How we collect, use, and protect your information across all DigiRoad platforms
Last updated: June 30, 2025DigiRoad Inc. ("DigiRoad," "we," "our," or "us") operates digiroad.co and a suite of related digital platforms designed to serve universities, higher education institutions, and the students they educate. Our mission is to unify the fragmented digital infrastructure of higher education — and doing so responsibly means treating the personal data you share with us with the highest degree of care.
This Privacy Policy explains what information we collect, why we collect it, how we use and share it, how long we retain it, and the rights available to you as a user or an institutional partner. It applies to all DigiRoad products and services, including eCampus, Connect, UniPay, associated mobile applications, web portals, and API integrations.
By using any DigiRoad service, you acknowledge that you have read and understood this Privacy Policy. If you are using DigiRoad services on behalf of an institution, you confirm that the institution has authorised such use and that you have the authority to bind the institution to the terms herein.
If you have questions or concerns about this policy or our data practices at any time, please contact us at legal@digiroad.co.
The data controller for personal information processed through DigiRoad platforms is:
Where DigiRoad processes personal data on behalf of a university or institution, DigiRoad acts as a data processor and the institution acts as the data controller for that data. The institution's own privacy policies and data agreements will apply in addition to this policy.
This Privacy Policy applies to the full range of DigiRoad products and services, including but not limited to:
Where third-party services are embedded within DigiRoad platforms (such as payment processors or analytics providers), those third parties may have their own privacy policies. We recommend reviewing those policies directly — see Section 7 for a full list.
We collect information in a number of ways depending on how you interact with our services:
Precise location data (GPS) is only collected through mobile applications and only with your explicit consent. You may revoke location permissions at any time through your device settings. Approximate location derived from your IP address may be used for security, fraud prevention, and service regionalisation.
We do not intentionally collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or sexual orientation, except where strictly necessary for a specific service feature (such as accessibility accommodations) and only with your explicit consent.
We use personal data for the following purposes, relying on the legal bases noted in parentheses where applicable under GDPR and equivalent frameworks:
To create and manage your account, authenticate your identity, provide access to the features you are enrolled for, process transactions, and deliver the core functionality of DigiRoad platforms. (Legal basis: Performance of a contract.)
To send transactional notifications (account changes, payment receipts, security alerts), important service updates, and institutional communications on behalf of your university. We may also send you information about new DigiRoad features or related services where you have opted in. (Legal basis: Legitimate interests / Consent for marketing.)
To understand how users interact with our platforms, identify bugs and performance issues, and make data-driven improvements to the user experience. Analytics data is aggregated and de-identified wherever possible. (Legal basis: Legitimate interests.)
To monitor for suspicious activity, detect and prevent unauthorised access, investigate security incidents, and protect the safety and integrity of our platforms and users. (Legal basis: Legitimate interests / Legal obligation.)
To comply with applicable laws, regulations, court orders, and requests from public authorities, including data protection laws, financial regulations, and export control requirements. (Legal basis: Legal obligation.)
To provide universities with aggregated and/or individual usage reports, credential issuance records, and payment reconciliation data as required under our institutional service agreements. (Legal basis: Performance of a contract with the institution.)
DigiRoad uses cookies and similar tracking technologies (including local storage and session storage) to operate our services, remember your preferences, and understand how our platforms are used.
We use Google Analytics 4 and Google Firebase for usage analytics. Data collected by these services is subject to Google's Privacy Policy. We have enabled IP anonymisation and have configured data retention periods consistent with our obligations.
You can manage your cookie preferences at any time by adjusting your browser settings or using the cookie settings interface available in your DigiRoad account. Note that disabling non-essential cookies will not affect the core functionality of the platform.
DigiRoad integrates with carefully selected third-party providers to deliver a secure, scalable, and full-featured platform. Each provider has been evaluated for their security practices and compliance posture. Where required, we have executed Data Processing Agreements (DPAs) with these providers.
Open-source PostgreSQL database and backend infrastructure provider. Handles data storage, real-time subscriptions, and user authentication services for DigiRoad platforms.
Transactional email delivery service used to send account notifications, password reset emails, payment confirmations, and institutional communication on behalf of DigiRoad.
Used for web and mobile app hosting, push notification delivery, and in-app usage analytics. Subject to Google's terms and privacy policies.
Content delivery network, DDoS mitigation, DNS management, and web application firewall. All traffic to DigiRoad platforms is routed through Cloudflare's global network for performance and protection.
Industry-leading physical and digital identity credentialing provider. Powers DigiRoad's virtual student ID card issuance, mobile credential management, and NFC/Bluetooth access control integration.
