Privacy Policy
Last updated: April 20, 2026
Introduction
This Privacy Policy explains how Prepaze (“we,” “us,” “our”) collects, uses, discloses, and safeguards information when you access or use UnikPath (the “Service”), including our website at unikpath.com, our web application, and any related services. Prepaze is the operator of UnikPath, a college admissions planning platform designed for independent educational consultants, school counselors, schools, students, and families.
We take the privacy and security of personal information — especially student education records — very seriously. This policy describes what data we collect, why we collect it, how we protect it, and the choices you have regarding your information. It applies to all users of the Service, including administrators, counselors, students, and parents who interact with the platform.
By accessing or using UnikPath, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service.
Information We Collect
We collect information in several ways depending on how you interact with the Service. Below is a comprehensive description of the categories of information we may collect:
Account Information
When you create an account, we collect your name, email address, role (administrator, counselor, student, or parent), and organization affiliation. If you are invited to join an existing organization, the inviting administrator may provide your name and email address before you sign up. Passwords are stored as bcrypt hashes and are never stored or logged in plaintext.
Student Records Uploaded by Users
Authorized users — typically counselors, administrators, students, or parents — may enter student education records into the Service. These records can include academic data (GPA, test scores, class rank, course history), extracurricular activities and achievements, college lists and application statuses, essays and personal statements, recommendation letter metadata and content, scholarship information, meeting notes, and parent or guardian contact information. We do not independently collect student records; all student data in the platform is provided by authorized users within the relevant educational organization.
Usage Data and Analytics
When you use the Service, we automatically collect certain technical and usage information. This includes pages visited, features used, actions taken (such as creating or editing records), timestamps, IP addresses, browser type and version, device type, operating system, referring URLs, and session duration. We use this information to operate, maintain, and improve the Service, and to detect and prevent abuse or unauthorized access.
Cookies and Tracking Technologies
We use cookies and similar technologies to authenticate users, maintain session state, and understand how the Service is used. Specific categories include:
- Essential session cookies: These are required for the Service to function. They maintain your authenticated session, remember your preferences, and enable core functionality such as navigation between pages. Without these cookies, the Service cannot operate properly.
- Analytics cookies: We may use privacy-respecting analytics tools to understand aggregate usage patterns, such as which features are most popular and how users navigate the platform. Analytics data is used solely to improve the Service and is not shared with advertisers or used for ad targeting.
You can control cookies through your browser settings. Most browsers allow you to refuse cookies or delete existing cookies. Please note that disabling essential cookies may prevent you from using the Service. We do not use cookies for advertising, retargeting, or cross-site tracking purposes.
Billing Data
Payment processing is handled entirely by Stripe, our third-party payment processor. When you subscribe to a paid plan, your credit card number, billing address, and payment method details are collected and stored by Stripe in accordance with PCI DSS Level 1 compliance standards. We never receive, transmit, or store your full credit card number. We receive only subscription metadata from Stripe, including your plan type, subscription status, billing cycle dates, and payment confirmation details, which we use to manage your account and provide customer support.
How We Use Information
We use the information we collect for the following purposes:
- Operate and maintain the Service: To provide, deliver, and administer all features of UnikPath, including student profile management, application tracking, essay review, meeting scheduling, college search and comparison, document management, and reporting.
- Send transactional emails: To communicate essential information related to your account and use of the Service, including account invitations, email verification, password resets, deadline reminders, meeting notifications, billing receipts, and important service announcements.
- Provide customer support: To respond to your questions, requests, and support tickets, and to troubleshoot technical issues you may encounter.
- Detect and prevent abuse: To monitor for fraudulent activity, unauthorized access, terms of service violations, and security threats, and to protect the integrity and availability of the Service for all users.
- Improve the Service: To analyze usage patterns, identify bugs, measure feature adoption, conduct internal research and development, and improve the overall quality and user experience of the platform.
- Fulfill legal obligations: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
We do not sell personal information. We do not display third-party advertisements within the Service. We do not use student data for marketing, lead generation, behavioral targeting, or any purpose unrelated to providing the Service to the educational organization that uploaded the data. We will never monetize student records or personal information in any way.
