Legal

Privacy Policy

Effective Date: April 2, 2026 · Last Updated: April 2, 2026

CollegeLens does not sell your personal data to data brokers or third parties. Like most free platforms, we work with analytics providers, display lender advertisements, offer lender matching features, and operate affiliate partnerships. This policy explains exactly how your data is used so you can make informed choices.

Sections: 1 Introduction · 2 Categories of Information We Collect · 3 Sensitive Personal Information · 4 How We Use Your Information · 5 What We Do NOT Do · 6 How We Share Your Information · 7 Award Letter Data · 8 Cookies & Tracking · 9 Data Security · 10 Data Retention · 11 Financial Incentive Notice · 12 How to Exercise Your Privacy Rights · 13 Your Privacy Rights by State · 14 California Privacy Metrics · 15 Third-Party Links · 16 Changes to This Policy · 17 Contact Us

Introduction

CollegeLens ("we," "us," or "our") operates the college funding platform at www.collegelens.ai (the "Platform"). This Privacy Policy explains how we collect, use, share, and protect your information, and describes the rights available to you.

CollegeLens is a free educational tool. To sustain a free platform, we generate revenue through lender advertisements, lender matching features, and affiliate partnerships. This policy is transparent about those relationships. By using the Platform you agree to the practices described here. Questions? Email support@collegelens.ai.

Categories of Personal Information We Collect

The table below categorizes the personal information we collect, consistent with categories defined under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA). These categories apply to all users regardless of state of residence.

Category	Examples We Collect	Source	Purpose	Shared With
Identifiers	Email address, session ID, IP address	You / Automatic	Account management, security, analytics	Infrastructure & analytics providers
Personal Records (Financial)	Award letter data: cost of attendance, grants, loans, expected family contribution	You (voluntary upload)	Generate funding plan analysis	Not shared externally
Protected Classification Characteristics	None actively collected	N/A	N/A	N/A
Commercial Information	Funding goal, borrowing comfort, lender preferences, affiliate referral source	You / Automatic	Personalization, lender matching, affiliate attribution	Lender partners (opt-in only), affiliate networks
Internet / Network Activity	Pages visited, features used, clicks, time on page, navigation path	Automatic	Analytics, platform improvement	Analytics providers
Geolocation Data	Approximate location (state or country) from IP address - not precise GPS	Automatic	Compliance, analytics, contextual ads	Analytics providers, advertising partners
Professional / Educational Information	Intended major, degree type, enrollment status, expected start term, expected graduation year	You	Platform features, personalization	Not shared externally
Inferences	Estimated funding gap, likely borrowing need, college funding profile	Derived from your inputs	Personalized recommendations	Not shared externally
Sensitive Personal Information	Limited - see Section 3	See Section 3	See Section 3	See Section 3

We collect only the information reasonably necessary to operate the Platform and provide the features you use. Award letter upload and profile completion are optional and user-initiated.

Sensitive Personal Information

Certain categories of personal information are classified as "sensitive" under applicable privacy laws including the CPRA, Maryland MODPA, and other state laws. The table below identifies each recognized sensitive category and states whether CollegeLens collects it.

Sensitive Category	Examples	Does CollegeLens Collect?	Notes
Government-Issued ID Numbers	Social Security, driver license, state ID, passport	No	We do not request or store government ID numbers.
Financial Account Credentials	Bank account numbers, debit/credit card numbers, access codes	No	We do not collect payment credentials. The Platform is free.
Precise Geolocation	GPS coordinates, exact street address	No	Only approximate location (state level) from IP address.
Racial or Ethnic Origin	Race, ethnicity, national origin	No	Not collected.
Religious or Philosophical Beliefs	Religion, faith, philosophical views	No	Not collected.
Union Membership	Labor union affiliation	No	Not collected.
Genetic Data	DNA sequences, genetic test results	No	Not collected.
Biometric Data	Fingerprints, facial recognition, voiceprints	No	Not collected.
Health Information	Medical records, conditions, prescriptions	No	Not collected.
Sex Life or Sexual Orientation	Sexual orientation, gender identity	No	Not collected.
Private Communications	Contents of mail, email, or texts not intended for us	No	Not collected.
Financial Aid & Award Letter Data	Cost of attendance, grants, loans, expected family contribution, funding gap	Yes - voluntarily uploaded	Processed only to generate your funding plan. Not shared externally. See Section 7.

