Privacy Policy — Alumni Outcomes

1. Who We Are

alumn.is is an alumni outcome intelligence service operating within the European Union. We are the data controller for personal data processed through our website and in connection with our services.

If you have any questions about this Privacy Policy or how we handle your data, please contact us at hello@alumn.is.

This Policy applies to all personal data we process about: visitors to our website, prospective and current clients, and individuals whose professional data appears in our compiled reports.

2. What Data We Collect and Why

We collect and process personal data in two distinct contexts:

A — Client and website visitor data

Data	Purpose	Legal Basis
Name, email address, organisation	Responding to enquiries, delivering services	Contract (Art. 6(1)(b) GDPR)
Billing information	Invoicing and payment processing	Contract (Art. 6(1)(b) GDPR)
Email correspondence	Client communication, project delivery	Contract (Art. 6(1)(b) GDPR)
Website usage data (IP address, browser type, pages visited)	Website security and performance analytics	Legitimate interest (Art. 6(1)(f) GDPR)
Marketing communication preferences	Sending updates about our services	Consent (Art. 6(1)(a) GDPR)

B — Alumni and professional profile data (report subjects)

Our reports are compiled from publicly available professional data — primarily information individuals have published on professional networking platforms. This data includes job titles, employers, career progression, and education history.

Data	Purpose	Legal Basis
Name, current and past employers, job titles	Compiling alumni career outcome reports	Legitimate interest (Art. 6(1)(f) GDPR)
Education history (institution, degree, graduation year)	Cohort segmentation and outcome analysis	Legitimate interest (Art. 6(1)(f) GDPR)
Geographic location (country/city level)	Regional distribution analysis	Legitimate interest (Art. 6(1)(f) GDPR)

We do not collect or process special category data (Article 9 GDPR) such as health information, political opinions, religious beliefs, or ethnic origin. We do not process children's data.

3. Our Legitimate Interest Assessment

Where we rely on legitimate interest as our lawful basis, we have conducted a balancing test and concluded that our processing is proportionate and does not override the rights and freedoms of the individuals concerned, because:

We only process data that individuals have made publicly available on professional platforms with the reasonable expectation that it will be seen and used professionally
We process data at an aggregated, institutional level — our reports describe cohort outcomes, not targeted individual profiles
The processing serves a legitimate purpose: helping educational institutions understand and improve graduate career outcomes
We do not use the data for advertising, profiling for automated decisions, or any purpose beyond career outcome analysis
Individuals retain all rights described in Section 6 of this Policy, including the right to object

4. How Long We Keep Your Data

Data Type	Retention Period
Client contact and correspondence data	Duration of engagement + 3 years
Billing and invoice records	7 years (EU accounting obligations)
Website analytics data	13 months
Marketing consent records	Until consent is withdrawn + 1 year
Professional profile data (report subjects)	Up to 24 months from collection, refreshed or deleted upon update

After retention periods expire, data is securely deleted or anonymised so that it can no longer be attributed to any individual.

5. Who We Share Data With

We do not sell personal data to third parties. We share data only in the following circumstances:

Service providers: We use a small number of trusted third-party processors (e.g. cloud hosting, email delivery) who act under data processing agreements and may not use your data for their own purposes
Client institutions: Reports delivered to clients contain aggregated and anonymised data; where individual-level data is shared it is limited to what is already publicly available
Legal obligations: Where required by law, court order, or regulatory authority in an EU member state
Business transfers: In the event of a merger, acquisition, or asset sale, personal data may be transferred to the successor entity, subject to equivalent privacy protections

All third-party processors we engage are located in the European Economic Area (EEA) or in countries deemed adequate by the European Commission. Where transfers outside the EEA occur, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses under Article 46 GDPR).

6. Your Rights Under GDPR

If you are located in the European Union or European Economic Area, you have the following rights regarding your personal data:

Right of Access Request a copy of the personal data we hold about you (Art. 15 GDPR)

Right to Rectification Ask us to correct inaccurate or incomplete data (Art. 16 GDPR)

Right to Erasure Request deletion of your data where there is no compelling reason for continued processing (Art. 17 GDPR)

Right to Restriction Ask us to limit how we use your data while a dispute is resolved (Art. 18 GDPR)

Right to Portability Receive your data in a structured, machine-readable format (Art. 20 GDPR)

Right to Object Object to processing based on legitimate interest, including for direct marketing (Art. 21 GDPR)

Right to Withdraw Consent Withdraw consent at any time where processing is based on consent, without affecting prior processing

Right to Complain Lodge a complaint with your national data protection authority if you believe we have breached GDPR

To exercise any of these rights, contact us at hello@alumn.is. We will respond within 30 days. We may need to verify your identity before processing your request.

If you are not satisfied with our response, you have the right to lodge a complaint with your national supervisory authority. A full list of EU data protection authorities is available at edpb.europa.eu.

7. Cookies and Website Tracking

Our website uses minimal tracking. We do not use advertising cookies or third-party tracking pixels.

Cookie / Technology	Purpose	Type
Session cookies	Basic website functionality	Strictly necessary
Analytics (privacy-friendly)	Understanding aggregate page traffic	Analytics (no personal identifiers stored)

You can control cookies through your browser settings. Disabling cookies will not affect your ability to access or read our website.

8. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These include:

Encryption of data in transit (TLS) and at rest
Access controls limiting data access to authorised personnel only
Regular review of data handling procedures
Secure deletion of data no longer required

We are working towards ISO 27001 certification. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, inform affected individuals without undue delay.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. We will notify active clients of material changes by email at least 14 days before the changes take effect.

The date of the most recent revision is shown at the top of this page. We encourage you to review this Policy periodically.

10. Contact and Complaints

For any privacy-related questions, data subject requests, or concerns:

alumn.is — Data Controller
Email: hello@alumn.is
Website: alumn.is

If you are unsatisfied with how we have handled your request, you have the right to contact your national data protection authority. In Lithuania, this is the State Data Protection Inspectorate (VDAI).