UUDO
Privacy Policy
Effective date: June 22, 2026
Introduction
This Privacy Policy explains how UUDO (“UUDO”, “we”, “us”) collects, uses, shares, and protects your personal data when you use the UUDO mobile application for iOS and Android (the “App”) and the UUDO website at uudo.app (the “Site”). UUDO is a community platform for university students. The student experience is delivered exclusively through the mobile App; the Site is informational.
The data controller responsible for your personal data is João Pedro Vartanian, who can be reached at privacy@uudo.app.
UUDO is currently in beta. We may add, change, or remove features during this period, and we will keep this policy current as the product evolves.
This policy is written to comply with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, Law No. 13.709/2018, the “LGPD”) and, for users in the European Union and European Economic Area, the General Data Protection Regulation (the “GDPR”).
Personal data we collect
We collect only the data we need to operate UUDO. Depending on how you use the App and Site, this includes:
- Account and identity: your email address and your first and last name.
- Academic profile: your university, major, program, and expected graduation year.
- Profile content: an optional short bio, a profile photo, and the interests you choose to personalize your experience.
- App preferences: interface settings such as reduced-motion and haptics. These are user-experience preferences only — they are not health or disability data.
- Social activity: the connections (“bonds”) you make, accounts you block, the chat rooms you join, and the messages you send.
- Communications: messages you send through in-app chat, support requests, and details you submit through forms on the Site (waitlist, contact, research, and institution-request forms), which may include your name, email, phone number, and any message you write.
- Technical and security data: your IP address and device or browser information, recorded in security and audit logs to protect the platform.
- Website analytics: on the Site only, and only if you accept analytics cookies, standard usage data through Google Analytics and performance data through Vercel. The mobile App contains no advertising or product-analytics trackers.
What we do not collect
To keep your data minimal and safe, UUDO does not collect:
- sensitive personal data under LGPD Art. 5 (such as data on health, racial or ethnic origin, religious or political belief, union membership, sex life, or biometric or genetic data);
- your date of birth — you confirm only that you are at least 18 years old;
- precise location data;
- payment or financial data.
We do not profile you using sensitive data, and we operate no advertising network.
How and why we use your data
We process your personal data for the purposes below, each under a specific legal basis:
| Purpose | Data used | LGPD basis (Art. 7) | GDPR basis (Art. 6) |
|---|---|---|---|
| Create and manage your account; sign you in | Email, name, academic profile | Performance of a contract (V) | Contract (b) |
| Verify your university and keep each university’s community separate | Email domain, university | Performance of a contract (V); legitimate interest (IX) | Contract (b); legitimate interests (f) |
| Personalize the people and content you see | Interests, academic profile, social activity | Consent (I); legitimate interest (IX) | Consent (a); legitimate interests (f) |
| Enable chat and social connections | Chat messages, bonds, blocks, room membership | Performance of a contract (V) | Contract (b) |
| Send you service and account emails | Performance of a contract (V) | Contract (b) | |
| Protect the platform: security, abuse and fraud prevention, rate limiting | IP address, device information | Legitimate interest (IX); legal obligation (II) | Legitimate interests (f); legal obligation (c) |
| Provide customer support | Your message, email, name, university | Performance of a contract (V); legitimate interest (IX) | Contract (b); legitimate interests (f) |
| Understand product usage in aggregate | Anonymized, grouped statistics (no individual identifiers) | Legitimate interest (IX) | Legitimate interests (f) |
| Measure Site traffic | Analytics cookies (Site only) | Consent (I) | Consent (a) |
Where we rely on consent, you may withdraw it at any time. Our aggregate product statistics are computed with a minimum group size so that no individual can be identified.
Age requirement
UUDO is intended only for university students aged 18 or older. When you sign up, you confirm that you are at least 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact privacy@uudo.app and we will delete it.
International data transfers
UUDO’s infrastructure and several of our providers are located in the United States, so your personal data is processed outside Brazil and outside the EU/EEA. These transfers are carried out on the basis of our legitimate interests in operating UUDO, subject to oversight by the ANPD (LGPD Art. 33, VIII) and, for EU/EEA users, on the basis of standard contractual clauses or other lawful mechanisms under Chapter V of the GDPR.
How we protect your data
All data is transmitted over encrypted connections (TLS/HTTPS).
Chat messages are encrypted at rest on our servers using AES-256-GCM, with keys held only by our backend, so that access to the database alone does not reveal message content. Extending these protections to message-derived data such as conversation previews, and to locally cached copies on your device, is on our security roadmap.
We offer optional two-factor authentication (TOTP), and we enforce database-level access controls so that each university’s data stays separate.
Chat is not end-to-end encrypted: because messages are encrypted with keys we manage, our systems are technically able to process message content in order to operate the service.
No method of storage or transmission is completely secure, but we protect your data using industry-standard measures.
How long we keep your data
We keep personal data only as long as needed for the purposes described above:
| Data | How long we keep it |
|---|---|
| Account and profile data | Until you delete your account |
| Data after a deletion request | Permanently erased within 30 days |
| Security and audit logs | Up to 12 months |
| Raw content-view records | Deleted within 48 hours |
| Aggregate, anonymized statistics | Kept indefinitely (no longer identifies you) |
You can cancel a deletion request within 7 days; after that, your data is permanently erased within 30 days. We may keep some data longer where necessary to comply with a legal obligation or to resolve a dispute.
Your rights
Under the LGPD (Art. 18), you have the right to:
- confirm that we process your data, and access it;
- correct incomplete, inaccurate, or outdated data;
- anonymize, block, or delete data that is unnecessary, excessive, or processed unlawfully;
- request the portability of your data to another provider;
- delete data we process based on your consent;
- be informed about the public and private entities with which we share your data;
- be informed about the consequences of refusing to give consent;
- withdraw your consent at any time.
If you are in the EU or EEA, the GDPR also gives you the rights of access, rectification, erasure, restriction of processing, data portability, objection to processing, and withdrawal of consent. To exercise any of these rights, email privacy@uudo.app or delete your account directly in the App. We will respond within the timeframes set by law.
Data Protection Officer (Encarregado)
We have designated a Data Protection Officer to serve as the point of contact between you, UUDO, and the data protection authorities on any question about how we handle your personal data. Under the LGPD (Art. 41) this role is the Encarregado; under the GDPR (Arts. 37–39) it is the Data Protection Officer (DPO).
Our designated Encarregado and Data Protection Officer is João Pedro Vartanian, who can be reached at privacy@uudo.app. You may contact this address to exercise any of the rights described above or to raise any concern about how your personal data is handled.
Calendar
When you add a UUDO event to your device calendar, that information is written only to your phone’s calendar. No calendar data is sent to our servers.
Changes to this policy
We may update this policy as UUDO evolves. When we do, we will revise the effective date at the top of this page. For material changes during beta, we will also notify you in the App or by email.
Contact us
For any question about this policy or your personal data, contact the data controller, João Pedro Vartanian, at privacy@uudo.app.