Privacy Notice

Effective Date: September 5, 2025

Carnegie Mellon University (“CMU,” “we,” “us,” or “our”) is committed to privacy and data protection. This Privacy Notice applies to all personal information CMU collects from you, through websites under the CMU domain cmu.edu and any other CMU websites or online services (collectively the “Services”) that link to this Privacy Notice, as well as how we use and protect personal information about you. You may download a copy (.pdf) of this Privacy Notice here.

This Privacy Notice does not apply to any third-party applications or software that integrate with the Services, or any other third-party products, services or businesses (collectively, “Third-party Services”). Third-party Services are governed by their own privacy policies. We recommend you review the relevant privacy notice governing any Third-party Services before using them.

CMU is the controller of the personal information collected by CMU through the Services. Any questions or concerns regarding CMU’s privacy and data protection practices can be directed to our Data Protection Officer at privacy@andrew.cmu.edu.
 

1.    WHAT INFORMATION DOES CMU COLLECT ABOUT ME AND WHY?

We collect information that identifies, describes, or is reasonably capable of being associated with you (“personal information”). The following discusses the categories of personal information we may collect and/or may have collected in the preceding 12 months, the sources we collect information from, and the business or commercial purposes use of personal information about you.

We may collect the following categories of personal information: 

  • Identifiers. Such as a real name, postal address, phone number, unique personal identifier, Internet Protocol address, email address, account name, unique identifier of device, or other similar identifiers.
  • Your opinions or other information. For example, when you respond to surveys or studies for us, or when you review or provide information to the Services we offer.
  • Protected Classification Characteristics. Such as age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status. Some of this information may be considered “sensitive personal information” or “special categories of personal information.”
  • Financial information. Such as your payment card number, CVV, billing address, and related financial information. This may be considered sensitive personal information in some jurisdictions.
  • Commercial information. Records of Services enrolled, purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Geolocation Data. Such as physical location or movements, which could include collecting your IP address and inferring location such as city or postcode therefrom.
  • Internet or other similar network activity. As described in more detail in the section titled “Cookies & Other Technologies,” if you use our website, we automatically collect information about your browsing and search history, interaction with the features of our website, and responses to advertisements.
  • Professional or employment-related information. Such as current or past job history or performance evaluations.
  • Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). Such as education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
  • Inferences drawn from other personal information. Such as profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  • Sensitive personal information. Such as data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnoses, sexual orientation, citizenship or immigration status, and genetic or biometric data used for uniquely identifying a person.

We may use these categories of personal information for the following purposes:

  • To provide you with the Services that you have requested - We may process personal information in connection with any Services we provide and pursuant to our contract with you to provide such Services, to administer our relationship with you and to carry out our obligations arising from the relationship between you and us, internal accounting and administration purposes, to process payment for purchases or other Services, and to create and manage your account with us.

    To provide you with Services we may collect: Identifiers; Your opinions or other information; Financial information; Commercial information; Geolocation Data; or Internet or other similar network activity. 
     
  • To evaluate you for admission to enroll as a student to CMU, for participation in a CMU program, to become a visitor to CMU - We will collect personal information about you when you apply for admission to CMU, to participate in a CMU program, or as a visitor. Such information will be used pursuant to our legitimate interest of evaluating individuals who apply to CMU.

    To evaluate enrollees and visitors we may collect: Identifiers; Your opinions or other information; Protected Classification Characteristics; Financial information; Professional or employment-related information; Non-public education information; or Sensitive personal information.
     
  • To perform surveys and studies - We may ask you to participate in a survey or study; and may request personal information from you. Participation is voluntary, and you have the choice of whether to disclose any requested information. You may be asked to sign a separate consent form in connection with many surveys and studies. The consent form will include additional disclosures regarding the personal information collected and processed in connection with the study or survey. 

    When conducting a survey or study we may collect: Identifiers; Your opinions or other information; Protected Classification Characteristics; Professional or employment-related information; Inferences drawn from other personal information; Geolocation Data; or Internet or other similar network activity; or Sensitive personal information
     
  • Registering you for a course, conference, program or event - When you register for a course, conference, program, or event (each a “program”) at CMU, we will collect personal information to process the registration, provide you with updates, and facilitate the program. Many programs will request that you sign a separate consent form for participation. This consent form may include additional disclosures regarding any additional personal information collected and processed in connection with the program.

