Privacy Notice

Effective Date: June 4, 2020

Carnegie Mellon University (“CMU,” “we,” “us,” or “our”) is committed to privacy and data protection. This Privacy Notice applies to all personal data CMU collects from you, through websites under the CMU domain cmu.edu and any other CMU websites or online services (collectively the “Services”) that link to this Privacy Notice, as well as how we use and protect your personal data. You may download a copy (.pdf) of this Privacy Notice.

This Privacy Notice does not apply to any third-party applications or software that integrate with the Services, or any other third-party products, services or businesses (collectively, “Third Party Services”). Third Party Services are governed by their own privacy policies. We recommend you review the Privacy Notice governing any Third Party Services before using them.

CMU is the controller of the personal data collected through the Services. Any questions or concerns regarding CMU’s privacy and data protection practices can be directed to our Data Protection Officer, Melanie Lucht, Associate Vice President and Chief Risk Officer at GDPR-info@andrew.cmu.edu.

Personal Data We Collect

CMU collects data to provide the Services you request, ease your navigation on our websites, communicate with you, and improve your experience using the Services. You provide some of this information directly, such as when you register for the Services. Some of the information is collected through your interactions with the Services. We collect such data using technologies like cookies and other tracking technologies, error reports, and usage data collected when you interact with CMU Services running on your device.

The data we collect depends on the Services and features thereof that you use, and includes the following:

Name and contact information. We may collect your first and last name, email address, postal address, phone number, and other similar contact data. We may use this information to contact you or provide you with information on CMU or the Services.

Credentials. We process passwords and related security information used for authentication and account access and information security purposes.

Payment information. We collect data necessary to process your payment if you make purchases, such as your payment instrument number (such as a credit card number) (“Payment Information”).

Job application and employment data. We collect information regarding your employment history, resume, references, education, and other information to help us evaluate you for an internship or employment with CMU.

Admissions and course registration data. When you apply for admission to or register to take a course at CMU, we will ask you to provide personal data to process your registration such as your: name, address, telephone number, email address, contact preferences, educational information (including grades and transcripts), and other information relevant to your registration.

Conference, program, event and visitor registration data. When you apply and/or register to participate in a program, become a visitor and/or attend an event, we will ask you to provide personal data to process your application or registration such as your: name, address, telephone number, email address, contact preferences, social media identifier, disabilities (for compliance with the American’s with Disabilities Act), dietary needs, emergency contact information, professional and personal interests, job title, company, business address and phone number, website, and blog. We may also ask for Payment Information (described below).

Sensitive personal data. Under certain circumstances, we may ask you to provide sensitive personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health, sexual orientation, or criminal offenses (“Sensitive Personal Data”). We may also ask for Sensitive Personal Information. Providing Sensitive Personal Information is voluntary, we will only collect and process Sensitive Personal Information with your consent.

Usage data. We collect personalized information about your use of the Services, to better understand uses thereof and identify potential improvements, as well as to send you promotional communications or offers tailored to your use of the Services and interests thereto.

Examples include:

  • Information on the web pages you visit on the Services and the search terms you enter on the Services.
  • Information regarding the performance of the Services and any problems you may experience while using them. This information enables us to diagnose problems and offer support in resolution.
  • Data about your device and the network you use to connect to the Services, including IP address, device identifiers, and regional and language settings.

Web requests. We collect information regarding every web request sent to our servers. This information is used to provide support, as well as to assess usage and performance of the Services. The data collected for each request can include such things as timestamps, any exception messages, user agent, IP address, and request time and duration.

Location data. We collect your IP address and infer location such as city or postcode therefrom, when necessary in order to provide you with the Services or to send you promotional communications or for relationship management purposes.

Content. We may collect the content of messages you send to us, such as feedback or questions you ask our technical support representatives, when necessary to provide you with the Services. We will collect and utilize any data files you send to us for troubleshooting and improving the Services.

Surveys and Studies. We may ask you to participate in a survey or study; and may request information from you. Participation is voluntary, and you have the choice of whether to disclose any requested information.

How We Use Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data for the following lawful purposes:

  • Where we need such information to perform the contract (e.g., Terms of Use) we are about to enter into or have entered into with you (“performance of a contract”).
  • Where we receive your consent (“consent”).
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (“legitimate business interest”).
  • Where we need to comply with a legal or regulatory obligation (“legal obligation”).

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where it is required or permitted by law.