CollegeLens collects only one category that may be considered sensitive: financial aid and award letter data voluntarily uploaded by users. This data is subject to strict additional protections described in Section 7 and is never shared externally without your explicit consent.

How We Use Your Information

4.1 To Operate the Platform

Authenticate your session and save your funding plan across visits.
Analyze uploaded award letters and generate cost estimates, gap analyses, and repayment projections.
Pre-populate your funding plan with profile information you have provided.
Send transactional account communications (e.g., session verification).

4.2 To Improve the Platform

Understand usage patterns using data from third-party analytics tools.
Identify bugs, test new features, and optimize the user experience.

4.3 For Advertising and Lender Matching

Display lender advertisements relevant to your general funding situation (e.g., state of residence, degree type).
Facilitate opt-in lender matching features that connect you with relevant lenders based on information you voluntarily provide.

4.4 For Affiliate Attribution

Track affiliate referrals to measure partner effectiveness and calculate commissions.
Record click-through referrals when you navigate from CollegeLens to a partner site.

4.5 For Security and Legal Compliance

Detect and prevent fraud, abuse, and security threats.
Comply with applicable laws, regulations, and legal processes.

What We Do NOT Do With Your Information

We do NOT:

Sell your personal information to data brokers, marketing list companies, or any third party for their own direct marketing.
Share award letter documents or specific financial figures contained in them with lenders, advertisers, or affiliate partners without your explicit consent.
Automatically submit you to a lender matching feature - lender matching is always opt-in.
Send unsolicited marketing or promotional emails unless you have explicitly opted in.
Allow advertising or affiliate partners to use your personal data for their own independent marketing beyond the context of the Platform.
Discriminate against users who opt out of advertising, lender matching, or affiliate tracking.

Award Letter Data - Special Protections

Award letters contain sensitive financial information. We apply strict additional protections beyond our general practices.

Processed solely to extract cost and aid figures for your funding plan. Not reviewed by human staff in normal operations.
Not shared with lenders, advertisers, affiliate partners, or analytics providers.
Not used to target you with ads or submit you to lender matching without your affirmative action.
Deletable at any time: email support@collegelens.ai with subject "Delete My Award Letter Data."
Not used to assess your creditworthiness or facilitate any financial transaction without your explicit consent.

Cookies, Local Storage, and Tracking Technologies

8.1 First-Party Local Storage and Cookies

We use browser local storage to maintain your session state (plan progress, session ID) and minimal first-party cookies for session authentication and CSRF security. These are not accessible to third parties.

8.2 Third-Party Analytics Cookies

Analytics providers we use may set cookies to collect usage data as described in Section 6.2. Their practices are governed by their own privacy policies.

8.3 Advertising and Affiliate Tracking Cookies

Lender advertising partners and affiliate networks may use cookies, tracking pixels, or URL parameters to measure ad impressions, click-through rates, and affiliate referrals. These are governed by the placing party's privacy policy.

8.4 Your Cookie Choices

Manage or delete cookies through your browser settings. You may also use provider opt-out tools (e.g., Google Analytics Opt-out Add-on) or industry opt-out programs at optout.networkadvertising.org or youradchoices.com. Disabling certain features may affect Platform functionality.

Data Security

We implement reasonable technical and organizational measures including encryption in transit (HTTPS/TLS), encryption of sensitive data at rest, personnel access controls, and regular security reviews. No electronic system is completely secure. If you believe your account has been compromised, contact support@collegelens.ai immediately.

Data Retention

Account and plan data is retained while your account is active or as needed to provide the Platform.
You may request deletion at any time at support@collegelens.ai - processed within 30 days.
Analytics data is subject to each provider's retention policy.
Affiliate and ad interaction data is retained as long as needed to calculate and audit commissions.
Anonymized, aggregate, non-identifiable data may be retained indefinitely for platform improvement.
Data may be retained longer as required by law or to resolve disputes.

Financial Incentive Notice

This notice is required under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and similar state laws for businesses that offer a financial incentive in exchange for the collection or retention of personal information.