    In connection with programs, we may collect: Identifiers; Your opinions or other information; Protected Classification Characteristics; Financial information; Professional or employment-related information; Inferences drawn from other personal information; Geolocation Data; Internet or other similar network activity, or Sensitive personal information.
     
  • To process your requests - We may collect the content of messages you send to us, such as feedback or questions you ask our technical support representatives, when necessary to provide you with the Services and fulfill our contract with you. We will collect and utilize any data files you send to us for troubleshooting and improving the Services.

    To process your requests, we may collect: Identifiers; Your opinions or other information; Commercial information; Geolocation Data; or Internet or other similar network activity.
     
  • To process your payments - If you make a payment to CMU, we will ask for financial information and other information requested for processing your payment and performing our contract with you. We use third-party payment processors to assist in securely processing your financial information. If you pay with a credit card, the financial information that you provide through the Services is encrypted and transmitted directly to the payment processor. We do not store your financial information and do not control and are not responsible for the payment processors or their collection or use of your information.

    CMU’s payment processing vendors are required to process all credit card payments securely using measures that comply with the Payment Card Industry Data Security Standard (“PCI DSS”).

    To process payments, we may collect and process: Identifiers; Financial information; or Commercial information. 
     
  • For analytics purposes - For example, we may analyze personal information about you including your location, and Services requested, age, time zone, IP address and URL visited, against our wider customer base for internal business purposes, such as generating statistics and developing marketing plans, based on our legitimate interest to improve our Services and the website. We may also aggregate and de-identify your information to create customer segments and share with our affiliates and partners.

    To perform analytics, we may collect and process: Internet and network information.
     
  • To provide you with marketing communications that you might be interested in - If you choose to receive marketing communications from us, we may use personal information about you to keep you up to date with our latest Services, surveys, announcements, upcoming events, sweepstakes, contests and other promotions via our newsletters, emails, or other communications. If you no longer wish to receive these marketing communications, details of how to opt out are described in the section below marked “How do I stop receiving marketing communications?” We send marketing communications based on your consent or our legitimate interest.

    To provide marketing communications we may collect and process: Identifiers; or Commercial information.
     
  • For non-marketing communications - We may use personal information about you to communicate with you about important information in relation to an account you have with us, the service you have requested or other non-marketing communications, for fulfillment of any contractual obligations we may have with you. This includes: (i) to process and respond to your questions and/or inquiries; (ii) emailing you to verify your identity when you sign-up; (iii) emailing you where you have requested a password and/or username reset; (iv) notifying you that a particular service has been suspended for maintenance or terminated; (v) letting you know that we have updated this Privacy Notice or other legal notices; or (vi) letting you know about any Services that you have requested or purchased. We will never contact you to ask for your password, please be careful if you receive any communications from people requesting this information.

    To provide non-marketing communications we may collect and process: Identifiers; or Commercial information.
     

  • For site optimization and management - For example we may use personal information about you provided to us to:

    • administer the website;
    • ensure the security of our networks and of your information;
    • customize your future visits to the website based on your interests to ensure the most user-friendly online navigation experience;
    • improve the website and our other digital offerings (including to fix operational problems such as pages crashing and software bugs); and
    • provide services to our partners such as tools, analyses, data and insights to see how their website or mobile applications are used.


    To support our legitimate interest in site optimization and management we may collect and process: Internet and network information.

  • For service and business development purposes - For example, we will use information we collect from you based on our legitimate interest to improve our Services and develop new Services, features, and capabilities. Data is collected throughout your interactions with the Services that enable us to understand usage and tailor future capabilities.

    To support product development, product improvement, and business development we may collect and process: Identifiers; Commercial information; or Internet and network information.
     
  • For fraud prevention and detection purposes and to protect and defend the rights and property of CMU, our employees and business partners.

    To support our legitimate interest in fraud prevention and detection we may collect and process: Identifiers; or Internet or other electronic network activity information. 
     