Cookies and Tracking Technologies
As described above, UnikPath uses a limited set of cookies and similar browser-based storage technologies to operate the Service. We believe in transparency about these technologies and offer the following details:
Session cookies are temporary cookies that expire when you close your browser or after a defined period of inactivity. They are essential for maintaining your login session and ensuring that authenticated requests are properly attributed to your account.
Persistent cookies may be used for limited purposes such as remembering your display preferences or language settings across visits. These cookies have a defined expiration date and are automatically deleted after that date.
Analytics: We may use first-party or privacy-focused third-party analytics services to understand how users interact with the Service in aggregate. We do not use Google Analytics or any analytics platform that engages in cross-site tracking or data sharing with advertisers.
How to opt out: You can manage or delete cookies through your browser settings at any time. Browsers such as Chrome, Firefox, Safari, and Edge all provide options to block or delete cookies. Additionally, you can use browser extensions designed to control tracking technologies. Please note that blocking essential cookies may impair the functionality of the Service, and you may need to log in more frequently or lose certain preferences.
Information Sharing
We do not sell, rent, or trade personal information or student records. We share information with third-party service providers (“subprocessors”) only to the extent necessary to operate and deliver the Service. Each subprocessor is contractually bound by a data processing agreement (DPA) that limits their use of data to the specific services they provide to us and requires them to maintain appropriate security measures.
Our current subprocessors include:
- Vercel — Application hosting, serverless compute, and content delivery network (CDN). Vercel processes requests and serves the application to end users. Bound by DPA.
- Supabase — Database hosting, authentication services, and file storage. All data stored in Supabase is encrypted at rest using AES-256 encryption via AWS infrastructure. Bound by DPA.
- Resend — Transactional email delivery. Resend processes recipient email addresses and email content solely for the purpose of delivering messages on our behalf (account invitations, password resets, notifications). Bound by DPA.
- Sentry — Error monitoring and application performance tracking. Sentry receives error reports and diagnostic data to help us identify and fix software bugs. We configure Sentry to minimize the capture of personally identifiable information; no student PII is intentionally sent to Sentry. Bound by DPA.
- Stripe — Payment processing and subscription management. Stripe handles all credit card and payment data in compliance with PCI DSS Level 1 standards. We do not receive or store full payment card numbers. Bound by DPA.
- LiveKit — Real-time video and audio communication infrastructure for video meetings conducted through the Service. LiveKit processes audio and video streams during active meetings; streams are not recorded or stored by LiveKit unless explicitly initiated by the user. Bound by DPA.
In addition to our subprocessors, we may disclose information if required to do so by law, regulation, subpoena, court order, or other governmental request. We may also disclose information when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. If UnikPath is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, and we will notify you via email or a prominent notice in the Service before your information becomes subject to a different privacy policy.
Parent and Student Data
UnikPath is designed to be used by educational organizations, independent counselors, and schools that work directly with students and their families. It is important to understand the roles and responsibilities regarding student data:
We have no direct relationship with students. The counselor, school, or educational organization that uses UnikPath is the data controller (or, in FERPA terms, the “educational agency or institution”) with respect to the student education records they enter into the platform. Prepaze acts as a data processor (or “school official” under FERPA) on behalf of that organization.
Responsibility for consent lies with the educational organization. It is the responsibility of the school, counselor, or educational organization to obtain any required consents from students, parents, or legal guardians before entering student data into UnikPath. This includes, where applicable, consent under FERPA, state student privacy laws, and any other relevant regulations. We rely on the educational organization to ensure that they have a lawful basis for sharing student data with us as their service provider.
When a parent or student creates an account (for example, to view their college list or communicate with their counselor), the educational organization has invited them to do so. Parents and students should direct any questions about how their data is used to their counselor or school, who can in turn refer to this Privacy Policy and any applicable DPA.
Student Data and FERPA
UnikPath is built with the requirements of the Family Educational Rights and Privacy Act (FERPA) in mind. FERPA protects the privacy of student education records and gives parents certain rights regarding their children’s educational information. When a school or counseling organization uses our platform, the following principles apply:
- Role-based access controls: Every user in UnikPath is assigned a specific role (administrator, counselor, student, or parent), and each role has distinct, enforced permissions. Counselors can access only the students assigned to them. Parents can view only the records of their own children. Students can access only their own profiles. Administrators manage their organization but cannot access other organizations’ data. These permissions are enforced server-side on every API request.
