Legal
Privacy Policy
Last updated: July 4, 2026
This policy is reviewed periodically. When we make material changes, we update the date above and provide in-product notice.
Overview
OppPaths is an AI-powered scholarship platform for students worldwide. This Privacy Policy explains what information we collect, how we use it, how AI processing works, and the choices available to you.
Who We Are
OppPaths is operated by an individual sole operator based in Thailand, who is the data controller responsible for your personal data. Contact us at support@opppaths.com for any privacy question or to exercise your rights.
Who Can Use OppPaths
OppPaths is intended for students, and many of our users are young.
You must be at least 13 years old to create an account. If you are under 18, you may only use OppPaths with the consent of a parent or legal guardian, who accepts our Terms of Service on your behalf.
If you are in Thailand, note that the age of majority is 20; where you are under 20 and not otherwise legally of age, we rely on consent given or approved by your parent or guardian, except for actions a minor may take on their own under the Civil and Commercial Code. In some EEA/UK countries the minimum age to consent on your own is 16 (or as low as 13); below that age we rely on parental consent.
If we learn we have collected a child’s data without proper consent, we will delete it. Parents and guardians can contact us at support@opppaths.com.
Information We Collect
- Account information: your email address and authentication details.
- Student profile information you provide: academics, test scores, activities, interests, goals, scholarship preferences, and application history.
- Documents and application materials you create, upload, or generate (drafts, CVs, statements of purpose, notes).
- Payment information: handled by Stripe. We never see or store your full card number; we receive limited billing records such as your plan, subscription status, and transaction amounts.
- Usage and device information: pages viewed, product interactions, browser and device data, approximate location from your IP, and analytics events.
Please avoid including sensitive data (such as health, religion, or ethnicity) unless it is genuinely needed for a scholarship, in which case you are asking us to process it to provide the service.
How We Use Your Information
We use your information to provide the service (scholarship matching, gap analysis, planning, and document generation), manage your account, process payments, provide support, keep the service secure, send transactional and account messages, improve the product using aggregate or de-identified data, and comply with legal obligations.
For EEA/UK users, our legal bases are: performance of a contract, consent (for optional analytics and communications), legitimate interests (security and improvement), and legal obligation. Under Thailand’s PDPA we rely on the equivalent bases, including consent and contractual necessity.
We do not sell your personal data and do not use your profile or documents for third-party advertising.
How AI Processing Works
AI features analyze your profile, compare it against scholarship requirements, summarize gaps, and help draft documents. When you use an AI feature, relevant profile details, requirements, and draft content are sent to our AI provider (OpenRouter), which routes the request to a supported model provider to generate the output.
Our AI providers are configured so your inputs and outputs are not used to train their models. AI output can be inaccurate or incomplete, so always review and edit it before relying on it.
Third Parties We Share Data With
We share personal data only with service providers who process it on our behalf, under contract, and only as needed to run the service:
- Supabase: database, authentication, and backend hosting.
- Stripe: payment and subscription processing.
- Resend: transactional and account email.
- OpenRouter and its AI model providers: AI processing (configured no-training).
- PostHog: product analytics, EU-hosted, consent-gated.
- Google Analytics: website and usage analytics, consent-gated.
- Hostinger: application hosting, Singapore.
We may also disclose data if required by law, to protect our rights or others’ safety, or in a business transfer, giving notice where we reasonably can.
International Data Transfers
We operate from Thailand and our providers operate in various countries, so your data may be processed outside your home country. Where we transfer data across borders we rely on appropriate mechanisms, which may include your consent, the necessity of the transfer to provide the service, and standard contractual clauses or equivalent safeguards. For transfers out of Thailand we rely on the derogations and safeguards permitted under the PDPA; for the EEA/UK, on adequacy decisions or standard contractual clauses where applicable.
Cookies and Analytics
Essential cookies keep you logged in and the service secure and are always on. Analytics (PostHog and Google Analytics) only runs if you consent via our cookie banner; PostHog analytics are EU-hosted.
Your choice is stored in your browser’s local storage. You can change it at any time using "Cookie preferences" in the page footer, or through your browser settings.
How Long We Keep Your Data
We keep your account, profile, and documents while your account is active and as needed to provide the service. When you delete your account (available in Settings), we delete or de-identify your data within a reasonable period, except limited information we must keep for legal, dispute, or security reasons. Residual copies may briefly persist in encrypted backups before being overwritten.
Your Rights
Wherever you live, you can exercise these rights by emailing support@opppaths.com or using your account settings: access a copy of your data, correct it, delete it (right to be forgotten), receive it in a portable format, restrict or object to processing, and withdraw consent where we rely on it.
EEA/UK users may also lodge a complaint with their local supervisory authority. Thailand users have equivalent PDPA rights and may complain to the Personal Data Protection Committee (PDPC). We will not treat you differently for exercising your rights and aim to respond within 30 days.
How We Protect Your Data
We use reasonable technical and organizational measures, including encryption in transit, access controls, and trusted infrastructure providers. No system is perfectly secure, but we work to protect your information and will notify you and any required authority of a breach where the law requires.
Changes to This Policy
We may update this policy as OppPaths evolves. If changes are material we will take reasonable steps to notify you and update the date above. Continued use after changes take effect means you accept the updated policy.
Contact
Privacy questions, requests, or complaints: support@opppaths.com.
Related Terms
Use of OppPaths is also governed by our Terms of Service.