11.1 The Incentive

CollegeLens provides the Platform - including college cost comparison tools, award letter analysis, and funding plan features - at no monetary charge to you. In exchange, we collect and process your personal information as described in this Privacy Policy, including displaying lender advertisements, facilitating opt-in lender matching, and operating affiliate channels.

11.2 Categories of Personal Information Involved

Identifiers (email, session ID, IP address), usage and interaction data, general geolocation, and educational profile information. Award letter data is not included in the advertising or affiliate components of this arrangement.

11.3 Good-Faith Estimate of Value

The value of the data exchange is reasonably related to the revenue CollegeLens derives from advertising impressions, lender matching, and affiliate commissions generated from users' interactions with the Platform. We do not sell your raw personal data; your engagement with the Platform makes it possible to sustain the free service.

11.4 How to Opt Out or Withdraw

Analytics tracking: Use browser settings or provider opt-out tools (see Section 8.4).
Lender matching: Simply do not use lender matching features - they are opt-in only.
Advertising cookies: Opt out via industry tools at optout.networkadvertising.org.
Affiliate tracking: Decline cookies in your browser or use browser privacy settings.
Delete your account: Email support@collegelens.ai - processed within 30 days.

Opting out of certain data uses may limit some Platform personalization but will not prevent you from using core tools (college comparison, award letter upload, or cost estimates).

11.5 No Discrimination

We will not deny service, provide a lower quality of service, or penalize you for exercising your right to opt out of any component of this financial incentive arrangement.

How to Exercise Your Privacy Rights

Regardless of your state of residence, you can exercise privacy rights by contacting us using the methods below. We honor rights requests from all users.

12.1 How to Submit a Request

Email: Send to support@collegelens.ai with subject line "Privacy Request - [Request Type]"
Request types include: Access · Correction · Deletion · Opt-Out of Sale/Sharing · Limit Sensitive PI · Portability · Appeal

12.2 What to Include in Your Request

Your email address associated with your CollegeLens account.
The type of request (e.g., "I am requesting deletion of all my personal data").
A brief description of the specific information or action requested.

12.3 Verification

We will verify your identity before processing your request to protect against unauthorized access. For most requests, verification consists of confirming that the email address matches the one in our records. We will not require you to create an account solely to submit a request, and we will not charge a fee unless requests are manifestly unfounded or excessive.

12.4 Response Timelines

Request Type	Initial Response	Max Extension	Notes
Right to Access / Know	45 days	+45 days	We will notify you if we need an extension.
Right to Deletion	45 days	+45 days	Some data may be retained as required by law.
Right to Correction	45 days	+45 days	We will confirm corrections were made.
Right to Portability	45 days	+45 days	Provided in a portable, machine-readable format.
Opt-Out of Sale / Sharing	15 business days	None	Effective as soon as practicable.
Limit Sensitive PI (CA)	15 business days	None	Effective as soon as practicable.
Appeal of Denied Request	45 days	+60 days	We will explain our decision in writing.

12.5 Right to Appeal

If we deny or do not fully respond to your request, you have the right to appeal within 45 days of receiving our decision by emailing support@collegelens.ai with subject line "Privacy Rights Appeal." We will respond within 45 days (extendable by 60 additional days for complex cases). If your appeal is denied, you may contact your state Attorney General's office.

12.6 Authorized Agents

California residents may use an authorized agent to submit requests on their behalf. We may require written proof of the agent's authority and verification of your identity before processing agent-submitted requests.

Your Privacy Rights by State

Twenty U.S. states have enacted comprehensive consumer privacy laws as of April 2026. If you reside in one of the states listed below, you have specific rights under that state's law in addition to the general rights described in Section 12. To exercise any right, follow the process in Section 12.

Do Not Sell or Share My Personal Information

CollegeLens does not sell your personal information to data brokers. You may still opt out of advertising, affiliate tracking, and similar sharing signals by using the Manage Cookie Preferences control in the site footer or by emailing support@collegelens.ai.

