The data controller is:
Internship Abroad (operating name of Future Proof Intelligence S.r.l.) TO CONFIRM
Registered address: TO CONFIRM -- Sardinia, Italy, upon incorporation
Email: privacy@internshipabroad.nl
General contact: daan@internshipabroad.nl
When we say "we," "us," or "Internship Abroad" in this policy, we mean this entity.
We are in the process of designating a Data Protection Officer (DPO). TO CONFIRM -- appoint and name DPO or confirm exemption applies
Until our DPO is appointed, all privacy enquiries should go to privacy@internshipabroad.nl. We treat these with the same priority and response time as a formal DPO communication.
Our operating entity is incorporated in Italy (EU). Students and companies in other EU/EEA countries can contact their own national supervisory authority; see Section 18.
We collect the following categories of personal data from students who register and build a Living Profile on the platform.
| Category | Examples | Source |
|---|---|---|
| Account basics | Email address, password (hashed and never stored in plain text), or magic-link session token | Provided directly by you |
| Identity and profile content | First and last name, profile photo, university, study programme, graduation year, nationalities, languages, skills, interests, free-text story and future vision | Provided by you, including via conversation with Isa (our AI assistant) |
| Placement preferences | Desired countries and cities, preferred sectors, internship duration, start date, full-service or self-service preference | Provided by you |
| Communication and placement activity | Messages sent to or received from companies, outreach status, any notes added by our team in the course of supporting your search | Generated during your use of the platform |
| Payment metadata (students who pay platform fees) | Stripe customer ID, products purchased, purchase dates, refund records. We never see or store your card number, expiry, or CVV -- those go directly to Stripe. | Generated at checkout |
| Usage signals | Pages visited, features used, session timestamps -- collected by our privacy-first analytics tool (Umami, see Section 14). No cookies, no persistent cross-site tracking. | Collected automatically when you use the platform |
We do not ask for, and you should not provide, any special-category data (health conditions, disability status, religion, political views, ethnicity, trade union membership, etc.) unless a specific placement or programme requires it and we have separately obtained your explicit consent for that narrow purpose.
Profile photos are treated as ordinary personal data. We do not run facial recognition, biometric matching, or any automated identification on photos. If we ever intend to introduce such processing, we will obtain explicit consent under Article 9(2)(a) GDPR and carry out a Data Protection Impact Assessment before doing so.
When a company registers as a host employer on the platform, we collect:
Contact persons at companies are data subjects in their own right. This policy applies to their data. They may exercise any right listed in Section 12.
When a university or higher education institution partners with us (for example, through a co-branded student portal), we collect:
We do not share any individual student's personal data with their university without first obtaining the student's explicit consent for that specific disclosure.
New students build their Living Profile through a guided conversation with Isa, our AI chat assistant. Here is what you should know:
GDPR requires us to have a documented lawful basis for every processing activity. Here is our basis for each main activity.
| Processing activity | Lawful basis | Notes |
|---|---|---|
| Creating and maintaining your student account | Contract (Art 6(1)(b)) | Necessary to provide the service you signed up for |
| Making your profile and photo visible to companies | Consent (Art 6(1)(a)) | Explicit, granular, opt-in consent obtained before any profile is published. See Section 8. |
| Sharing your profile with a specific company at your request | Contract (Art 6(1)(b)) and Consent | You initiate this action; we fulfil it on your behalf |
| Automated opportunity matching (suggesting companies to you) | Contract (Art 6(1)(b)) | Core feature of the service; human review available on request |
| Processing payments and issuing invoices | Contract (Art 6(1)(b)) and Legal obligation (Art 6(1)(c)) | Legal obligation covers tax record-keeping under Italian and Dutch law |
| Sending transactional emails (account, placement updates) | Contract (Art 6(1)(b)) | Part of the service |
| Sending marketing or newsletter emails | Consent (Art 6(1)(a)) | Separate opt-in required; withdraw via unsubscribe link at any time |
| Platform analytics (Umami) | Legitimate interests (Art 6(1)(f)) | Cookieless, no individual identification, no cross-site tracking. Minimal privacy impact. Legitimate interest balancing test passed. |
| Keeping suppression records after account deletion | Legitimate interests (Art 6(1)(f)) | Necessary to prevent accidental re-creation of a deleted account. Hashed email only, retained for 3 years. |
| Fraud prevention and platform security | Legitimate interests (Art 6(1)(f)) | Necessary to protect students, companies, and the platform |
When your profile is live and visible, companies browsing the platform can see: your name, profile photo, university and study programme, desired destinations and sectors, your free-text story and future vision, and your listed skills and languages. They cannot see your email address or phone number unless you choose to share those through our messaging system.