CMU uses information that we collect from students, employees, and visitors for the purposes of:

  • providing the Services (performance of a contract);
  • providing ongoing support (performance of a contract);
  • evaluating you for admission to enroll as a student to CMU or to become a visitor to CMU (legitimate business interest);
  • evaluating you for a job or internship (legitimate business interest);
  • processing your payments (performance of a contract);
  • registering you for a course, conference, program or event (performance of a contract);
  • conducting surveys and studies (legitimate business interest);
  • communicating with you, including promotional communications (legitimate business interest);
  • providing information about other Services (legitimate business interest);
  • helping us run our organization, for example, to improve the Services or our security, train staff or perform marketing activities (legitimate business interest);
  • complying with our legal obligations (legal obligation); and
  • accounting and other administrative purposes (legitimate business interest).

Examples of the uses of information include:

Providing Services. We use data to carry out your transactions with us and to provide Services to you. Often, this includes personal data such as email, name and address. We may collect additional information when you register to use the Services, including contact information and credentials. We may use this data to diagnose and address problems and provide other support services.

Improving the Services. We use data to continually improve the Services, including adding new features or capabilities. Data is collected throughout your interactions with the Services that enable us to understand usage and tailor future capabilities.

We track general, non-personalized information (e.g., operating system, browser version and type of device being used) to know how many people visit specific pages of the Services or utilize specific areas of the Services so that we may improve those Services. We may use your IP address to customize services to your location, such as the language displayed on the Services.

Please note that we use IP addresses on a highly restrictive basis to analyze trends, to administer the site, and to collect general information for aggregate use.

Services Communications. We use data we collect to deliver and personalize our communications with you. For example, we may contact you by email or other means to notify you of changes in information and updates to the Services or to our Privacy Notice.

Marketing and event communication. We use personal data to deliver informational, marketing, and event communications to you across various platforms, such as email, direct mail, social media, and online via the Services. We also may send you invitations to events relating to the Services that occur nearby you, based on your address.

If we send you a marketing email, it will include instructions on how to opt out of receiving these emails in the future. We also maintain email preference centers for you to manage your information and marketing preferences. For information about managing email subscriptions and promotional communications, please visit the Your Rights Regarding Personal Data section of this privacy statement. Please remember that even if you opt out of receiving marketing emails, we may still send you important Services information related to your accounts and subscriptions.

Processing Payments. If you make a payment to CMU, we will ask for Payment Information and other information requested for processing your payment. We use third party payment processors to assist in securely processing your Payment Information. If you pay with a credit card, the Payment Information that you provide through the Services is encrypted and transmitted directly to the payment processor. We do not store your Payment Information and do not control and are not responsible for the payment processors or their collection or use of your information.

All payments received via credit card are processed securely by CMU’s payment processing vendors using measures that comply with the Payment Card Industry Data Security Standard (“PCI DSS”).

Surveys and Studies. We may ask you to participate in a survey or study; and may request information from you. Participation is voluntary, and you have the choice of whether to disclose any requested information.

How We Share Personal Data

It is the practice of CMU to protect users’ information. Access to our users’ information is restricted to only those employees or agents, contractors or subcontractors of CMU who have valid reasons to access this information to perform any service you have requested or authorized, or for any other purpose described in this Privacy Notice. The information you provide will not be sold or rented to third parties.

We may provide your personal data to:

  • outsourced service providers who perform functions on our behalf, located inside or outside of the European Union (“EU”) territory (in such case, we will use the appropriate legal framework to operate data transfers). For example, your personal information may be stored on cloud hosting services such as Amazon Web Services.
  • our authorized agents and representatives, located inside or outside of your country of residence (in such case, we will use appropriate legal framework to operate data transfers), who provide services on our behalf, such as training service providers;
  • anyone expressly authorized by you to receive your personal data; or
  • anyone to whom we are required by law to disclose personal data, upon valid and enforceable request thereof.

We will access, disclose and preserve personal data, when we have a good faith belief that doing so is necessary to:

  • comply with applicable law or respond to valid legal processes, including from law enforcement or other government agencies, upon valid and enforceable request thereof; or
  • operate and maintain the security of the Services, including to prevent or stop an attack on our computer systems or networks.

Please note that some of the Services may direct you to services of third parties whose privacy practices differ from CMU’s. If you provide personal data to any of those services, your data is governed by their privacy statements or policies. Carnegie Mellon University is not responsible for the privacy practices of these other websites. Please review the privacy policies for these websites to understand how they process your information.

How You May Share Personal Data

Certain features of the Services may allow you to share information with others. Please do not share your personal data or the personal data of others through the sharing features. You are the controller of personal information you share through the sharing features of the Services.