- Organization-scoped data isolation: All data in UnikPath is scoped by organization ID at the database level. There is strict multi-tenant isolation: no user from one organization can access, view, or modify data belonging to another organization, regardless of their role.
- Data used only for the Service: Student education records are used exclusively to provide the Service to the educational organization that uploaded them. We do not use student data for advertising, marketing, creating behavioral profiles, or any purpose other than delivering the features and functionality of UnikPath.
- No profiling or automated decision-making: We do not use student education records for automated profiling, predictive analytics unrelated to the Service, or any form of automated decision-making that produces legal or similarly significant effects on students.
- Data Processing Agreements available: We are prepared to execute a Data Processing Agreement (DPA) with any school, district, or educational institution that uses UnikPath. The DPA documents our obligations with respect to student data, including security measures, data use limitations, breach notification procedures, and data return or deletion upon contract termination. Contact privacy@unikpath.com to request a DPA.
COPPA
The Children’s Online Privacy Protection Act (COPPA) applies to the online collection of personal information from children under the age of 13. UnikPath is designed for high school students who are typically between the ages of 14 and 18, as well as their parents, counselors, and school administrators.
We do not knowingly collect personal information directly from children under the age of 13. UnikPath accounts for students are created in the context of an educational organization, and the counselor or school administrator is responsible for ensuring that students using the platform are of appropriate age. If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will take prompt steps to delete the information and terminate the associated account. If you believe that a child under 13 has created an account on UnikPath, please contact us immediately at privacy@unikpath.com.
State Student Privacy Laws
In addition to FERPA and COPPA, many states have enacted student privacy laws that impose additional requirements on education technology providers. Our practices are designed to align with the common requirements found across these laws, including but not limited to:
- California — SOPIPA (Student Online Personal Information Protection Act): We do not use student data for targeted advertising. We do not create advertising profiles based on student information. We do not sell student information. We do not knowingly use student data for purposes other than the educational purposes for which the information was disclosed.
- New York — Education Law 2-d: We implement data privacy and security protections for personally identifiable information (PII) of students and staff. We limit our use of PII to the educational purposes authorized by the educational agency. We are prepared to execute a Parents’ Bill of Rights for Data Privacy and Security and comply with the requirements of NY Ed Law 2-d and its implementing regulations.
- Other state laws: We monitor the evolving landscape of state student privacy legislation and design our practices to meet the strictest common requirements. Key commitments that apply across jurisdictions include:
  - We do not sell student data under any circumstances.
  - We do not use student data for targeted advertising, behavioral profiling, or marketing purposes.
  - We encrypt all data in transit (TLS/HTTPS) and at rest (AES-256 via Supabase/AWS).
  - We commit to notifying affected educational organizations of any confirmed data breach within 72 hours of discovery.
  - We delete student data upon the request of the educational organization or after account cancellation, subject to our standard retention period.
  - We maintain a comprehensive information security program with administrative, technical, and physical safeguards.
Security Measures
Protecting the confidentiality, integrity, and availability of your data is a core priority. We implement the following technical and organizational security measures:
- Encryption in transit (TLS): All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS/HTTPS). No data is ever transmitted in plaintext. We enforce HTTPS across all endpoints and redirect any HTTP requests to HTTPS automatically.
- Encryption at rest: All data stored in our database is encrypted at rest using AES-256 encryption, provided through our hosting infrastructure (Supabase running on AWS). This includes student records, account information, uploaded documents, and all other persistent data.
- Password security (bcrypt): User passwords are hashed using the bcrypt algorithm with a strong work factor before being stored. We never store, log, or transmit plaintext passwords. Password reset flows use time-limited, single-use tokens delivered via email.
- Role-based access control (RBAC): Every API request is authenticated and authorized based on the user’s role and organizational membership. Permissions are enforced server-side on every request, ensuring that users can only access data and perform actions appropriate to their role. There is no client-side-only access control.
