISO/IEC 27001, including:

• Encrypted data in transit (HTTPS/TLS 1.3)
• Firewall and Web-Application Firewall (Cloudflare)
• Least-privilege server access (SSH keys, MFA)
• Weekly security patches and daily off-site backups

Researchers may report vulnerabilities via security.txt. No method of transmission or storage is 100 % secure; you use the site at your own risk.

12. International Data Transfers

By visiting from outside the Republic of Moldova, you acknowledge that technical data may be transferred to and processed on servers in the Republic of Moldova and by third-party providers worldwide. Where required, we rely on:

• Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914)
• EU-US Data Privacy Framework adequacy decision (EU 2023/1795)
• UK International Data Transfer Addendum (IDTA) & EU SCCs
• Equivalent adequacy mechanisms for Switzerland and other jurisdictions

No financial transactions occur on UnisHub; international transfers concern technical data only.

13. Your Privacy Rights

13.1 EU / EEA / UK Visitors

You may request access, rectification, erasure, restriction, objection, or portability of your Personal Data and may lodge a complaint with a supervisory authority.

13.2 United States Residents

Residents of California (CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Florida (FOPA), Texas (TDPSA), Oregon (OCPA), Iowa (ICPA), Delaware (DCPA), Tennessee (TIPA), Minnesota (MCDPA), Maryland (MPDPA) and any future state privacy law may request: (i) confirmation of processing, (ii) access, correction, or deletion, and (iii) opt-out of targeted advertising or profiling.

13.3 Canada (PIPEDA)

Canadian residents may request access to, or correction of, Personal Data and may challenge our compliance before the Office of the Privacy Commissioner of Canada.

13.4 Australia (Australian Privacy Principles)

Australian users have rights to access, correction, and complaint under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

13.5 Brazil (LGPD)

Under LGPD Art. 18 you may request confirmation, access, correction, anonymisation, restriction, portability, or deletion of your data.

13.6 South Africa (POPIA)

South African residents have rights to access, correction, and objection under POPIA.

13.7 China (PIPL)

Chinese residents may request access, copy, correction, deletion, or portability, and may withdraw consent at any time under the PIPL.

To exercise any right, email privacy@unishub.com with sufficient information to verify your identity. We will respond within 30 days (extendable by up to 60 days for complex cases).

14. Data Breach Notification

If a breach likely to result in a high risk to your rights and freedoms occurs, we will notify the competent supervisory authority within 72 hours and affected users without undue delay, per GDPR Arts. 33-34 and comparable laws.

15. Children’s Privacy

UnisHub is not directed to children under 13 years of age, and we do not knowingly collect Personal Data from minors. If we learn that we have inadvertently collected such data, we will delete it promptly and notify the parent or guardian.

16. Changes to This Policy

We may update this Privacy Policy periodically. The “Effective Date” reflects the latest revision. Material changes will be highlighted via an on-site banner or pop-up for at least 30 days. Archived versions are available on request.

17. Contact

Data Controller: Operator of UnisHub

Postal address: Chișinău MD-2028, Republic of Moldova

Email: privacy@unishub.com

Appendix A - Legitimate-Interest Assessment (Summary)

We conducted a balancing test confirming that the limited log data we process is necessary for security and does not override your fundamental rights. A full report is available upon request.