Data Compliance
Settlyou is designed to handle student and athlete data responsibly. This page explains how we comply with FERPA and GDPR, and what that means for your institution.
Last updated: April 30, 2026
FERPA Compliant
Family Educational Rights and Privacy Act — U.S. federal student data protection law.
GDPR Ready
General Data Protection Regulation — EU/EEA data protection framework. DPA available on request.
FERPA
Family Educational Rights and Privacy Act
Our role under FERPA
When Settlyou is contracted by a U.S. educational institution, we operate as a "School Official" with a legitimate educational interest as defined under FERPA (34 CFR §99.31(a)(1)). This means we may access student education records solely to provide the services agreed upon — generating personalized relocation guides and collecting required documents on behalf of the institution.
What this means in practice
- Student data submitted through Settlyou is used exclusively to generate relocation guides and collect required documents.
- We do not disclose student education records to any third party without the written consent of the institution or the student, except as required by law.
- Student data is never sold, shared for marketing, or used to train AI models.
- Institutions remain the data controller — they decide what data is submitted and who has access.
- Student records are available to the institution upon request at any time.
- Data is deleted within 30 days of account termination or written request.
Institution responsibilities
Institutions using Settlyou are responsible for ensuring their use of the platform complies with FERPA, including obtaining any necessary student consents and maintaining appropriate data governance policies. Our Terms of Service include specific institution obligations regarding FERPA compliance.
Questions about FERPA compliance? Contact us at hello@settlyou.com. We can provide additional documentation or participate in your institution's vendor review process.
GDPR
General Data Protection Regulation (EU/EEA)
Our role under GDPR
For institutions and athletes based in the EU or EEA, Settlyou acts as a Data Processor on behalf of the institution (the Data Controller). We process personal data only on the documented instructions of the institution, for the purpose of delivering our relocation guide and document collection services.
Legal basis for processing
- Contractual necessity — Processing is necessary to deliver the services agreed with the institution (Art. 6(1)(b)).
- Legitimate interest — Improving platform reliability and security, where this does not override individual rights (Art. 6(1)(f)).
- Consent — Athletes provide explicit consent when submitting their onboarding form, with a clear statement of how their data will be used.
Your rights under GDPR
EU/EEA residents have the following rights, which we honor within the timeframes required by law:
Right of access
Request a copy of all personal data we hold about you.
Right to rectification
Correct inaccurate or incomplete personal data.
Right to erasure
Request deletion of your data. We act on erasure requests within 30 days.
Right to restriction
Restrict processing while a dispute is under review.
Right to portability
Receive your data in a machine-readable format.
Right to object
Object to processing based on legitimate interest.
Data transfers
Settlyou's infrastructure is hosted in the United States (Vercel, Supabase). For EU/EEA institutions, data transfers to the U.S. are covered by Standard Contractual Clauses (SCCs). We can provide our Data Processing Agreement (DPA) upon request for institutions that require it as part of their vendor approval process.
Data breach notification
In the event of a personal data breach, we will notify affected institutions within 72 hours of becoming aware, as required by GDPR Article 33. Notifications will include the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken to address it.
Need a DPA or have a GDPR question? Contact us at hello@settlyou.com. We'll provide our Data Processing Agreement and any additional documentation within 2 business days.
Sub-processors
Settlyou uses the following third-party sub-processors that may handle personal data as part of delivering our service. Each is bound by appropriate data protection agreements.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database & file storage | United States |
| Anthropic | AI guide generation | United States |
| Vercel | Hosting & deployment | United States |
| Resend | Transactional email | United States |
| Bird (MessageBird) | WhatsApp delivery | Netherlands / United States |
Note: Anthropic has confirmed they do not use data submitted via API for model training. See Anthropic's privacy policy.
Contact & requests
For any compliance-related questions, data subject requests, DPA requests, or security concerns:
Settlyou Data & Compliance
We respond to compliance inquiries within 2 business days.