Handling of Personal Data

Security of Personal Data

CMU is committed to protecting the security of your personal data. Depending on the circumstances, we may hold your information in hard copy and/or electronic form. For each medium, we use technologies and procedures to protect personal data. We review our strategies and update as necessary to meet our business needs, changes in technology, and regulatory requirements.

These measures include, but are not limited to, technical and organizational security policies and procedures, security controls and employee training.

We may suspend your use of all or part of the Services without notice if we suspect or detect any breach of security, abuse, or illegal or questionable activity. If you believe that information you provided to us is no longer secure, please notify us immediately using the contact information provided below.

If we become aware of a breach that affects the security of your personal data, we will provide you with notice as required by applicable law. To the extent permitted by applicable law, CMU will provide any such notice that CMU must provide to you at your account’s email address. By using the Services, you agree to accept notice electronically.

Storage and Transfer of Personal Data

Personal data collected by CMU may be stored and processed in your region, in the United States or in any other country where CMU, its affiliates or contractors maintain facilities, including outside the EU. We take steps to ensure that the data we collect under this Privacy Notice is processed pursuant to the terms thereof and the requirements of applicable law wherever the data is located.

CMU also collaborates with third parties such as cloud-hosting services and suppliers located around the world to serve the needs of our business, workforce, and users. In some cases, we may need to disclose or transfer your personal data within CMU or to third parties in areas outside of your home country. When we do so, we take steps to ensure that personal data is processed, secured, and transferred according to applicable law.

If you would like to know more about our data transfer practices, please contact our Data Protection Officer at GDPR-info@andrew.cmu.edu.

Retention of Personal Data

CMU retains personal data in a form which permits identification of data subjects for as long as necessary to provide the Services and fulfill the transactions you have requested, or for other business purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. We are required by law to keep some types of information for certain periods of time (e.g., statute of limitations).

Your Rights Regarding Your Personal Data

CMU respects your right to access and control your personal data. You have choices about the data we collect. When you are asked to provide personal data that is not necessary for the purposes of providing you with the Services, you may decline. However, if you choose not to provide data that is necessary to provide the Services, you may not have access to certain features of the Services.

We aim to keep all personal data that we hold accurate, complete and up-to-date. While we will use our best efforts to do so, we encourage you to tell us if you change your contact details. If you believe that the information we hold about you is incorrect, incomplete or out-of-date, please contact GDPR-info@andrew.cmu.edu.

Access to personal data. In some jurisdictions, you have the right to request access to your personal data. In these cases, we will comply, subject to any relevant legal requirements and exemptions, including identity verification procedures. Before providing data to you, we will ask for proof of identity and sufficient information about your interaction with us so that we can locate any relevant data. We may also charge you a fee for providing you with a copy of your data (except where this is not permissible under local law).

Correction and deletion. In some jurisdictions, you have the right to correct or amend your personal data if it is inaccurate or requires updating. You may also have the right to request deletion of your personal data. Please note that such a request could be refused because your personal data is required to provide you with the Services you requested, e.g., to send an invoice to your email address, or that it is required by the applicable law.

Portability. If you reside within the EU, you have the right to ask for a copy of your personal data and/or ask for it to be ported to another provider of your choice. Please note that such a request could be limited to only personal data you provided us with or that we hold at that given time and subject to any relevant legal requirements and exemptions, including identity verification procedures.

Marketing preferences. If you have provided us with your contact information, we may, subject to any applicable Spam Act or similar regulation, contact you via e-mail, postal mail or telephone about CMU Services and events that may be of interest to you, including our newsletter.

Marketing e-mail communications you receive from CMU will generally provide an unsubscribe link or instructions on how to opt-out of receiving future e-mail or to change your contact preferences. E-mail communications may also include a link to directly update and manage your marketing preferences. You can also request changes to your contact preferences by contacting CMU via email at it-help@cmu.edu.

Please remember that even if you opt out of receiving marketing emails, we may still send you important Services information related to your accounts and subscriptions.

California Shine the Light Law: California Civil Code Section 1798.83 permits users who are California residents to obtain from us once a year, free of charge, a list of third parties to whom we have disclosed personal information (if any) for direct marketing purposes in the preceding calendar year. If you are a California resident and you wish to make such a request, please send an e-mail with “California Privacy Rights” in the subject line to GDPR-info@andrew.cmu.edu or write us at: Carnegie Mellon University, Attention: Data Protection Officer.

Cookies & Other Technologies

CMU uses cookies (small, often encrypted, text files that are stored on your computer or mobile device) and similar technologies (“Cookies”) to provide the Services and help collect data.

