Privacy Policy

Last updated: April 16, 2026

This policy explains what data BidBoard collects, why we collect it, and how we protect it. We've written it in plain English first, with the formal language below each summary.

What We Collect

Plain English: We collect the info you give us when you sign up and build your profile — your name, email, GPA, school, and scholarship preferences. We also collect basic usage data (like which pages you visit) so we can make the product better.

Account Information

When you create an account, we collect your name and email address through Clerk, our authentication provider. We do not store your password — Clerk handles authentication directly.

Profile Data

To match you with scholarships, we ask for information such as your GPA, intended major, school name, graduation year, demographic background, and scholarship preferences. This data is stored in our database and used solely to power your personalized scholarship feed and essay suggestions.

Usage Data

We collect standard web analytics data — pages visited, features used, session duration, and browser/device type. This data is aggregated and used only to improve BidBoard. We do not build individual behavioral profiles for advertising purposes.

Cookies & Local Storage

We use cookies to maintain your session and remember your preferences. See the Cookies section below for details.

How We Use It

Plain English: Your data powers the core product — matching you to scholarships, generating essay suggestions, and sending deadline reminders. We also use aggregated usage data to fix bugs and ship better features.

Scholarship Matching

We use your profile data and OpenAI-generated embeddings to rank and surface scholarships that best match your background and goals. This matching runs entirely within BidBoard's infrastructure — your profile is not shared with OpenAI beyond the embedding generation step.

Essay Engine

When you use BidBoard's essay tools, your profile and essay drafts may be processed by OpenAI's API to generate suggestions. Only the data necessary for a given request is sent — we do not send your entire profile indiscriminately.

Deadline Reminders

If you opt in to deadline reminders, we use your email address to send transactional notifications via Resend. You can unsubscribe from these emails at any time from your account settings.

Product Improvement

Aggregated, anonymized usage data helps us understand which features are working and which need improvement. Individual user data is never used for A/B testing without your knowledge.

What We Don't Do

We never sell your data. Full stop. Your name, email, profile, essays, and activity are not sold, rented, or traded to any third party for any purpose — advertising, marketing lists, data brokers, or otherwise. This is a hard commitment, not a policy that can be quietly changed.

Beyond not selling your data, we also do not:

  • Share your personal information with scholarship providers or universities without your explicit action (e.g., you clicking "Apply").
  • Use your essays or profile data to train AI models without your explicit, opt-in consent.
  • Send marketing emails to third parties on behalf of sponsors or partners.
  • Use third-party advertising networks or tracking pixels.
  • Retain your data after account deletion beyond the minimum required by law.

Third-Party Services

Plain English: We use a small, carefully chosen set of vendors to run BidBoard. Each one sees only the data it needs to do its job. None of them can sell your data.

Clerk Authentication

Handles sign-up, sign-in, and session management. Clerk stores your email and password hash. Their privacy policy governs how they process your authentication data.

Stripe Billing

Processes subscription payments. BidBoard never sees or stores your full credit card number. Stripe is PCI-DSS Level 1 certified. Their privacy policy governs payment data.

Neon Database

Hosts the PostgreSQL database where your profile, tracker, and scholarship data is stored. Data is encrypted at rest and in transit. Neon does not access your data for any purpose other than storage.

Vercel Hosting & Infrastructure

Serves the BidBoard application. Vercel may log request metadata (IP address, request path, response time) for infrastructure and security purposes. These logs are retained for a limited period per Vercel's data retention policy.

OpenAI Scholarship Matching & Essay Engine

We send profile attributes and essay text to OpenAI's API to generate embeddings and essay suggestions. OpenAI does not use API data to train models by default under their enterprise terms. Only the minimum required data is sent per request.

Resend Transactional Email

Sends deadline reminders and account notifications to your email address. Resend is used exclusively for transactional email — no marketing or bulk mail.

Data Retention

Plain English: We keep your data while your account is active. When you delete your account, we delete your personal data within 30 days. We may retain anonymized, aggregated data that cannot identify you.

