Privacy Policy
This policy explains what personal data Youth Impacts International collects when you apply to YIMUN 2026, why we collect it, how long we keep it, and the rights you have under GDPR, UK GDPR and US state privacy law. We do not sell personal data. We never have.
1. Who we are
"Youth Impacts" / "we" refers to Youth Impacts International, an organisation operating from New York, United States. For privacy questions or to exercise any of the rights listed below, write to info@youthimpacts.com.
2. What we collect
| Data | Purpose | Legal basis |
|---|---|---|
| Name, email, date of birth | Identify the applicant, confirm eligibility, communicate admissions decisions | Contract (your application) |
| Country, institution, MUN experience, track | Assess fit and committee placement | Contract |
| Motivation statement | Admissions review (by a human and by Anthropic's Claude AI) | Contract |
| Financial-aid interest | Route to the scholarships team if relevant | Contract |
| Preferred package | Recommend the right tier on acceptance | Contract |
| IP address (rate limit) | Prevent abuse of the application form | Legitimate interest |
| Payment details | Process your registration payment | Contract — handled entirely by Stripe; we never see your card |
3. How we use AI
Each application is read by an AI assistant (Anthropic's Claude) to generate a recommendation (accept / waitlist / decline), a score, and a short summary for the admissions team. The AI does not make the final decision — a human admissions reviewer does. The motivation statement, name, country and institution are sent to Anthropic's API for this purpose. Anthropic does not train on this data. Read Anthropic's commercial terms at anthropic.com/legal.
4. Sub-processors
We share the minimum necessary data with the following providers to run the admissions and payment system:
| Provider | What they receive | Where |
|---|---|---|
| Vercel (hosting, KV store) | Full application record | US (with EU regional edge) |
| Upstash (Vercel KV backend) | Full application record | US |
| Anthropic (AI vetting) | Motivation statement + a few identifying fields | US |
| Resend (transactional email) | Email address + email body | US |
| Stripe (payment processing) | Name, email, payment card | US |
All transfers from the EU/UK to the US rely on each provider's published Standard Contractual Clauses.
5. How long we keep your data
- Application records — kept while admissions decisions are open, plus 12 months after the conference for alumni follow-up, then deleted on request.
- Audit log — kept for 24 months for compliance. Contains your application ID and the timestamps of decisions, but no application content.
- Stripe payment records — controlled by Stripe per their retention policy (typically 7 years for tax purposes). We cannot shorten this.
- Email logs (Resend) — 30 days.
6. Your rights
Under GDPR / UK GDPR you can:
- Access — request a copy of your data
- Rectify — correct anything inaccurate
- Erase — request deletion ("right to be forgotten")
- Object — to the AI-assisted review specifically; we will assign a human-only reviewer
- Port — receive your data in a machine-readable format
- Complain — to your local supervisory authority (e.g. ICO in the UK)
For California residents, equivalent rights exist under the CCPA / CPRA. The fastest way to exercise the access or erasure rights is the self-service tool at youthimpacts.com/my-data.html — enter your email, confirm via a one-time link, and we'll either email you a full data export or permanently delete your record. For any other right (rectify, port, object, complain), email info@youthimpacts.com. We respond within 30 days.
7. Cookies
The public site uses Vercel Analytics and Vercel Speed Insights only — both privacy-friendly, no personal identifiers. The admin panel uses one HttpOnly cookie (`yi_admin`) to keep an admin signed in.
8. Security
Data at rest is encrypted by our hosting providers. Transmission to and from the site is over TLS. Admin access is single-account and protected by a strong password and HMAC-signed session tokens. Payment card data never touches our servers — Stripe handles it under PCI-DSS SAQ-A.
9. Changes
If we make material changes to this policy we will update the date at the top and, where the change affects rights you have already exercised, contact you directly.