How We Use Cookies

We use Cookies to track how you use the Services by providing usage statistics. Cookies are also used to deliver CMU information (including updates) based upon your browsing history and previous visits to the Services. Information supplied to us using Cookies helps us to provide a better online experience to our visitors and users and send marketing communications to them, as the case may be. Information supplied to us upon launching of the Services will enable CMU to improve the functionality of the Services.

While this information on its own may not constitute your “personal data”, we may combine the information we collect via Cookies with personal data that we have collected from you to learn more about how you use the Services to improve them.

Types of Cookies

We use both session Cookies (which expire once you close your web browser) and persistent Cookies (which stay on your device until you delete them). To make it easier for you to understand why we need them, the Cookies we use on the Services can be grouped into the following categories:

  • Strictly Necessary: These Cookies are necessary for the Services to work properly. They include any essential authentication and authorization Cookies for the Services.
  • Functionality: These Cookies enable technical performance and allow us to “remember” the choices you make while browsing the Services, including any preferences you set. They also include sign-in and authentication Cookies and IDs that enable you to return without additional sign-in.
  • Performance/Analytical: These Cookies allow us to collect certain information about how you navigate the Services. They help us understand which areas you use and what we can do to improve them.
  • Targeting: These Cookies are used to deliver relevant information related to the Services to an identified machine or other device (not a named or otherwise identifiable person) which has previously been used to visit the Services. Some of these types of Cookies on the Services are operated by third parties with our permission and are used to identify advertising sources that are effectively driving users to the Services.

Cookies Set by Third Parties

To enhance our content and to deliver a better online experience for our users, we sometimes embed images and videos from other websites on the Services. We currently use, and may in future use content from services such as Facebook, LinkedIn and Twitter. You may be presented with Cookies from these third-party websites. Please note that we do not control these Cookies. The privacy practices of these third parties will be governed by the parties’ own privacy statements or policies. We are not responsible for the security or privacy of any information collected by these third parties, using Cookies or other means. You should consult and review the relevant third-party privacy statement or policy for information on how these Cookies are used and how you can control them.

We also use Google, a third-party analytics provider, to collect information about Services usage and the users of the Services, including demographic and interest-level information. Google uses Cookies in order to collect demographic and interest-level information and usage information from users that visit the Services, including information about the pages where users enter and exit the Services and what pages users view on the Services, time spent, browser, operating system, and IP address. Cookies allow Google to recognize a user when a user visits the Services and when the user visits other websites. Google uses the information it collects from the Services and other websites to share with us and other website operators’ information about users including age range, gender, geographic regions, general interests, and details about devices used to visit websites and purchase items. We do not link information we receive from Google with any of your personally identifiable information. For more information regarding Google’s use of Cookies, and collection and use of information, see the Google Privacy Notice (available at https://policies.google.com/privacy?hl=en). If you would like to opt out of Google Analytics tracking, please visit the Google Analytics Opt-out Browser Add-on (available at https://tools.google.com/dlpage/gaoptout).

How to Control and Delete Cookies

Cookies can be controlled, blocked or restricted through your web browser settings. Information on how to do this can be found within the Help section of your browser. All Cookies are browser specific. Therefore, if you use multiple browsers or devices to access websites, you will need to manage your cookie preferences across these environments.

If you are using a mobile device to access the Services, you will need to refer to your instruction manual or other help/settings resource to find out how you can control Cookies on your device.

Please note: If you restrict, disable or block any or all Cookies from your web browser or mobile or other device, the Services may not operate properly, and you may not have access to the Services. CMU shall not be liable for any impossibility to use the Services or degraded functioning thereof, where such are caused by your settings and choices regarding Cookies.

To learn more about Cookies and web beacons, visit www.allaboutCookies.org.

Social Sharing

We also embed social sharing icons throughout the Services. These sharing options are designed to enable users to easily share content from the Services with their friends using a variety of different social networks. If you choose to connect using a social networking or similar service, we may receive and store authentication information from that service to enable you to log in and other information that you may choose to share when you connect with these services. These services may collect information such as the web pages you visited and IP addresses, and may set cookies to enable features to function properly. We are not responsible for the security or privacy of any information collected by these third parties. You should review the privacy statements or policies applicable to the third-party services you connect to, use, or access. If you do not want your personal data shared with your social media account provider or other users of the social media service, please do not connect your social media account with your account for the Services and do not participate in social sharing on the Services.

Do Not Track

Some web browsers (including Safari, Internet Explorer, Firefox and Chrome) incorporate a “Do Not Track” (“DNT”) or similar feature that signals to websites that a user does not want to have his or her online activity and behavior tracked. If a website that responds to a particular DNT signal receives the DNT signal, the browser can block that website from collecting certain information about the browser’s user. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, many website operators, including CMU, do not respond to DNT signals.

