UUDO

UUDO

Privacy Policy

Effective date: June 22, 2026

Introduction

This Privacy Policy explains how UUDO (“UUDO”, “we”, “us”) collects, uses, shares, and protects your personal data when you use the UUDO mobile application for iOS and Android (the “App”) and the UUDO website at uudo.app (the “Site”). UUDO is a community platform for university students. The student experience is delivered exclusively through the mobile App; the Site is informational.

The data controller responsible for your personal data is João Pedro Vartanian, who can be reached at privacy@uudo.app.

UUDO is currently in beta. We may add, change, or remove features during this period, and we will keep this policy current as the product evolves.

This policy is written to comply with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, Law No. 13.709/2018, the “LGPD”) and, for users in the European Union and European Economic Area, the General Data Protection Regulation (the “GDPR”).

Personal data we collect

We collect only the data we need to operate UUDO. Depending on how you use the App and Site, this includes:

  • Account and identity: your email address and your first and last name.
  • Academic profile: your university, major, program, and expected graduation year.
  • Profile content: an optional short bio, a profile photo, and the interests you choose to personalize your experience.
  • App preferences: interface settings such as reduced-motion and haptics. These are user-experience preferences only — they are not health or disability data.
  • Social activity: the connections (“bonds”) you make, accounts you block, the chat rooms you join, and the messages you send.
  • Communications: messages you send through in-app chat, support requests, and details you submit through forms on the Site (waitlist, contact, research, and institution-request forms), which may include your name, email, phone number, and any message you write.
  • Technical and security data: your IP address and device or browser information, recorded in security and audit logs to protect the platform.
  • Website analytics: on the Site only, and only if you accept analytics cookies, standard usage data through Google Analytics and performance data through Vercel. The mobile App contains no advertising or product-analytics trackers.

What we do not collect

To keep your data minimal and safe, UUDO does not collect:

  • sensitive personal data under LGPD Art. 5 (such as data on health, racial or ethnic origin, religious or political belief, union membership, sex life, or biometric or genetic data);
  • your date of birth — you confirm only that you are at least 18 years old;
  • precise location data;
  • payment or financial data.

We do not profile you using sensitive data, and we operate no advertising network.

How and why we use your data

We process your personal data for the purposes below, each under a specific legal basis:

PurposeData usedLGPD basis (Art. 7)GDPR basis (Art. 6)
Create and manage your account; sign you inEmail, name, academic profilePerformance of a contract (V)Contract (b)
Verify your university and keep each university’s community separateEmail domain, universityPerformance of a contract (V); legitimate interest (IX)Contract (b); legitimate interests (f)
Personalize the people and content you seeInterests, academic profile, social activityConsent (I); legitimate interest (IX)Consent (a); legitimate interests (f)
Enable chat and social connectionsChat messages, bonds, blocks, room membershipPerformance of a contract (V)Contract (b)
Send you service and account emailsEmailPerformance of a contract (V)Contract (b)
Protect the platform: security, abuse and fraud prevention, rate limitingIP address, device informationLegitimate interest (IX); legal obligation (II)Legitimate interests (f); legal obligation (c)
Provide customer supportYour message, email, name, universityPerformance of a contract (V); legitimate interest (IX)Contract (b); legitimate interests (f)
Understand product usage in aggregateAnonymized, grouped statistics (no individual identifiers)Legitimate interest (IX)Legitimate interests (f)
Measure Site trafficAnalytics cookies (Site only)Consent (I)Consent (a)

Where we rely on consent, you may withdraw it at any time. Our aggregate product statistics are computed with a minimum group size so that no individual can be identified.

Age requirement

UUDO is intended only for university students aged 18 or older. When you sign up, you confirm that you are at least 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact privacy@uudo.app and we will delete it.

How we share your data

We do not sell your personal data, and we never share it for third-party advertising. Within UUDO, other users at your university can see your public profile and activity; users at other universities cannot — each university community is isolated.

If your university partners with UUDO, the institution and its authorized administrators can view aggregated, anonymized statistics about student engagement through an administrative dashboard — for example, demographic breakdowns and engagement trends. These statistics are grouped and computed with a minimum group size so that no individual student can be identified, and administrators do not see your individual profile, messages, or activity through this dashboard. We provide these aggregate insights on the basis of our legitimate interest in helping universities understand and support their communities.