  • For employment application purposes - For example, if you contact us in relation to your employment prospects, we will use personal information about you, based on our legitimate interest, to consider you for current and future employment opportunities and to contact you with respect to employment opportunities at CMU that you have expressed an interest in.

    To support our employment application process, we may collect and process: Identifiers; or Professional or employment-related information. 
     
  • To verify your identity - For example, we may collect your real name, alias, postal address, unique personal identifier, online identifier, email address, account name, or other similar identifiers to determine if you already have an account with us or comply with a request from you to exercise your rights, as required by law.
  • Information that we collect automatically. When you engage with CMU, we may use Cookies and similar tracking technology to collect the following information about you automatically (for further information please see the section titled “Cookies & Other Technologies” for more information):
    • Internet or other electronic network activity information. Such as browsing history, search history, information on your interaction with a website, application, or advertisement.
      • For example, when you visit the website, engage with CMU content or with us digitally, we may collect certain information from your computer, tablet or mobile phone (“Device”) such as your IP address, Device type (i.e. make and model), unique device identification numbers, browser-type and time zone settings
      • We may also collect information about how your Device has interacted with us including: the pages accessed and links clicked; how you navigate to and from the website (such as how you scroll over the site, which parts you click and how long you spend on each page); your preferences, the Services that you have viewed or searched for; and crashes, download errors and response times.
    • Geolocation Data. Such as physical location or movements. We collect your IP address and infer location such as city or postcode therefrom.
      • For example, when you visit the website, engage with CMU content or with us digitally, we may collect your broad geographic location (e.g. country or city-level location) from your Device.
    • Inferences drawn from other personal information. Such as a profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
      • For example, when you visit the website, we may use the personal information indicated above to provide you with tailored advertising, content and Services that we think you may like. This is described in further detail in the section below marked “How does CMU use personal information?”.
    • Information that we obtain from third-party sources. From time to time, we may receive personal information about you from third-party sources, but only where we have contracts in place requiring the third-party to receive your consent or otherwise reasonably believe the third-party is legally permitted or required to disclose personal information about you to us. The types of personal information we collect from third parties may include:
      • Social Media Partners. For example, if you use functionality such as “like” or “share” buttons, that social media site may pass information to us, including: the user ID for that third-party site, the name, email address and location associated with the user ID and any other information permitted under the privacy policy for that website.
      • Technology partners and market research organizations. For example, where permitted by applicable data protection law and if applicable where you have specifically consented, our preferred technology partners may share information with us, including your browser patterns, geo-location and Device identifiers.

Research partners or data providers.  For example, where permitted by applicable data protection law and if applicable where you have specifically consented, we may receive personal information from our research sponsors, research collaborators and/or other data providers, such as Identifiers, Your opinions or other information, Protected Classification Characteristics, Professional or employment-related information, Inferences drawn from other personal information, Geolocation Data, or Internet or other similar network activity.

Use of Artificial Intelligence

We may use artificial intelligence to process personal information for any purpose set forth in this Privacy Notice. We may rely on third-party processors, servers, deployers, and developers in connection with our use of artificial intelligence. Unless set forth in Section 4 – Does CMU Share Personal Information with Anyone? or otherwise disclosed, we do not share personal information we collect with third parties. 

Change of purpose

We will only use personal information about you for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use personal information about you for an unrelated purpose, we will notify you and we will explain the business purpose which allows us to do so.

Please note that we may process personal information about you without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

2.    HOW LONG DOES CMU KEEP PERSONAL INFORMATION?

We retain personal information in identifiable form only for as long as necessary to fulfill the purposes for which the personal information was provided to us or, if longer, to comply with legal obligations, to resolve disputes, to enforce agreements and similar essential purposes. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of personal information about you, the purposes for which we process personal information about you and whether we can achieve those purposes through other means, and the applicable legal requirements. We are required by law to keep some types of information for certain periods of time (e.g., statute of limitations).

3.    FOR WHAT BUSINESS PURPOSE CAN CMU USE PERSONAL INFORMATION IN THIS WAY?

We are required to satisfy one or more of the reasons set out by applicable data privacy law before we can collect and use personal information about you.