Children's Privacy

Certain Services are intended to be used by individuals who are under the age of 13 years old (“Children” or “Child”). Services directed to Children require verifiable parental consent and acknowledgement of the CMU Children’s Online Privacy Protection Act (“COPPA”) Notice prior to a Child’s participation. Consistent with the requirements of the COPPA, if we learn that we received any information directly from a Child without his or her parent’s verified consent, we will use that information only to inform the Child (or his or her parent or legal guardian) that he or she cannot use the Services.

California Minors: If you are a California resident who is under age 18 and you are unable to remove publicly-available content that you have submitted to us, you may request removal by contacting us at: GDPR-info@andrew.cmu.edu. When requesting removal, you must be specific about the information you want removed and provide us with specific information, such as the URL for each page where the information was entered, so that we can find it. We are not required to remove any content or information that: (1) federal or state law requires us or a third party to maintain; (2) was not posted by you; (3) is anonymized so that you cannot be identified; (4) you don’t follow our instructions for removing or requesting removal; or (5) you received compensation or other consideration for providing the content or information. Removal of your content or information from the Services does not ensure complete or comprehensive removal of that content or information from our systems or the systems of our service providers. We are not required to delete the content or information posted by you; our obligations under California law are satisfied so long as we anonymize the content or information or render it invisible to other users and the public.

The General Data Protection Regulation (“GDPR”)

If you reside within the EU you may be entitled to other rights under the GDPR. These rights are summarized below. We may require you to verify your identity before we respond to your requests to exercise your rights. If you are entitled to these rights, you may exercise these rights with respect to your personal data that we collect and store:

  • the right to withdraw your consent to data processing at any time (please note that this might prevent you from using certain aspects of the Services);
  • the right of access your personal data;
  • the right to request a copy of your personal data;
  • the right to correct any inaccuracies in your personal data;
  • the right to erase your personal data;
  • the right to data portability, meaning to request a transfer of your personal data from us to any other person or entity as chosen by you;
  • the right to request restriction of the processing of your personal data; and
  • the right to object to processing of your personal data.

You may exercise these rights free of charge. These rights will be exercisable subject to limitations as provided for by the GDPR. Any requests to exercise the above-listed rights may be made to: GDPR-info@andrew.cmu.edu.

If you reside within the EU, you have the right to lodge a complaint with a Data Protection Authority about how we process your personal data at the following website: https://edpb.europa.eu/about-edpb/board/members_en.

Processing EU Personal Data

In the event that your personal data is subject to the GDPR, we will only use your personal data for the original purpose for which we collected it, unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use your EU personal data for an unrelated purpose, we will notify you and we will explain the legal basis, which allows us to do so. We require third parties to only use your EU personal data for the specific purpose for which it was given to us and to protect the privacy of your personal data. If your personal data is no longer necessary for the legal or business purposes for which it is processed, we will generally destroy or anonymize that data.

International Transfers of Personal Data

Whenever we transfer your personal data out of the EU, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • European Commission Standard Contractual Clauses: We may use specific contracts approved by the European Commission, which give personal data the same protection it has in the EU.
  • Privacy Shield. Where we use providers based in the U.S., we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between the Europe and the U.S.

For additional information on the mechanisms used to protect your personal data, please contact our Data Protection Officer at GDPR-info@andrew.cmu.edu.

Changes To This Privacy Notice

We may update this Privacy Notice based upon evolving Laws, regulations and industry standards, or as we may make changes to our business including the Services. We will post changes to our Privacy Notice on this page and encourage you to review our Privacy Notice when you use the Services to stay informed. If we make changes that materially alter your privacy rights, CMU will provide additional notice, such as via email or through the Services. If you disagree with the changes to this Privacy Notice, you should discontinue your use of the Services. You may also request access and control of your personal data as outlined in the Your Rights Regarding Personal Data section of this Privacy Notice.

Questions or Complaints Handling

We understand that you may have questions or concerns about this Privacy Notice or our privacy practices or may wish to file a complaint. In such case, please contact us in one of the following ways:

Email: GDPR-info@andrew.cmu.edu

Mail:

Carnegie Mellon University
Attention: Data Protection Officer
5000 Forbes Avenue
Pittsburgh, PA 15213

If you are not satisfied with our answer or how CMU manages your personal data, you may also have the right to make a complaint to a data protection regulator. If you reside within the EU, a list of National Data Protection Authorities can be found here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm