Privacy Policy

1. Introduction

NexPath Oy ("we," "our," or "us") operates the NexPath career guidance platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

We are committed to protecting your privacy and ensuring GDPR compliance. We believe in transparency about our data practices and your rights.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, organization affiliation
• Assessment Data: Responses to career assessments, interests, values, work styles
• Profile Information: Educational background, career goals, demographic data (optional)
• Communication Data: Messages sent through our platform, support requests

2.2 Automatically Collected Information

• Usage Data: Pages visited, features used, time spent, click patterns
• Device Information: Browser type, device type, operating system, IP address
• Cookies: Session management, preferences, analytics (see Cookie Policy)

3. How We Use Your Information

We use your information to:

• Provide personalized career guidance and recommendations
• Analyze assessment responses using our algorithms (RIASEC, Work Adjustment Theory)
• Generate reports for counselors and administrators (when authorized)
• Improve our algorithms and platform functionality
• Communicate important updates, new features, or support responses
• Comply with legal obligations and prevent fraud

4. Data Sharing and Disclosure

4.1 Within Your Organization

If you access NexPath through a school or organization, authorized counselors and administrators can view your assessment results and progress. Individual response data is aggregated for organizational insights.

4.2 Third-Party Service Providers

We may share data with:

• Hosting Providers: Supabase (EU-hosted PostgreSQL), Vercel (EU region)
• Email Services: Nodemailer via secure SMTP
• Analytics: Privacy-first analytics (no tracking cookies without consent)
• Payment Processing: Stripe for secure payment processing. When you make a purchase, Stripe receives your payment card details, billing address, and email to process the transaction. NexPath does not store your payment card numbers. See Stripe's Privacy Policy.

All third parties are contractually obligated to protect your data under GDPR standards.

4.3 Legal Requirements

We may disclose information if required by law, court order, or to protect our rights, safety, or the safety of others.

5. Data Security

We implement industry-standard security measures:

• Encryption in transit (TLS/SSL) and at rest (database encryption)
• Row-Level Security (RLS) policies on all database tables
• JWT-based authentication with secure token management
• Regular security audits and penetration testing
• Access controls limiting employee access to need-to-know basis

6. Your Rights (GDPR)

Under GDPR, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure ("Right to be Forgotten"): Request deletion of your data
• Portability: Export your data in machine-readable format (JSON)
• Restrict Processing: Limit how we use your data
• Object: Opt-out of certain data uses (e.g., marketing)
• Withdraw Consent: Revoke consent at any time

To exercise these rights, contact us at [email protected] or use the account settings within the platform.

7. Data Retention

• Billing Data: Invoices, payment records, and transaction history are retained for 6 years in accordance with Finnish accounting law (Kirjanpitolaki 1336/1997)
• Active Users: Data retained for duration of account + 6 months after last activity
• Deleted Accounts: Data anonymized or deleted within 30 days (except legal holds)
• Assessment Results: Retained for research and algorithm improvement (anonymized after 2 years)

8. Children's Privacy

NexPath is intended for users aged 13+ (or local equivalent age). For users under 16, we require parental or school consent as per GDPR Article 8. We do not knowingly collect data from children under 13 without verified consent.

9. International Data Transfers

All data is hosted within the EU (Supabase EU region). If you access NexPath from outside the EU, your data is transferred to and stored in EU servers under GDPR protections.

10. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with an updated "Last updated" date. Material changes will be communicated via email or in-app notification.

11. Contact Us

For privacy inquiries, data requests, or complaints: