College Monte Carlo ("College Monte Carlo," "we," "us," or "our") is an independent college-admissions planning tool built by its two founders. This Privacy Policy explains what information we collect when you use our websites at collegemontecarlo.com and app.collegemontecarlo.com (the "Service"), how we use it, and the choices you have.
The short version: we built this to put personalized admissions modeling in reach of every student — not to harvest or sell data. We do not sell your personal information, and we do not use it for advertising.
1. Information we collect
a. Information you provide directly
- Account email. To create an account you give us an email address — either by requesting a sign-in link or by signing in with Google. We use it to identify your account and to send sign-in links and essential service messages.
- Your academic profile. When you use the planning tools you may enter information such as your name, GPA, test scores (SAT/ACT) and score history, number of AP courses, intended field of study, graduation year, high school, state, and self-described strengths.
- Demographic information (optional). You may choose to provide attributes such as gender, race or ethnicity, and whether you are a first-generation student. The simulation uses these only to model admissions outcomes; providing them is optional.
- Financial information (optional). To estimate net cost and aid, you may enter household income, assets, family size, home ownership, and similar figures. We do not collect bank-account or payment-card numbers for this purpose (see "Payments").
- Application activity. As you plan, the Service stores the items you create: your college list, application and essay tracking, extracurricular notes, timeline items, and saved careers.
- Waitlist. Before the full product launches, you may give us your email to join our waitlist.
b. Information we receive from Google (only if you choose "Sign in with Google")
If you sign in with Google, Google sends us your verified email address and a Google account identifier. We request only the basic "email" scope — we do not receive your password, contacts, Gmail, Drive, or other Google data. Your use of Google sign-in is also subject to Google's Privacy Policy.
c. Information collected automatically
- Essential cookies. We set a small number of strictly necessary cookies to keep you signed in and to protect the sign-in process (see "Cookies").
- Privacy-friendly analytics. We use Plausible Analytics, a cookieless service, to understand aggregate traffic (such as how many people visited a page). Plausible does not use cookies, does not collect personal data, and does not track you across sites or over time.
- Standard server logs. Like most websites, our infrastructure provider records technical request data (such as IP address, browser type, and timestamps) for security and reliability.
2. How we use your information
We use the information above to:
- create and operate your account and keep you signed in;
- run the simulation and produce your personalized estimates;
- save your work and sync it across your devices when you are signed in;
- send you sign-in links and essential messages about the Service;
- maintain security, prevent abuse, and debug problems; and
- understand, in aggregate, how the Service is used so we can improve it.
We do not sell your personal information, and we do not use it to serve you ads.
3. Where your information is stored
- On your device. The planning tools run in your browser, and your inputs are saved in your browser's local storage even if you never create an account.
- In our database (when signed in). When you are signed in, your profile and saved work are synced to our database so you can pick up on any device. Our database and servers run on Cloudflare's infrastructure.
If you use the Service without an account, your data stays on your device and is not sent to our database (beyond what is needed to load the pages and run the cookieless analytics described above).
4. Cookies
We use only essential, first-party cookies:
- cmc_session — keeps you securely signed in (HttpOnly; not readable by scripts).
- cmc_has_session — a non-sensitive flag that lets the app show signed-in state quickly.
- cmc_oauth_state — a short-lived cookie used only during Google sign-in to protect against cross-site request forgery.
We do not use advertising or cross-site tracking cookies, and our analytics (Plausible) is cookieless.
5. How we share information
We do not sell or rent your personal information. We share it only with service providers ("subprocessors") that help us run the Service, and only as needed for them to perform their function:
- Cloudflare — website hosting, edge computing, and database storage.
- Google — identity verification, only if you choose to sign in with Google.
- Resend — delivery of sign-in and essential emails (receives the recipient email address).
- Plausible Analytics — cookieless, aggregate usage analytics.
- Stripe — payment processing, only if and when you purchase a paid feature (see "Payments").
We may also disclose information if required by law, to protect our rights or users' safety, or in connection with a future business transfer — in which case we will continue to protect it under terms consistent with this policy.
6. Payments
The full product is not yet publicly available. If and when we offer paid features, payments will be processed by Stripe. We do not collect or store your full payment-card number; Stripe handles card data directly under its own terms and privacy policy.
7. Data retention
We keep your account information and saved work for as long as your account is active. Sign-in links expire within 15 minutes, and sessions expire after 30 days of inactivity. You can delete your data at any time (see "Your choices and rights"); when you delete your account, we remove your profile, saved work, sessions, and sign-in tokens from our database, and the email becomes free to register again. Aggregate, non-identifying analytics may be retained.
8. Your choices and rights
- Edit or update. You can change your profile and saved work at any time in the app.
- Sign out. Signing out removes your saved data from that device's local storage; it remains in your account so you can sign back in.
- Start over. The app's "start over" / clear options remove your saved work from your account.
- Delete your account. From the account page you can permanently delete your account and all associated data. This cannot be undone.
- Access or export. To request a copy of your personal data, email us at [email protected].
Depending on where you live, you may have additional rights (such as access, correction, deletion, or objection) under laws like the GDPR or CCPA. We honor these requests — contact us to exercise them. Because we do not sell personal information, there is nothing to opt out of in that respect.
9. Students and minors
The Service is designed for prospective college students, many of whom are in high school. The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you are under 18, you should review this policy with — and use the Service with the involvement of — a parent or guardian. If you believe a child under 13 has provided us personal information, contact us and we will delete it.
10. Security
We protect your account with standard measures: sign-in links and session tokens are random, short-lived, and stored only as cryptographic hashes, and sign-in cookies are HttpOnly and sent only over HTTPS. No system is perfectly secure, but we work to safeguard your information.
11. International users
We operate from the United States and use providers that may process data in the United States and other countries. By using the Service, you understand that your information may be processed in these locations.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above, and significant changes will be reflected here.
13. Contact
Questions about this policy or your data? Email us at [email protected].