How Unibuddy Collects and Stores Student Data
At Unibuddy, we take data protection and compliance seriously. This article explains what data is collected through the platform, how it is used by both your institution and Unibuddy, and how we ensure full compliance with GDPR and other regulations.
Who Owns the Data?
When a user, whether a prospective student, student ambassador, or staff member, signs up to use Unibuddy, the university becomes the Data Controller.
The University = Data Controller
Unibuddy = Data Processor
This means that while Unibuddy operates the platform, your institution is ultimately responsible for the data and its usage.
What Data is Collected?
The data collected may include:
Personal profile details (e.g. name, email address, demographic information)
Conversations between users
Contributions such as blog posts or content shared in the platform
How Unibuddy Uses the Data
As the Data Processor, Unibuddy may:
Provide access to users’ personal data in order to deliver the communication service
Send automated follow-up messages to re-engage students with existing or new conversations
Gather feedback about students’ use of the platform
Analyse anonymised and aggregated data (including via machine learning) to better understand discussion topics and improve communications
Tag individuals within the platform to support future engagement strategies
⚠️ Importantly, Unibuddy will not use university sign-ups to promote Unibuddy’s own services or third-party services.
Unibuddy retains personal data for up to two years after the last login by a prospective student. After this, the data is fully anonymised.
How Universities Use the Data
As the Data Controller, your institution can:
Access the profile data of prospective students, including their activity on the platform
Export this data into your CRM system to track engagement and analyse recruitment effectiveness
View conversations between prospective students and ambassadors in your University Dashboard
Contact prospective students externally, if they have opted in to receive further marketing communications
Each institution should have its own data retention policy, clearly stated in its privacy agreement.
GDPR Compliance
Unibuddy’s platform has GDPR compliance built in:
Universities Agreement – Each institution signs a Platform Licence Agreement that includes a Data Processor Agreement, covering all necessary legal obligations.
User Agreement – Users agree to your Privacy Policy (presented on behalf of your university), which should explain how their data is processed and their rights under GDPR. Students are also invited to opt in to further university communications.
We also maintain extensive security measures to ensure all personal data is stored, transmitted, and backed up securely.
Use of OpenAI for Conversation Summaries
Unibuddy uses OpenAI to generate summaries of conversations. To protect privacy:
All conversation data is anonymised before being sent to OpenAI
We have a data processing agreement with OpenAI that prevents it from using Unibuddy customer data to train models or for any purpose other than providing the service
OpenAI is listed on our sub-processor list, and our use of it is covered by the Unibuddy Privacy Policy
From OpenAI’s own Enterprise Privacy Policy:
"We don’t use content from our business offerings such as ChatGPT Team, ChatGPT Enterprise, and our API Platform to train our models."
For more details, see OpenAI’s Enterprise Privacy page.
Key Takeaways
Your institution owns and controls the data collected via Unibuddy
Unibuddy processes the data securely and only for the purposes of delivering and improving the platform
GDPR compliance is built into our agreements and policies
Data is anonymised before use in analysis or when shared with sub-processors like OpenAI
👉 You can read our full Privacy Policy and see our Sub-Processors List for complete details.
Best Practices for Universities Using Unibuddy
Embed clarity in your privacy notice: Explicitly mention Unibuddy as a processor, how data flows, retention timelines, and opt-in handling.
Align your retention policy: Ensure your own policies don’t conflict with the platform’s deletion/anonymisation schedule and that users are informed.
Leverage anonymised conversation data responsibly: Use it for ambassador training and insight while preserving user anonymity.
Respect opt-in choices: Only follow up via external marketing systems when explicit opt-in has been recorded.
Review sub-processor disclosures periodically: Ensure institutional due diligence by checking Unibuddy’s current sub-processors (e.g., OpenAI) as listed in your contractual or published documentation.