Active Accounts

While your account is active, we retain your profile data, application tracker history, saved scholarships, and essay drafts. You can delete individual items at any time from within the app.

Account Deletion

When you delete your BidBoard account, we initiate deletion of your personal data within 30 days. This includes your profile, essays, tracker entries, and any preference data. Some data may persist in encrypted database backups for up to 90 days before those backups are rotated and overwritten.

Billing Records

Transaction records associated with Stripe payments may be retained for up to 7 years as required by financial regulations. These records contain billing metadata, not your card details.

Anonymized Data

We may retain aggregated, anonymized analytics data (e.g., "X% of users clicked the essay tool in March") indefinitely. This data cannot be linked back to any individual user.

Your Rights

Plain English: You can see, correct, export, or delete your data. Email us at contact@bidboard.app and we'll handle it promptly — no runaround.

Depending on your location, you may have the following rights under GDPR, CCPA, or similar privacy laws. BidBoard honors these rights for all users regardless of geography.

Access

You can request a copy of all personal data BidBoard holds about you.

Correction

You can update your profile data directly in the app at any time. For data held by third-party providers (e.g., Clerk), contact them directly or contact us and we'll facilitate.

Deletion

You can delete your account from the Settings page, which initiates deletion of your personal data within 30 days.

Export

You can request an export of your data in a machine-readable format (JSON or CSV). We aim to fulfill export requests within 14 days.

Opt-out of Communications

You can unsubscribe from email notifications at any time via the link in any email or in account settings.

To exercise any of these rights, email contact@bidboard.app. We will respond within 30 days.

Cookies

Plain English: We use a small number of essential cookies to keep you logged in and remember your preferences. We do not use advertising cookies or third-party tracking pixels.

Essential Cookies

These cookies are required for BidBoard to function. They include your session token (managed by Clerk) and a cookie that remembers whether you've completed onboarding. You cannot opt out of essential cookies without also disabling your account session.

Analytics Cookies

We may use anonymized, first-party analytics to understand aggregate usage patterns. These cookies do not track you across other websites and are not shared with advertising networks.

What We Don't Use

BidBoard does not use advertising cookies, retargeting pixels, or third-party tracking scripts (e.g., Google Ads, Meta Pixel, LinkedIn Insight Tag).

Opting Out

You can block or delete cookies through your browser settings. Note that blocking essential cookies will prevent BidBoard from functioning correctly. For non-essential cookies, most modern browsers allow selective blocking via their privacy settings.

Children's Privacy

Plain English: BidBoard is not for children under 13. If you're under 13, please don't create an account. If we discover we've collected data from a child under 13, we'll delete it immediately.

BidBoard is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA).

If you are between 13 and 18, we recommend reviewing this Privacy Policy with a parent or guardian before creating an account.

If we learn that we have inadvertently collected personal information from a child under 13, we will delete that information as quickly as possible. Parents or guardians who believe their child has provided us with personal information may contact us at contact@bidboard.app to request deletion.

Changes to This Policy

Plain English: If we make a meaningful change to how we handle your data, we'll email you and update the date at the top of this page. We won't make changes quietly.

We may update this Privacy Policy from time to time. When we make a substantive change — one that affects your rights or how we use your data — we will notify you by email at least 14 days before the change takes effect and update the "Last updated" date at the top of this page.

Cosmetic or clarifying changes (e.g., fixing a typo, improving wording without changing meaning) will not trigger a notification, but will still update the date. The current version of this policy is always available at bidboard.app/privacy.

Continued use of BidBoard after a policy change takes effect constitutes acceptance of the updated policy.

Contact

Plain English: Questions about your data? Email us. We're a small team and we respond to real people, not bots.

If you have questions about this Privacy Policy or your personal data, or want to exercise any of your rights, please contact us:

BidBoard
Privacy inquiries: contact@bidboard.app
We aim to respond to all privacy-related inquiries within 5 business days.