Before your profile becomes visible to any company, we ask for your explicit, informed, opt-in consent. This is a clear checkbox action during onboarding -- it is never pre-ticked and never bundled into general terms of service acceptance. The consent screen explains, in plain language, exactly what will be shown and to whom.
Consent for displaying your photo is collected as a separate step. You can publish your profile without a photo if you prefer.
You can hide your profile from companies at any time from your dashboard ("Visibility" toggle) or by emailing privacy@internshipabroad.nl. On withdrawal, your profile is removed from the company-facing browse view immediately (within 24 hours at the latest). Companies who had already viewed your profile and saved your details to their own records remain obligated to delete that data under the terms they agreed to with us (see below).
Once a company views your profile and copies or saves your data for their own recruiting purposes, they become an independent data controller for that copy of your data. We bind every company to a data-sharing agreement before they can view any profile. That agreement requires them to:
If you wish to exercise your rights against a company that received your data, you should contact them directly. You can also ask us for a list of companies that were given access to your profile -- see Section 12.
We do not run any automated facial recognition, biometric matching, or face-similarity search on profile photos. Photos are displayed as images only.
Our founders and a small number of placement coordinators (currently Daniel, Bregje, and Larysa) have access to student records to support placements, review profiles before publication, and handle support requests. Access is limited to what is necessary for each role.
Companies who have registered, accepted our data-sharing terms, and paid for access can view published student profiles.
We use the following sub-processors. Each is bound by a Data Processing Agreement (Article 28 GDPR) and receives only the minimum data necessary to perform their function.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting and deployment of the platform | USA (Standard Contractual Clauses in place) |
| Airtable Inc. | Structured database for student, company, and placement records | USA (Standard Contractual Clauses in place) |
| Anthropic PBC | AI language model powering Isa (the profile-building chat) | USA (Standard Contractual Clauses in place) |
| Stripe Inc. | Payment processing (see Section 15) | USA / Ireland (Stripe Payments Europe Ltd for EU transactions) |
| Google (Workspace) | Transactional and team email | EEA and USA (Standard Contractual Clauses in place) |
| Make (Celonis SE) | Workflow automation (routing emails, triggering notifications) | Germany / EU |
| Umami Software Inc. | Privacy-first analytics (self-hosted instance) | Self-hosted; data stays on our Vercel infrastructure |
| Replicate Inc. TO CONFIRM -- if used for student-facing features | AI image generation (used in content production, not for processing student photos) | USA (Standard Contractual Clauses in place) |
We do not sell your data to data brokers, advertising networks, or any third party for commercial purposes.
Our primary operating entity is based in the EU (Italy). Some of our sub-processors (Vercel, Airtable, Anthropic, Stripe) process data in the United States, which is not considered to have an "adequate" level of data protection under EU law.
For all such transfers, we rely on the European Commission's Standard Contractual Clauses (SCCs, 2021 version) as the legal transfer mechanism under Article 46 GDPR. We carry out a transfer impact assessment for each sub-processor to verify that SCCs provide effective protection in practice given the legal landscape in the destination country.
If you would like a copy of the SCCs or transfer impact assessments for a specific sub-processor, email privacy@internshipabroad.nl.
| Data type | Retention period | Reason |
|---|---|---|
| Active student profile and account data | For the duration of your active account | Necessary to provide the service |
| Profile and personal data after account deletion | Deleted within 30 days of your request | Reasonable processing period; we also need to notify companies that received your data |
| Hashed suppression record (email only) | 3 years after deletion | Prevents accidental re-creation; cannot be used to identify you |
| Payment and invoicing records | 10 years | Italian and Dutch statutory accounting requirements |
| Consent records (what you agreed to, when, and the wording shown) | Duration of account plus 3 years after deletion | Enables us to demonstrate compliance if challenged |
| Isa conversation logs | Same as profile data (deleted with the account) | Part of the profile-building record |
| Support correspondence | 3 years after last communication | Legitimate interests (resolving disputes) |
| Anonymised and aggregated analytics | Indefinitely | Cannot be attributed to any individual; used for platform improvement |
We do not retain data longer than necessary. When a retention period expires, data is deleted or anonymised in a scheduled process.
If you are located in the EU, EEA, or a country with equivalent data protection law, you have the following rights. We must respond within one calendar month of receiving a verifiable request (extendable to three months for complex cases, with written notice).
