Privacy Policy

Last updated: May 20, 2026 (version 2026.05.20)

1. Who we are

MS in Germany (Qogent Global LLP) operates the website at msingermany.com and the user dashboard reachable from it. Contact: [email protected].

Operating addresses. Dubai: Onyx Building, Unit 101-228, Al Khabeesi, Dubai, AE 239532; USA: 131 Continental Dr, Suite 305, Newark, DE, US 19713.

2. EU representative (GDPR Article 27)

Because the controller is established outside the European Union but offers services to EU residents, GDPR Article 27 requires an EU representative for data-protection matters.

To be confirmed by the operator The identity and contact of our EU representative are being confirmed and will appear here once finalized. In the meantime you can reach the controller directly at [email protected].

3. What we collect, and why

This is an exhaustive list of the data categories the dashboard actually stores. We do not collect anything else under the surface.

Account identity

  • email address
  • full name (optional)
  • avatar URL (Google OAuth users)

Goal & profile

  • primary goal (study / work / live / train)
  • country of origin
  • target intake
  • language levels (German, English)
  • field of study
  • work experience (years and structured detail)
  • education history
  • language certifications
  • target cities
  • date of birth
  • phone (optional)

Journey data

  • applications (university / course)
  • deadlines
  • documents (metadata only; files in Cloudflare R2)
  • journey events / progress timestamps
  • checklists and checklist items

AI Advisor

  • conversations and messages
  • feedback on messages
  • long-term memory entries
  • upload log (filename, mime, size)

Tool results

  • saved outputs from grade calculator, ECTS, cost calculator, etc.

Preferences

  • voice input enabled
  • voice auto-speak
  • cost-footer enabled
  • theme
  • language

Lead-form submissions

  • consultation, contact, partner, sponsorship, newsletter form fields (name, email, phone, message, etc.)

Paid-service records

  • service slug, name, email, currency, status (retained for tax law)
  • payment-plan financial data (retained for tax law)

Technical / consent

  • consent cookie value (msig_consent)
  • IP address (transient, for rate limiting and IP-hash in AI call logs)

4. Lawful basis for processing

  • Contract (Art. 6(1)(b)): account creation and sign-in, dashboard data, AI Advisor, paid services.
  • Consent (Art. 6(1)(a)): analytics cookies (only after you tap "Accept all" on the banner), newsletter subscription, marketing emails.
  • Legal obligation (Art. 6(1)(c)): retention of invoices and payment records under German Handelsgesetzbuch and Abgabenordnung, plus Stripe's PCI / chargeback retention.
  • Legitimate interests (Art. 6(1)(f)): security logging, rate limiting, internal lead-triage Slack channels.

5. Sub-processors

These are every external service the application calls today. Each entry's legal transfer mechanism (for non-EU transfers) is marked pending where the controller has not yet finalized the supporting agreement. Pending status does not change what the application does; it documents what the operator still needs to formalize.

  • Supabase - Authentication sessions, Postgres database for all dashboard data, row-level security. Location: European Union (operator-confirm exact region). Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://supabase.com/privacy
  • Google (Sign in with Google / One Tap) - Optional one-click sign-in. Google Identity Services loads only after you tap "Accept all" and processes your Google account identity token to create or restore your account. Location: United States. Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://policies.google.com/privacy
  • Cloudflare R2 - Object storage for AI Advisor attachments and brand assets. Location: Per bucket configuration (operator-confirm). Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://www.cloudflare.com/privacypolicy/
  • Anthropic - Large-language-model inference for AI Advisor, chat, and selected tools. Location: United States. Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://www.anthropic.com/legal/privacy
  • OpenAI - Large-language-model inference for selected tools. Location: United States. Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://openai.com/policies/privacy-policy/
  • Stripe - Payment processing for paid services and webhook event logging. Location: European Union (Stripe Ireland) and United States. Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://stripe.com/privacy
  • Resend (transactional email) - Transactional email send: signup confirmation, password reset, contact-form receipts. Location: United States. Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://resend.com/legal/privacy-policy
  • Resend (audiences) - Marketing audience: emails of users who submitted a "Notify me" service form. On account deletion the audience entry is removed via Resend's API. Location: United States. Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://resend.com/legal/privacy-policy
  • Slack - Internal operator channels receive lead-form submissions (consultation, contact, partner, sponsorship, notify-me) for triage. Retention per Slack workspace policy. Not user-facing communication. Location: United States. Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://slack.com/trust/privacy/privacy-policy
  • Airtable - Read-only for dashboard surfaces (success stories, employee directory, course / university enrichment). Write for the separate student-portal subdomain (magic-link identity). Location: United States. Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://www.airtable.com/privacy
  • Tally - Embedded forms on service-page and student-portal flows. Form submissions stored in Tally. Location: European Union (Brussels) (operator-confirm). Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://tally.so/help/gdpr
  • Google (OAuth) - Sign-in only. The user provides explicit consent on Google's OAuth screen at sign-in. Location: United States and global. Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://policies.google.com/privacy
  • DataFast - Privacy-friendly analytics. Loaded only after explicit positive consent via the cookie banner. Location: European Union. Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://datafa.st/privacy
  • Google Analytics 4 - Web analytics. Loaded only after explicit positive consent via the cookie banner. Location: Global. Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://policies.google.com/privacy
  • Meta (Facebook Pixel) - Remarketing and conversion tracking. Loaded only after explicit positive consent via the cookie banner. Location: United States. Transfer mechanism: To be confirmed by the operator. Data Processing Agreement signed: To be confirmed by the operator. Vendor policy: https://www.facebook.com/privacy/policy

