Legal

Privacy Policy

Last updated: 2026-05-21

Alumli ("we", "us") is an invite-only alumni network. This policy explains what personal information we collect, why we collect it, and the rights you have over it. It is written to satisfy the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA). If you are elsewhere, your local rules may also apply.

1. Who is the data controller

The data controller is the organisation operating Alumli. Contact details are in our Imprint. For any privacy question, write to privacy@alumli.app.

2. What we collect

  • Account: email address, password hash (handled by our auth provider), and the invite token used to join.
  • Profile: name, city, role, status, what you're working on, what you're good for, optional photo, optional secondary email, phone, LinkedIn, Instagram.
  • Cohort: university, school, program, graduation year, schedule, format.
  • Visibility settings: per-field privacy choice (everyone, cohort only, on request).
  • Activity: board posts, events you create or RSVP to, direct messages you send, read receipts, theme preference.
  • Technical: standard server logs (IP address, user agent, request time) kept short-term for security and abuse prevention.

3. Why we use it (legal bases)

  • Contract (GDPR Art. 6(1)(b)): to operate your account and provide the network features.
  • Legitimate interest (GDPR Art. 6(1)(f)): to keep the service secure, prevent abuse, and let alumni find each other within agreed visibility settings.
  • Consent (GDPR Art. 6(1)(a)): for anything beyond the above — e.g. optional profile fields you choose to make visible to "everyone". You can withdraw consent any time by editing visibility or removing the field.

4. Who can see your data

  • Other authenticated members can see your name, city, role, status, working-on, good-for, cohort and photo.
  • Email, secondary email, phone, LinkedIn, and Instagram are only visible according to the visibility setting you choose for each field. "On request" means the field is hidden until you accept a direct message.
  • Workspace admins can see all profiles and content to moderate the service.
  • We never sell your personal data, run ads, or share it with marketing networks.

5. Sub-processors

We rely on the following providers strictly to run the service. They process data on our behalf under contract:

  • Lovable Cloud (managed Supabase, EU region) — database, authentication, file storage.
  • Cloudflare — application hosting, CDN, DDoS protection.
  • Google — optional sign-in. Only if you use "Continue with Google".

6. International transfers

Some sub-processors operate globally. Where personal data leaves the EEA/UK, transfers are protected by Standard Contractual Clauses or equivalent safeguards provided by the sub-processor.

7. Retention

  • Account & profile: until you delete your account.
  • Messages: until the thread is deleted or your account is deleted.
  • Events hidden by admins: auto-deleted after 90 days.
  • Unused invite codes: auto-deleted 30 days after they expire.
  • Server logs: 30 days, then deleted.

8. Your rights

Under GDPR (and equivalent rights under CCPA) you can:

  • Access — see what we hold (use "Export my data" on your profile, or email us).
  • Rectify — edit your profile in the app. For cohort details set by an admin, use "Request a correction".
  • Erase — delete your account at any time from your profile.
  • Portability — download your data as JSON from your profile.
  • Restrict / object — email privacy@alumli.app.
  • Complain — to your local EU data protection authority (or, for California residents, the California Privacy Protection Agency).

CCPA — Do Not Sell or Share: we do not sell or share personal information for cross-context behavioural advertising. No opt-out action is needed.

9. Security

Data is encrypted in transit (HTTPS) and at rest by our infrastructure providers. Access controls are enforced at the database level (row-level security). Profile photos are stored in a public bucket — do not upload a photo you don't want indexable on the open web. Treat your password like any other credential.

10. Children

Alumli is intended for university alumni. We don't knowingly process data of anyone under 16. If you believe a child has registered, contact us and we will delete the account.

11. Changes

We'll update the "Last updated" date when the policy changes. Material changes will be flagged in-app before they take effect.

12. Contact

Email privacy@alumli.app for any privacy question or to exercise your rights.