- Multi-tenant data isolation: All database queries are scoped by organization ID. Row-level security policies ensure strict data isolation between organizations. No user from one organization can access, modify, or view data belonging to another organization.
- Breach notification: In the event of a confirmed data breach involving personal information or student education records, we will notify affected users and educational organizations within 72 hours of discovery, in accordance with applicable laws and any contractual commitments in our DPAs. The notification will include a description of the breach, the types of data involved, the steps we are taking to address the incident, and recommendations for affected individuals.
We regularly review and update our security practices to address emerging threats and maintain the trust of the schools, counselors, and families who rely on UnikPath.
Data Retention and Deletion
We retain your data for as long as your account is active and as needed to provide the Service to you or your organization. Our data retention practices are as follows:
- Active accounts: Data is retained while your account or your organization’s subscription is active. You may access, modify, export, or delete your data at any time through the Service.
- After cancellation: When an organization cancels its subscription, we retain data for a 30-day grace period to allow for account restoration or data export. After 30 days, all associated data — including student records, account information, documents, meeting records, and organizational settings — is permanently and irreversibly deleted from our systems and backups.
- Earlier deletion on request: Organizations may request immediate deletion of their data at any time by contacting support. Please note that deletion is irreversible and cannot be undone once completed.
- Bulk export: Schools and organizations may request a bulk data export at any time, either through the Service or by contacting support. We will provide the exported data in a standard, machine-readable format.
Certain aggregated, anonymized, and de-identified data that cannot be used to identify any individual may be retained indefinitely for analytics, research, and service improvement purposes.
Your Rights
Depending on your location and applicable law, you may have certain rights regarding your personal information:
- Access: You have the right to request a copy of the personal information we hold about you. You can access much of this information directly through your account settings.
- Correction: You have the right to request that we correct any inaccurate or incomplete personal information. You can update most information directly through the Service.
- Export: You have the right to request a portable copy of your data in a commonly used, machine-readable format.
- Deletion: You have the right to request deletion of your personal information, subject to certain exceptions (such as data we are required to retain by law). You can initiate deletion from your account settings or by contacting support.
California residents: Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have the right to know what personal information we collect, the right to request deletion, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising these rights.
European Union and UK residents: If you are located in the European Economic Area or the United Kingdom, you may have additional rights under the General Data Protection Regulation (GDPR) or UK GDPR, including the right to restrict processing, the right to object to processing, and the right to lodge a complaint with a supervisory authority.
To exercise any of these rights, please contact us at privacy@unikpath.com. We will respond to your request within 30 days, or within the timeframe required by applicable law.
International Users
UnikPath is hosted in the United States, and all data is stored and processed on servers located within the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to the transfer of your information to the United States and its processing there in accordance with this Privacy Policy.
If you are located in the European Economic Area, the United Kingdom, or another jurisdiction that requires a lawful basis for cross-border data transfers, our legal basis for transferring your data to the United States is your consent and the necessity of the transfer for the performance of the contract between you (or your organization) and us.
Third-Party Websites
The Service may contain links to third-party websites, services, or resources that are not owned or controlled by Prepaze. This includes, but is not limited to, links to college and university websites, scholarship resources, testing organization websites, and other educational tools. We provide these links for your convenience and information, but we do not endorse and are not responsible for the privacy practices or content of these third-party sites.
When you leave UnikPath and visit a third-party website, this Privacy Policy no longer applies. We encourage you to review the privacy policy of every website you visit. We are not liable for any information you provide to or that is collected by third-party websites.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the “Last updated” date at the top of this page.
If we make material changes to this Privacy Policy — such as changes to how we collect, use, or share personal information or student education records — we will notify you by email to the address associated with your account, by a prominent notice within the Service, or both. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms. If you do not agree with the revised policy, you should discontinue use of the Service and contact us to request deletion of your account.
Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@unikpath.com
For schools and institutions seeking to execute a Data Processing Agreement (DPA), please email privacy@unikpath.com with the subject line “DPA Request” and include your organization name, district (if applicable), and the name of a primary contact. We will respond within five business days.
For individual data rights requests (access, correction, export, or deletion), please email privacy@unikpath.com with the subject line “Data Rights Request” and a description of your request. We will verify your identity and respond within the timeframe required by applicable law.