Generally, our business purpose for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. However, we will normally rely on the following reasons to collect and use personal information about you:

  • Performance of a contract

    Using your information may be necessary for us to perform our obligations under a contract with you or with a view to entering into such a contract. For example, where you have: (i) purchased or enroll in our Services, we will need to use your information to provide those Services; or (ii) approached us in relation to employment opportunities, the collection and use of personal information about you is necessary to enable us to offer you the job role, process your acceptance of the offer, on-board you as an employee and fulfil our obligations as an employer.
     
  • Compliance with our legal obligations

    The collection and use of personal information about you may be necessary to enable us to meet our legal obligations. For example, to verify your identity and undertake necessary due diligence checks.
     
  • Pursuing our legitimate interests

    Where such processing is not overridden by your interests or fundamental rights, we are permitted to use personal information about you where it is necessary to pursue our legitimate interests, for example to operate the website and our other digital offerings, to improve our Services, content and our other digital offerings or to undertake marketing. We may have other legitimate interests and if appropriate we will make this clear to you at the relevant time.
     
  • Consent

    In some limited circumstances, we may rely on your consent to collect and use personal information about you. For example, we may rely on consent: (i) where you have approached us in relation to employment or study opportunities and have provided us with sensitive personal information, such as information in relation to your racial and ethnic origin, sexual orientation, religion, physical and mental health, disabilities or trade union membership; or (ii) in relation to the sending of e-marketing or communications.
    • If we rely on consent, this will be made clear to you at the time we request your information. You can withdraw your consent at any point by using the mechanism provided at the time, or by contacting us using the contact details provided in the section of this Privacy Notice titled “How do I contact CMU?”

You may not always be required to provide the personal information that we have requested. However, if you choose not to provide certain information, you may not be able to take advantage of some of our Services. Any information that is so required is clearly marked as mandatory. If you would prefer that we not collect certain personal information from you, please do not provide us with any such information, or opt out of providing this information where applicable.

If we collect and use personal information about you in reliance on our legitimate interests (or those of any third-party), these interests will normally be as set out in this Privacy Notice; however, if this changes we will make clear to you at the relevant time what those legitimate interests are.

If you have any questions or need further information concerning the business purpose on which we collect and use personal information about you, please contact us using the contact details provided in the section below marked “How do I contact CMU?”

4.    DOES CMU SHARE PERSONAL INFORMATION WITH ANYONE?

It is the practice of CMU to protect the personal information. Access to personal information controlled or processed by CMU is restricted to only those employees or agents, contractors or subcontractors of CMU who have valid reasons to access this information to perform any service you have requested or authorized, or for any other purpose described in this Privacy Notice. The personal information you provide will not be sold or rented to third parties.

We may provide personal information about you to:

  • outsourced service providers who perform functions on our behalf, located inside or outside of the jurisdiction in which you reside (in such case, we will use the appropriate legal framework to operate data transfers). For example, personal information about you may be stored on cloud hosting services such as Amazon Web Services.
  • our authorized agents and representatives, located inside or outside of your country of residence (in such case, we will use appropriate legal framework to operate data transfers), who provide Services on our behalf, such as training service providers;
  • anyone expressly authorized by you to receive personal information about you; or
     
  • anyone to whom we are required by law to disclose personal information, upon valid and enforceable request thereof.

We will access, disclose and preserve personal information, when we have a good faith belief that doing so is necessary to:

  • comply with applicable law or respond to valid legal processes, including from law enforcement or other government agencies, upon valid and enforceable request thereof; or
  • operate and maintain the security of the Services, including to prevent or stop an attack on our computer systems or networks.

Please note that some of the Services may direct you to services of third parties whose privacy practices differ from CMU’s. If you provide personal information to any of those services, that data is governed by their privacy statements or policies. Carnegie Mellon University is not responsible for the privacy practices of these other websites. Please review the privacy policies for these websites to understand how they process your information.

How You May Share Personal information

Certain features of the Services may allow you to share information with others. Please do not share personal information about you or the personal information of others through the sharing features. You are the controller of personal information you share through the sharing features of the Services.

5.    COOKIES & OTHER TECHNOLOGIES

CMU uses cookies (small, often encrypted, text files that are stored on your computer or mobile device) and similar technologies (“Cookies”) to provide the Services and help collect data.