6. Cookies and tracking

We do not load any analytics or marketing trackers by default. The cookie banner appears on your first visit; until you choose "Accept all," no tracking script is loaded and no analytics request is sent. The optional "Sign in with Google" One Tap prompt also loads Google Identity Services only after you choose "Accept all." See the Cookie Policy for the full list of cookies and their durations.

7. Your data-subject rights

The dashboard implements the following rights as concrete in-product actions:

  • Access (Art. 15). Settings -> Download my data (GET /api/account/export). One JSON document.
  • Erasure (Art. 17). Settings -> Delete account (DELETE /api/account). Type-to-confirm. Lawfully retained financial records and processor-side residues are disclosed in the same flow.
  • Data portability (Art. 20). Same as Access: the export is structured JSON, machine-readable.
  • Rectification (Art. 16). Dashboard -> Profile / Settings forms.
  • Withdraw consent (Art. 7(3)). Clear the msig_consent cookie in your browser; the cookie banner reappears on your next visit so you can change your choice. Default behavior is reject-non-essential.
  • Complaint to supervisory authority (Art. 77). Identity of authority is operator-confirm (see Impressum).

Right to complain to a supervisory authority (Art. 77). To be confirmed by the operator

8. Lawful retention after account deletion

Account deletion is self-serve under Settings -> Delete account. It wipes your profile, preferences, applications, deadlines, documents, journey events, checklists, saved tool results, AI Advisor conversations and uploads, any consultation / contact / partner / sponsorship / newsletter records tied to your email, and your account login.

What we lawfully retain (GDPR Article 17(3)(b), compliance with a legal obligation):

  • Service-lead invoice spine on paid services: id, slug, name, email, currency, status, timestamps. Your phone is removed; the rest is retained for German tax law (typically 10 years under Handelsgesetzbuch).
  • Payment-plan records linked to retained service leads. Pure financial data: amounts, installments, currency.
  • Stripe webhook event log. Required for payment reconciliation and chargeback defense.
  • Portal impersonation audit log. Security record of admin actions on the student-portal subdomain; retained for security defensibility.

Processor-side residues we cannot wipe from the application:

  • Lead-form submissions are forwarded to internal Slack channels. Retention follows Slack workspace policy.
  • Resend (our transactional email vendor) retains a log of every email sent to your address.
  • AI Advisor and chat prompts are processed by Anthropic and OpenAI; provider-side inference retention applies per their policies.
  • Tally form responses (service-page and student-portal forms) live in Tally's database.
  • If you also hold a separate student-portal account (magic-link login on student.msingermany.com), that record is managed in Airtable and is not deleted by the dashboard delete action.
  • Stripe retains payment-related customer records server-side per PCI and chargeback-defense requirements.

Manual operator-side purge of any of the above is available on written request to [email protected].

9. AI Advisor and chat

The AI Advisor and chat features call third-party language models (Anthropic and OpenAI; see Section 5). What you type into them, and any document text you upload, is sent to those providers for inference and is subject to their retention policies (typically up to 30 days for abuse monitoring on standard APIs). Do not paste sensitive information you would not want held by those providers.

10. Security

Authentication and data access are handled by Supabase with row-level security policies enforcing own-data-only reads and writes. The deletion route uses a Supabase service-role function with restricted execute permissions. Uploaded files live in Cloudflare R2 under per-user prefixes. We do not claim our security is unbreakable; we follow generally accepted controls and disclose what we can.

11. Children

The dashboard is not intended for children under 16. We do not knowingly collect data from anyone under 16 without verifiable parental consent. If you believe a child has created an account, write to [email protected] and we will delete it.

12. Changes

We may update this policy. The effective date and version at the top of this page change when the content does. Material changes will be surfaced on the dashboard.

13. Contact

For any privacy question or to exercise your rights, email [email protected]. The contact you use does not have to be the email tied to your account.