GradLaunch

Privacy Policy

Last updated: 14/05/2026

GradLaunch ("we", "us") is a UK-based platform connecting graduates with startup opportunities. We act as a data controller for personal data we process about you. We're committed to UK GDPR and the Data Protection Act 2018.

1. Who we are

GradLaunch is operated from the United Kingdom. For privacy questions, contact privacy@gradlaunch.co.uk.

2. What we collect

  • Account data: name, email, password (hashed), role.
  • Profile data: university, degree, skills, bio, CV, portfolio links, avatar.
  • Activity data: opportunities posted/applied to, messages, CV access requests.
  • Technical data: IP address, user agent, device info, security events.
  • Cookie data: consent choices, session tokens.

3. Why we process it (lawful basis)

  • Contract (Art. 6(1)(b)): running your account, matching, messaging, applications.
  • Legitimate interests (Art. 6(1)(f)): security, fraud prevention, abuse moderation, analytics, service improvement.
  • Consent (Art. 6(1)(a)): non-essential cookies, marketing emails (where applicable).
  • Legal obligation (Art. 6(1)(c)): responding to lawful requests, tax/audit records.

4. Sharing & sub-processors

We do not sell personal data. We share data only with sub-processors that help us run the service:

  • Lovable Cloud — hosting, database, authentication, file storage (EU/UK).
  • Lovable AI Gateway — AI summarisation of CVs (text only; not used for model training).
  • hCaptcha — bot protection on signup/signin.
  • Resend — transactional email delivery.
  • Sentry (if enabled) — error monitoring with PII scrubbing.

Founders see your graduate profile when you apply to their opportunity. CV access requires your explicit approval per founder.

5. International transfers

Where sub-processors operate outside the UK/EEA, transfers are protected by Standard Contractual Clauses or equivalent UK adequacy mechanisms.

6. Retention

  • Active account data: kept while your account is active.
  • Inactive accounts: anonymised after 3 years of inactivity.
  • Deleted accounts: hidden immediately, hard-deleted after 30 days.
  • Financial/tax records: 7 years (UK statutory).
  • Security logs: 12 months.

7. Your rights (UK GDPR)

  • Access: download your data at /settings/data-export.
  • Rectification: edit profile fields directly in your account.
  • Erasure: delete your account at /settings/delete-account.
  • Restriction & objection: contact us.
  • Portability: the export above is machine-readable JSON.
  • Withdraw consent: via the cookie banner or by emailing us.

8. Cookies

See our Cookie Policy for the full list. Strictly necessary cookies (auth/session) are always on; everything else is opt-in and we honour the browser Do Not Track signal.

9. Security

We use TLS, hashed passwords, hCaptcha bot protection, row-level security in the database, rate limiting, and a content security policy. Report vulnerabilities at /security-policy.

10. Complaints

You can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint, or call 0303 123 1113. We'd appreciate the chance to address concerns first at privacy@gradlaunch.co.uk.

11. Changes

We'll post updates here and, for material changes, notify you by email or in-app banner.