How We Use Cookies

We use Cookies to track how you use the Services by providing usage statistics. Cookies are also used to deliver CMU information (including updates) based upon your browsing history and previous visits to the Services. Information supplied to us using Cookies helps us to provide a better online experience to our visitors and users and send marketing communications to them, as the case may be. Information supplied to us upon launching of the Services will enable CMU to improve the functionality of the Services.

While this information on its own may not constitute “personal information”, we may combine the information we collect via Cookies with personal information that we have collected from you to learn more about how you use the Services to improve them. 

Types of Cookies

We use both session Cookies (which expire once you close your web browser) and persistent Cookies (which stay on your device until you delete them). To make it easier for you to understand why we need them, the Cookies we use on the Services can be grouped into the following categories:

  • Strictly Necessary: These Cookies are necessary for the Services to work properly. They include any essential authentication and authorization Cookies for the Services.
  • Functionality: These Cookies enable technical performance and allow us to “remember” the choices you make while browsing the Services, including any preferences you set. They also include sign-in and authentication Cookies and IDs that enable you to return without additional sign-in.
  • Performance/Analytical: These Cookies allow us to collect certain information about how you navigate the Services. They help us understand which areas you use and what we can do to improve them.
  • Targeting: These Cookies are used to deliver relevant information related to the Services to an identified machine or other device (not a named or otherwise identifiable person) which has previously been used to visit the Services. Some of these types of Cookies on the Services are operated by third parties with our permission and are used to identify advertising sources that are effectively driving users to the Services.

Cookies Set by Third Parties

To enhance our content and to deliver a better online experience for our users, we sometimes embed images and videos from other websites on the Services. We currently use and may in future use content from services such as Facebook, LinkedIn and Twitter. You may be presented with Cookies from these third-party websites. Please note that we do not control these Cookies. The privacy practices of these third parties will be governed by the parties’ own privacy statements or policies. We are not responsible for the security or privacy of any information collected by these third parties, using Cookies or other means. You should consult and review the relevant third-party privacy statement or policy for information on how these Cookies are used and how you can control them.

We also use Google, a third-party analytics provider, to collect information about Services usage and the users of the Services, including demographic and interest-level information. Google uses Cookies in order to collect demographic and interest-level information and usage information from users that visit the Services, including information about the pages where users enter and exit the Services and what pages users view on the Services, time spent, browser, operating system, and IP address. Cookies allow Google to recognize a user when a user visits the Services and when the user visits other websites. Google uses the information it collects from the Services and other websites to share with us and other website operators’ information about users including age range, gender, geographic regions, general interests, and details about devices used to visit websites and purchase items. We do not link information we receive from Google with any of your personally identifiable information. For more information regarding Google’s use of Cookies, and collection and use of information, see the Google Privacy Notice (available at https://policies.google.com/privacy?hl=en ). If you would like to opt out of Google Analytics tracking, please visit the Google Analytics Opt-out Browser Add-on (available at https://tools.google.com/dlpage/gaoptout).


How to Control and Delete Cookies

Cookies can be controlled, blocked or restricted through your web browser settings. Information on how to do this can be found within the Help section of your browser. All Cookies are browser specific. Therefore, if you use multiple browsers or devices to access websites, you will need to manage your cookie preferences across these environments.

If you are using a mobile device to access the Services, you will need to refer to your instruction manual or other help/settings resource to find out how you can control Cookies on your device.

Please note: If you restrict, disable or block any or all Cookies from your web browser or mobile or other device, the Services may not operate properly, and you may not have access to the Services. CMU shall not be liable for any impossibility to use the Services or degraded functioning thereof, where such are caused by your settings and choices regarding Cookies.

To learn more about Cookies and web beacons, visit www.allaboutCookies.org.

Social Sharing

We also embed social sharing icons throughout the Services. These sharing options are designed to enable users to easily share content from the Services with their friends using a variety of different social networks. If you choose to connect using a social networking or similar service, we may receive and store authentication information from that service to enable you to log in and other information that you may choose to share when you connect with these services. These services may collect information such as the web pages you visited and IP addresses, and may set Cookies to enable features to function properly. We are not responsible for the security or privacy of any information collected by these third parties. You should review the privacy statements or policies applicable to the third-party services you connect to, use, or access. If you do not want your personal information shared with your social media account provider or other users of the social media service, please do not connect your social media account with your account for the Services and do not participate in social sharing on the Services.