You can ask for a copy of all personal data we hold about you, the purposes for which we process it, the categories of recipients your data has been shared with (including a list or description of companies that accessed your profile), and the retention periods we apply.
You can correct inaccurate data directly in your profile dashboard. For data we hold outside the dashboard (for example, in internal records or email logs), email us and we will correct it and confirm in writing. Corrections propagate to all systems where the data is held.
You can request deletion of your account and all associated personal data. We will:
You can initiate deletion from your dashboard or by emailing privacy@internshipabroad.nl.
You can request a machine-readable export of the personal data you provided to us and that we process on the basis of consent or contract. We will provide this in JSON or CSV format within one month.
You can object at any time to processing based on legitimate interests (for example, analytics). We will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests. For processing based on consent, withdrawing consent (described below) is the equivalent action.
You can withdraw consent for profile visibility at any time using the "Visibility" toggle in your dashboard, or by emailing us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. It does not affect your right to use the rest of the platform.
You can ask us to pause processing of your data (without deleting it) in certain circumstances -- for example, while you contest the accuracy of data we hold, or while an objection is being assessed.
We do not make decisions about you (such as accepting or rejecting your application, or blocking your account) based solely on automated processing. A human review step exists at every decision point that significantly affects you. You can always request human review of any automated output by contacting privacy@internshipabroad.nl.
Email privacy@internshipabroad.nl with the subject "Data Subject Request" and a description of your request. We will ask you to verify your identity before processing the request (typically by confirming from your registered email address). There is no fee for a request unless it is manifestly unfounded or excessive.
We apply the following technical and organisational measures to protect your data:
No security measure is perfect. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware and notify affected users without undue delay.
We set a single session cookie (httpOnly, Secure, SameSite) to keep you logged in during your visit. This cookie contains a session token only -- no personal data -- and expires when you log out or your session times out. It is strictly necessary for the platform to function and does not require consent under the ePrivacy rules.
We use Umami, a privacy-first analytics tool, to understand how the platform is used. Umami collects:
Umami does not use cookies, does not track you across sites, does not store a persistent user identifier, and does not allow us to identify you as an individual. Our Umami instance is self-hosted on our own infrastructure. No data is shared with Umami's company or any third-party analytics provider. The lawful basis is legitimate interests (improving the platform) -- the privacy impact is minimal given the cookieless, non-identifying nature of the tool.
We do not currently operate paid advertising campaigns that use tracking pixels or conversion APIs on this platform. If we introduce such tools in future, we will update this policy and, where legally required, obtain your consent before placing any tracking code. TO CONFIRM -- confirm whether Meta pixel remains active or has been removed
Payments on the platform are processed by Stripe (Stripe Payments Europe Ltd for EU transactions, a subsidiary of Stripe Inc., USA). When you make a payment:
Payment records are retained for 10 years to comply with Italian and Dutch statutory accounting requirements (Art 6(1)(c) GDPR -- legal obligation).
We do not store, transmit, or have access to full card details at any point.
This platform is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe a user under 16 has registered, please contact privacy@internshipabroad.nl and we will delete the account promptly.
For users aged 16 and 17 in EU member states where the age of digital consent is 16 (the minimum allowed under GDPR), consent from a parent or guardian is not required. For any country where national law sets the age of digital consent higher than 16 TO CONFIRM -- check applicable member state derogations for your primary markets, we will implement appropriate age verification and parental consent collection before onboarding users under that age.
We will update this policy from time to time. The "Last updated" date at the top of this page will always reflect the most recent version. If we make a material change -- one that affects how we use your personal data in a way that could disadvantage you -- we will send you an email notification at your registered address before the change takes effect, giving you a reasonable period to withdraw consent or close your account if you do not agree.
For minor clarifications and updates that do not affect your rights or how we process your data, we will update the policy without individual notice.
You always have the right to lodge a complaint with a data protection supervisory authority. You may contact the authority in the EU member state where you habitually reside, where you work, or where an alleged infringement occurred.
As our operating entity is incorporated in Italy (Sardinia), our lead supervisory authority under the GDPR one-stop-shop mechanism is:
Garante per la protezione dei dati personali (Italian Data Protection Authority)
Website: garanteprivacy.it
Email: garante@garanteprivacy.it
Students based in the Netherlands may also contact:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Website: autoriteitpersoonsgegevens.nl
We would always prefer to resolve your concern directly before you escalate to a supervisory authority. Please try contacting us first at privacy@internshipabroad.nl.