Institutional email integration enabling DigiRoad platforms to authenticate against Microsoft Entra ID (formerly Azure AD), synchronise calendars, and interact with university Microsoft 365 tenants.
Third-party payment processing infrastructure used for card and bank payment transactions within UniPay. DigiRoad does not store card data. All payment data is processed under Stripe's PCI DSS-compliant environment.
Customer support and live chat platform. Used for in-app support, onboarding guidance for institutional administrators, and helpdesk ticket management.
Web and mobile usage analytics service by Google. Collects anonymised interaction data to help DigiRoad understand user behaviour, session flows, and feature engagement. IP anonymisation is enabled.
Cloud infrastructure provider used for certain backend compute, storage, and media processing workloads. Data processed on AWS is subject to applicable AWS data residency configurations and the AWS Data Processing Addendum.
Each third-party provider operates under its own privacy policy and terms of service. We encourage you to review these directly. DigiRoad is not responsible for the privacy practices of external services. Where a provider is located outside your jurisdiction, data transfers are governed by appropriate safeguards as described in Section 13.
DigiRoad does not sell your personal data. We do not trade, rent, or monetise your information to third parties. We share data only in the following limited circumstances:
Where you access DigiRoad services through a university or institution, that institution has authorised access to data relating to their students and staff members. This may include usage records, credential activity, and payment status reports. The institution's privacy policy governs how they handle data they receive from us.
We share data with the third-party service providers listed in Section 7 to the extent necessary for them to provide services on our behalf. All providers operate under contractual obligations that restrict their use of your data to the specified purposes.
We may disclose your information if we are required to do so by law, court order, or governmental authority. We will notify you of such requests where legally permitted to do so.
In the event of a merger, acquisition, reorganisation, or sale of assets, your data may be transferred to the successor entity. We will notify you via email or prominent notice on our platforms before any such transfer occurs, and your data will remain subject to the commitments made in this Privacy Policy.
In any other circumstances not listed above, we will seek your explicit consent before sharing your personal data with third parties.
We retain your personal data for as long as your account is active, or as long as necessary to provide you with our services. Specifically:
Upon expiry of the applicable retention period, data is securely deleted or anonymised. You may request earlier deletion subject to the exceptions noted in Section 11.
DigiRoad implements a comprehensive set of technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. Our security practices include:
While we take all reasonable steps to protect your data, no system is completely infallible. We encourage users to choose strong, unique passwords and to report any suspected security incidents to legal@digiroad.co immediately.
Depending on your jurisdiction, you may have the following rights with respect to your personal data. We honour these rights in accordance with the General Data Protection Regulation (GDPR), the UK GDPR, and equivalent frameworks in other jurisdictions.
To exercise any of these rights, please submit a request to legal@digiroad.co. We will respond within 30 days. Where requests are complex or numerous, we may extend this period by a further 60 days and will notify you accordingly. We may ask you to verify your identity before processing your request.
DigiRoad services are designed for use by university students, academic staff, and institutional administrators. Our services are not intended for individuals under the age of 16.
We do not knowingly collect personal data from children under 16. In certain jurisdictions or institutional contexts where DigiRoad services are used by students under 16 (such as vocational colleges or further education institutions), use must be authorised and supervised by the institution, and the institution must have obtained appropriate parental or guardian consent in accordance with applicable law.
If you become aware that a child under 16 has provided us with personal data without appropriate authorisation, please contact us immediately at legal@digiroad.co and we will take steps to delete such information promptly.
DigiRoad operates globally and serves institutions across multiple regions. As a result, your personal data may be transferred to, processed in, and stored in jurisdictions outside your country of residence, including but not limited to the European Union, the United States of America, and Southeast Asia.
Where such transfers involve countries that do not provide an equivalent level of data protection to your home jurisdiction, we implement appropriate safeguards, which may include:
You may request a copy of the safeguards we have put in place for international transfers by contacting legal@digiroad.co.
We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal requirements, or best practices. We are committed to keeping you informed of any material changes.
When we make significant changes to this policy, we will notify you by:
Your continued use of DigiRoad services after the effective date of any updated policy constitutes your acceptance of the revised terms. If you do not agree with the changes, you should discontinue use of the affected services and contact us to close your account.
We encourage you to review this policy periodically. Previous versions of this policy are available upon request by contacting legal@digiroad.co.
If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, our team is here to help. Please do not hesitate to reach out through any of the channels below.
You also have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction if you believe we have not handled your personal data lawfully. In the UK this is the Information Commissioner's Office (ICO); in the EU, it is the supervisory authority in the member state of your residence, place of work, or the place of the alleged infringement.
These terms are also available in our Terms & Conditions.