Do Not Track

Some web browsers (including Safari, Internet Explorer, Firefox and Chrome) incorporate a “Do Not Track” (“DNT”) or similar feature that signals to websites that a user does not want to have his or her online activity and behavior tracked. If a website that responds to a particular DNT signal receives the DNT signal, the browser can block that website from collecting certain information about the browser’s user. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, many website operators, including CMU, do not respond to DNT signals.

6.    WHAT ARE MY DATA PROTECTION CHOICES AND RIGHTS?

The privacy laws of some jurisdictions may provide their residents with additional rights regarding our use of personal information. The following Section applies to individuals who reside in specific jurisdictions that provide additional privacy rights.

5.1 Your Rights and Choices

Right to Access Specific Information and Data Portability Right. You may have the right to request that we disclose certain information to you about our collection and use of personal information. Once we receive and confirm your verifiable request, we may disclose to you any and/or all of the following when required under applicable privacy laws:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting such information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • If we disclosed personal information for a business purpose, the business purpose for which personal information was disclosed, and the personal information categories that each category of recipient obtained.

Right to Correct Information. You may have the right to request we update personal information about you that is incorrect in our systems.

Right to Delete. You may have the right to request that we delete any personal information about you that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable request, we will delete (and direct our service providers to delete) the personal information from our records, unless an exception applies. 

Right to Withdraw Consent. You may have the right to withdraw your consent at any point by using the mechanism provided at the time, or by contacting us using the contact details provided in the section of this Privacy Notice titled “How do I contact CMU?”

Right to Limit Sensitive Personal Information Use. You may have the right to limit the use of sensitive personal information regarding you. 

Right to Object to Processing Personal Information. You may have the right to object to the processing of personal information for the purposes of profiling or our legitimate interest. 

Non-Discrimination. We will not discriminate against you for exercising any of your rights. 

5.2 How to Exercise these Rights

To submit a request to exercise these rights you may use one of these two methods:

For all requests, please clearly state that the request is related to “Your Privacy Rights,” indicate which type of request you are making, and provide your name, street address, city, state, zip code and an e-mail address or phone number where we may contact you. We are not responsible for notices that are not labeled or sent properly or that do not include complete information. 

To appeal a decision regarding an individual rights request, please submit your appeal using one of the two methods above. Your appeal should include an explanation of the reason you disagree with our decision. Within 60 days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.

You may only make such a request for access or data portability twice within a 12-month period. The verifiable request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative and describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable request does not require you to create an account with us. We will only use personal information provided in a verifiable request to verify the requestor’s identity or authority to make the request.

We endeavor to respond to a verified request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response electronically. Any disclosures we provide will only cover the 12-month period preceding the receipt of the verifiable request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide the personal information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

5.3 California Shine the Light Law

California Civil Code Section 1798.83 permits users who are California residents to obtain from us once a year, free of charge, a list of third parties to whom we have disclosed personal information (if any) for direct marketing purposes in the preceding calendar year. If you are a California resident and you wish to make such a request, please send an e-mail with “California Privacy Rights” in the subject line to privacy@andrew.cmu.edu or write us at: Carnegie Mellon University, Attention: Data Protection Officer, 5000 Forbes Avenue, Pittsburgh, PA 15213.

7.    WHAT IF I ACCESS A THIRD-PARTY SITE THROUGH THE WEBSITE?

The website may contain links to or from third-party sites. Please be aware that we are not responsible for the privacy practices of such third parties. This Privacy Notice applies only to the personal information we collect as described above. We encourage you to read the privacy policies of third-party sites you access from links on the website or otherwise visit.

8.    WHAT IF I ACCESS OR USE A SOCIAL NETWORK OR PUBLIC FORUM THROUGH THE SERVICES?

Our website may facilitate easy access to certain social networking sites and other websites or services with user-generated content features, such as Facebook, Instagram, YouTube, Pinterest, and X (formerly Twitter) (“Social Sites”). You understand that we do not control such services and are not liable for the manner in which they operate or for the content generated and shared by other users. Please review the Social Sites’ privacy policies if you would like more information about how they collect, use and share personal information about you, your privacy rights and how to change your privacy settings.