13.1 California - CCPA / CPRA (Effective Jan 1, 2023)

California residents have the most comprehensive privacy rights under the CCPA as amended by the CPRA:

Right to Know: Know what categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom it is shared.
Right to Access: Obtain a copy of the specific personal information we have collected about you in the prior 12 months.
Right to Delete: Request deletion of your personal information, subject to certain exceptions.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt Out of Sale / Sharing: Opt out of the sale of your personal information and the sharing of your personal information for cross-context behavioral advertising. Use the "Do Not Sell or Share My Personal Information" link on our website or email us.
Right to Limit Use of Sensitive PI: Limit our use and disclosure of sensitive personal information to what is necessary to perform the services you request.
Right to Data Portability: Receive your personal information in a portable, machine-readable format.
Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.
Right to Appeal: Appeal our decision if we deny your request.

Limited private right of action: Civil action only for certain data security breaches ($100-$750 per incident or actual damages). All other rights enforced by the California Privacy Protection Agency (CPPA) and California Attorney General.

Use subject line "California Privacy Request" when emailing us.

13.2 All Other States with Enacted Privacy Laws

To exercise any right listed below, follow the process in Section 12.

State	Law & Effective Date	Your Rights	Response Window	Unique Notes
Virginia	VCDPA Jan 1, 2023	Access · Delete · Correct · Opt-Out of Sale/Targeted Ads/Profiling · Portability · Appeal	45 days (+45)	AG-only enforcement. No private right of action.
Colorado	CPA July 1, 2023	Access · Delete · Correct · Opt-Out of Sale/Targeted Ads/Profiling · Portability · Appeal	45 days (+45)	Prohibits processing minors data for targeted ads.
Connecticut	CTDPA July 1, 2023 (Amendments July 1, 2026)	Access (incl. inferences) · Delete · Correct · Opt-Out · Portability · Appeal	45 days (+45)	2026 amendments: categorical ban on processing minors data for targeted ads; prohibits endless scrolling features for minors.
Utah	UCPA Dec 31, 2023	Access · Delete · Opt-Out of Targeted Ads/Sale · Portability · Correct (July 1, 2026+)	45 days (+45)	Business-friendly model. AG-only enforcement.
Texas	TDPSA July 1, 2024	Confirm · Access · Delete · Correct · Opt-Out of Targeted Ads/Sale/Profiling · Appeal	45 days (+45)	First two requests per year are free. AG-only enforcement.
Oregon	OCPA July 1, 2024	Confirm · Access · Delete · Correct · Opt-Out of Sale/Targeted Ads/Profiling · Portability · Appeal	45 days (+45)	UNIQUE: Only state requiring disclosure of specific third parties to whom your data was disclosed.
Montana	MTCDPA Oct 1, 2024	Know · Access · Delete · Correct · Opt-Out of Sale/Targeted Ads/Profiling · Portability · Appeal	45 days (+45)	Cure period ended April 1, 2026. Up to $7,500 per violation.
Iowa	ICDPA Jan 1, 2025	Access · Delete · Opt-Out of Sale · Portability	90 days (+45)	No right to correct or opt-out of targeted advertising (disclosure only). Business-friendly.
Delaware	DPDPA Jan 1, 2025	Access · Delete · Correct · Opt-Out of Targeted Ads/Sale/Profiling	45 days (+45)	Consumers under 18 require opt-in for sale/targeted ads. $10,000 per violation.
Nebraska	NDPA Jan 1, 2025	Confirm · Access · Delete · Correct · Opt-Out of Sale/Targeted Ads/Profiling · Portability · Appeal	45 days (+45)	AG-only enforcement. No private right of action.
New Hampshire	NHPA Jan 1, 2025	Confirm · Access · Delete · Correct · Opt-Out · Portability · Appeal	45 days (+45)	Cure period ended Jan 1, 2026. Case-by-case cure thereafter.
New Jersey	NJDPA Jan 15, 2025	Access · Correct · Delete · Portability · Opt-Out of Sale/Targeted Ads	45 days (+45)	AG-only enforcement. 30-day cure window during initial enforcement period.
Indiana	INCDPA Jan 1, 2026	Confirm · Access · Delete · Correct · Opt-Out of Targeted Ads/Sale/Profiling · Portability · Appeal	45 days (+45)	Mandatory cure period (does not expire). Narrower sale definition (money-only).
Kentucky	KCDPA Jan 1, 2026	Confirm · Access · Delete · Correct · Opt-Out of Targeted Ads/Sale/Profiling · Portability · Limit Sensitive PI	45 days (+45)	Business-friendly model. AG-only enforcement.
Rhode Island	RIDTPPA Jan 1, 2026	Confirm · Access · Delete · Correct · Portability · Opt-Out of Sale/Targeted Ads/Profiling	45 days (+45)	NO cure period. Violations treated as deceptive trade practices ($10,000/violation).
Maryland	MODPA Enforcement: Apr 1, 2026	Access · Correct · Delete · Opt-Out of Targeted Ads/Sale/Profiling	45 days (+45)	STRONGEST sensitive data protections: sensitive data cannot be SOLD even with consent.
Minnesota	MCDPA July 31, 2025	Know · Access · Delete · Opt-Out · Correct · Appeal	45 days (+45)	No-notice enforcement began Feb 1, 2026. AG-only enforcement.
Tennessee	TIPA July 1, 2025	Confirm · Access · Delete · Correct · Opt-Out of Sale/Targeted Ads/Profiling · Portability	45 days (+45)	Applies at 100K+ or 25K+ with 25%+ revenue threshold.
Nevada	SB 220 Oct 1, 2019	Opt-Out of Sale of personal information	60 days	Limited law. CollegeLens does not sell covered information. Formal opt-out requests honored.