We rely on the third-party providers listed below to operate UUDO; they process personal data only to deliver their service to us. As UUDO is in beta, we are in the process of formalizing data-processing agreements with each provider.

ProviderPurposeData shared
SupabaseCloud hosting, database, authentication, and storageAll account, profile, and app data
ResendSending account and service emailsName, email
Cloudflare TurnstileBot and abuse protection on Site formsIP address
UpstashRate limiting to prevent abuseIP address
Atlassian JiraHandling support requestsYour support message, name, email, university
Google Analytics (Site only)Website traffic measurement, with your consentUsage data, cookie identifiers
Vercel (Site only)Website hosting and performanceUsage and performance data

International data transfers

UUDO’s infrastructure and several of our providers are located in the United States, so your personal data is processed outside Brazil and outside the EU/EEA. These transfers are carried out on the basis of our legitimate interests in operating UUDO, subject to oversight by the ANPD (LGPD Art. 33, VIII) and, for EU/EEA users, on the basis of standard contractual clauses or other lawful mechanisms under Chapter V of the GDPR.

How we protect your data

All data is transmitted over encrypted connections (TLS/HTTPS).

Chat messages are encrypted at rest on our servers using AES-256-GCM, with keys held only by our backend, so that access to the database alone does not reveal message content. Extending these protections to message-derived data such as conversation previews, and to locally cached copies on your device, is on our security roadmap.

We offer optional two-factor authentication (TOTP), and we enforce database-level access controls so that each university’s data stays separate.

Chat is not end-to-end encrypted: because messages are encrypted with keys we manage, our systems are technically able to process message content in order to operate the service.

No method of storage or transmission is completely secure, but we protect your data using industry-standard measures.

How long we keep your data

We keep personal data only as long as needed for the purposes described above:

DataHow long we keep it
Account and profile dataUntil you delete your account
Data after a deletion requestPermanently erased within 30 days
Security and audit logsUp to 12 months
Raw content-view recordsDeleted within 48 hours
Aggregate, anonymized statisticsKept indefinitely (no longer identifies you)

You can cancel a deletion request within 7 days; after that, your data is permanently erased within 30 days. We may keep some data longer where necessary to comply with a legal obligation or to resolve a dispute.

Your rights

Under the LGPD (Art. 18), you have the right to:

  • confirm that we process your data, and access it;
  • correct incomplete, inaccurate, or outdated data;
  • anonymize, block, or delete data that is unnecessary, excessive, or processed unlawfully;
  • request the portability of your data to another provider;
  • delete data we process based on your consent;
  • be informed about the public and private entities with which we share your data;
  • be informed about the consequences of refusing to give consent;
  • withdraw your consent at any time.

If you are in the EU or EEA, the GDPR also gives you the rights of access, rectification, erasure, restriction of processing, data portability, objection to processing, and withdrawal of consent. To exercise any of these rights, email privacy@uudo.app or delete your account directly in the App. We will respond within the timeframes set by law.

Data Protection Officer (Encarregado)

We have designated a Data Protection Officer to serve as the point of contact between you, UUDO, and the data protection authorities on any question about how we handle your personal data. Under the LGPD (Art. 41) this role is the Encarregado; under the GDPR (Arts. 37–39) it is the Data Protection Officer (DPO).

Our designated Encarregado and Data Protection Officer is João Pedro Vartanian, who can be reached at privacy@uudo.app. You may contact this address to exercise any of the rights described above or to raise any concern about how your personal data is handled.

Supervisory authority

If you believe we have not handled your personal data properly, you can lodge a complaint with the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados — ANPD) at gov.br/anpd. Users in the EU/EEA may complain to their local data protection authority.

Cookies and similar technologies

The Site uses essential cookies to function and, only with your consent, Google Analytics cookies to measure traffic. You can accept or decline analytics cookies through the cookie banner. The mobile App does not use advertising cookies; it stores limited data on your device to keep you signed in and to cache content for performance.

Calendar

When you add a UUDO event to your device calendar, that information is written only to your phone’s calendar. No calendar data is sent to our servers.

Changes to this policy

We may update this policy as UUDO evolves. When we do, we will revise the effective date at the top of this page. For material changes during beta, we will also notify you in the App or by email.

Contact us

For any question about this policy or your personal data, contact the data controller, João Pedro Vartanian, at privacy@uudo.app.