Privacy Policy

GlobalPathway is a product of Travgenix Solutions Limited (“we”, “us”, “our”). We are committed to protecting your personal data in accordance with the Nigeria Data Protection Act 2023 (NDPA) and its subsidiary regulations. This policy explains what data we collect, why we collect it, and your rights regarding that data.

1. Data We Collect

We collect the following categories of personal data when you use GlobalPathway:

• Identity data: your full name and display name.
• Contact data: your email address.
• Payment data: transaction references and subscription status. We do not store raw card numbers or bank details — these are handled exclusively by Paystack (see Section 4).
• Usage data: scholarship searches, saved scholarships, document analyses, and notification preferences.
• Technical data: browser type, device type, and access timestamps collected automatically by our hosting infrastructure.

2. How We Use Your Data

Your personal data is used solely for the following purposes:

• Account management: creating and maintaining your GlobalPathway account.
• Scholarship matching: personalising AI-powered scholarship search results to your country, field, and degree level.
• Document analysis: processing documents you upload to generate AI feedback. Uploaded documents are not stored beyond your active session.
• Payment processing: initiating and verifying subscription transactions via Paystack.
• Service communications: sending welcome emails, deadline reminders, and account verification emails you have requested.
• Platform improvement: analysing aggregate, anonymised usage patterns to improve our features.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

3. Legal Basis for Processing

Under the Nigeria Data Protection Act 2023 (NDPA), we process your data on the following lawful bases:

• Contract performance: to deliver the services you signed up for.
• Consent: for marketing emails and non-essential cookies. Consent must be freely given, specific, informed, and unambiguous — silence or inactivity does not constitute consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legitimate interests: for fraud prevention and platform security.

4. Payment Processing — Paystack

All payment transactions on GlobalPathway are processed by Paystack, a PCI-DSS compliant payment processor. When you make a payment, you are submitting your card details directly to Paystack’s secure environment. Travgenix Solutions Limited does not receive, store, or have access to your raw card or banking credentials. Paystack’s privacy policy governs data collected during payment and is available on their website.

5. Data Retention

We retain your personal data for 12 months from your last active use of the platform, or until you request account deletion, whichever comes first. After this period, your data is permanently deleted from our systems. Anonymised, aggregated analytics data may be retained indefinitely as it cannot be used to identify you.

6. Third-Party Services & Google API Access

GlobalPathway integrates with the following third-party services to deliver core platform functionality:

Google Calendar and Google Meet

When you choose to book a mentoring session, GlobalPathway requests permission to access your Google Calendar using the calendar.events scope. This access is used solely to create a calendar event for the booked session and to generate a Google Meet video link shared between you and your mentor.

We do not read, scan, index, or store any existing events or data from your Google Calendar. The calendar.events scope is used exclusively to write the single event created during the booking action. No calendar data is shared with third parties.

Your Google OAuth access tokens are stored in an HttpOnly session cookie (google_tokens) on your device. They are transmitted only to Google’s API during the booking action and are never logged, exported, or shared. You can revoke GlobalPathway’s access to your Google Calendar at any time by visiting Google Account Permissions .

Google API Limited Use Disclosure

GlobalPathway's use of information received from Google APIs adheres to the Google API Services User Data Policy , including the Limited Use requirements. Specifically, GlobalPathway uses Google OAuth for two purposes: (1) to allow users to sign in or create an account without a password via Firebase Authentication, and (2) to enable calendar booking between users and mentors. We do not use Google user data for any other purpose, transfer it to third parties, or use it for advertising.

Paystack

GlobalPathway uses Paystack to process subscription payments. When you complete a payment, your transaction is handled directly by Paystack. GlobalPathway does not store your card details. Paystack’s privacy policy is available at paystack.com/privacy.

Firebase (Google)

User authentication, data storage, and file hosting are provided by Google Firebase. Data is stored in Firebase Firestore and Firebase Storage in the europe-west1 region. Firebase’s privacy policy is available at firebase.google.com/support/privacy .

Gemini API (Google)

GlobalPathway uses the Gemini API, an AI service provided by Google, to power two features:

• AI scholarship search: when you submit a scholarship search, your query parameters (country, field of study, degree level, and any keywords you provide) are sent to the Gemini API to generate personalised scholarship recommendations.
• Document analysis: when you upload a document (e.g. a personal statement or CV) for AI feedback, the document content is sent to the Gemini API to produce suggestions. Documents are processed in memory only and are not retained beyond your active session.

No data sent to the Gemini API is used to train Google’s AI models. We do not send your name, email address, or payment information to the Gemini API. Google’s AI terms and privacy information are available at ai.google.dev/terms .

7. Cookies & Consent

GlobalPathway uses the following cookies and local storage keys:

• gp-theme — stores your dark/light mode preference (functional, no consent required).
• gp-cookie-consent — records your explicit opt-in to this cookie notice.
• google_tokens — an HttpOnly session cookie used when you connect your Google Calendar (functional).

In accordance with the NDPA and applicable data protection guidelines, your consent to non-essential cookies must be opt-in, specific, and informed. Continuing to browse or remaining on the page does not constitute consent. You may withdraw cookie consent at any time by clearing your browser storage or contacting us.

We do not use advertising or tracking cookies.

8. Your Rights Under the NDPA

As a data subject under the Nigeria Data Protection Act 2023 (NDPA), you have the right to:

• Access: request a copy of the personal data we hold about you.
• Correction: request that inaccurate or incomplete data be corrected.
• Deletion: request that your personal data be deleted from our systems. You may also delete your account directly from the Settings tab.
• Portability: request your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@travgenix.com. We will respond within 30 days in line with NDPA requirements.

9. Data Security

We implement appropriate technical and organisational measures to protect your data, including HTTPS encryption in transit, Firebase security rules restricting access to your own data, server-side authentication token verification, and rate limiting on all API endpoints.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay. In accordance with the Nigeria Data Protection Act 2023 (NDPA), we will also report the breach to the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of it. Notifications will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address it.

11. Enforcement & Penalties

Travgenix Solutions Limited is committed to full compliance with the Nigeria Data Protection Act 2023 (NDPA). Non-compliance with the NDPA may attract fines of up to ₦10,000,000 (ten million naira) or 2% of annual gross revenue of the preceding financial year, whichever is higher, as imposed by the Nigeria Data Protection Commission (NDPC).

12. Children’s Privacy

GlobalPathway is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately and we will delete it.

13. Changes to This Policy

We may update this policy from time to time. When we do, we will update the effective date at the top of this page and, where the changes are material, notify you by email. Continued use of GlobalPathway after any update constitutes acceptance of the revised policy.

14. Contact & Complaints

For any privacy-related questions or to exercise your rights, contact our Data Protection Officer:

If you are unsatisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC), the supervisory authority responsible for NDPA enforcement in Nigeria.