Privacy law is evolving rapidly. Additional states may enact comprehensive privacy laws after the date of this policy. We will update this section as new laws take effect. Regardless of whether your state is listed above, you may always contact us to request access to, correction of, or deletion of your personal information.

California Privacy Metrics (CPRA Reporting)

The California Privacy Rights Act (CPRA) requires businesses that process the personal information of 10 million or more California residents annually to publish privacy request metrics by July 1 of each year for the prior calendar year.

CollegeLens is a growing startup. We will begin publishing full CPRA metrics when our California user volume crosses the applicable reporting threshold. Until that time, we voluntarily commit to the response timelines stated in Section 12.4 and will publish annual metrics as soon as we are required to do so.

When reporting is required, we will publish the following for each prior calendar year:

Metric	Description
Requests to Know / Access - Received	Total number received during the calendar year.
Requests to Know / Access - Complied With	Number complied with in whole or in part.
Requests to Know / Access - Denied	Number denied, with reason categories.
Median Days to Respond - Requests to Know	Median calendar days from receipt to substantive response.
Requests to Delete - Received	Total number received.
Requests to Delete - Complied With	Number complied with in whole or in part.
Requests to Delete - Denied	Number denied, with reason categories.
Median Days to Respond - Requests to Delete	Median calendar days from receipt to substantive response.
Requests to Opt-Out of Sale/Sharing - Received	Total number received.
Requests to Opt-Out - Complied With	Number complied with in whole or in part.
Requests to Opt-Out - Denied	Number denied, with reason categories.
Median Days to Respond - Opt-Out Requests	Median calendar days from receipt to substantive response (target: 15 business days).
Requests to Correct - Received	Total number received.
Requests to Limit Sensitive PI - Received	Total number received.

Third-Party Links and Partner Sites

The Platform contains links to third-party websites including lender sites, affiliate partner destinations, the U.S. Department of Education, colleges, and informational resources. When you click through to a third-party site, that site's own privacy policy governs how your information is handled. We are not responsible for third-party privacy practices. We encourage you to review the privacy policy of any external site before providing personal information.

Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, commercial relationships, technology, or legal requirements. When we make material changes, we will update the "Last Updated" date at the top of this page and notify you via email (if provided) or a prominent Platform notice. Continued use after changes constitutes acceptance of the updated policy.

Contact Us

For privacy questions, requests, appeals, or opt-out requests:

CollegeLens - Privacy Officer

Email: support@collegelens.ai

Subject Line: "Privacy Request - [Request Type]"

Website: www.collegelens.ai

Jurisdiction: Las Vegas, Nevada, United States

Response Time: Within 45 days of a verified request (15 business days for opt-out requests)

By using CollegeLens, you acknowledge that you have read and understood this Privacy Policy, including how your information is used to sustain the free Platform.