Our website may enable you to:

  • Access Social Sites: This may include access to websites such as a Facebook, Instagram, YouTube, Pinterest, and X (formerly Twitter); or activation of third-party websites when you make a ‘comment’, ‘share’ or ‘like’ something on the Social Site using a third-party social network plug-in. In each instance, such third-party’s privacy policy will apply to your interaction with that website or service;
  • Submit content to Social Sites: For reviews, discussion forums, message boards, photographs and other public features (“Public Forums”). We do not restrict the distribution of personal information that you voluntarily disclose in these Public Forums, so please be aware that any information you disclose there may be collected and used by us and others. For this reason, we encourage you to refrain from providing or sharing personal information about yourself in the Public Forums. We cannot prevent third parties from using such information in a way that may violate this Privacy Notice or applicable law;
  • Sign-in to the Site using a Social Site: For example, for a harmonized user experience.

Signing-in using a Social Site or other third-party account may allow us to access information that you have given the Social Site permission to share. The sign-in feature may also transfer information to the Social Site or third-party, such as your username or social media handle, to authenticate you. The Social Site or third-party may also automatically collect information such as your IP address, information about your browser and device, and the web page address of the Site. The sign-in feature may also place and read Cookies from that third-party that may contain a unique identifier the Social Site or other third-party assigns to you. The functionality of and your use of the sign-in is governed by the privacy policy and terms of the Social Site.

We may use personal information about you to identify you on Social Sites and to show you ads that are more relevant for you. 

Our use of personal information about you in relation to the Social Sites will be as set out in this Privacy Notice or as otherwise notified to you. Again, please note that third-party sites (including the Social Sites) may be under the control of a third-party, and we encourage you to familiarize yourself with the privacy policies and terms of use of each third-party site.

9.    HOW DO I STOP RECEIVING MARKETING COMMUNICATIONS?

If you have provided us with your contact information, we may, subject to any applicable Spam Act or similar regulation, contact you via e-mail, postal mail or telephone about CMU Services and events that may be of interest to you, including newsletters.

Marketing e-mail communications you receive from CMU will generally provide an unsubscribe link or instructions on how to opt-out of receiving future e-mail or to change your contact preferences. E-mail communications may also include a link to directly update and manage your marketing preferences. You can also request changes to your contact preferences by contacting CMU via email at it-help@cmu.edu or, to stop text messages by texting STOP in response to any text message.

Please remember that even if you opt out of receiving marketing emails, we may still send you important Services information related to your accounts and subscriptions.

10.    DOES CMU TRANSFER PERSONAL INFORMATION TO OTHER COUNTRIES?

CMU also collaborates with third parties such as cloud-hosting services and suppliers located around the world to serve the needs of our business, workforce, and users. To provide our Services, we may need to transfer and process personal information about you in the United States or in any other country where CMU, its affiliates or contractors maintain facilities (including to destinations outside the country in which you are located).

As a result, your information may be transferred to and/or processed in countries which may not guarantee the same level of protection for personal information as the country in which you reside. However, we have taken appropriate safeguards to ensure that personal information about you will remain protected in accordance with this Privacy Notice and the requirements of applicable law wherever the data is located. For more information on how CMU transfers personal information please visit our “Transfer of Personal information Between Countries” page.

Further information can be provided on request: please contact us using the details found in the section “How do I contact CMU?” We have also implemented similar appropriate safeguards with our third-party service providers and partners and further details can be provided upon request.

11.    HOW DOES CMU SECURE PERSONAL INFORMATION?

CMU is committed to protecting the security of personal information about you. Depending on the circumstances, we may hold your personal information in hard copy and/or electronic form. For each medium, we use technologies and procedures to protect personal information. We review our strategies and update as necessary to meet our business needs, changes in technology, and regulatory requirements.

These measures include, but are not limited to, technical and organizational security policies and procedures, security controls and employee training.

We may suspend your use of all or part of the Services without notice if we suspect or detect any breach of security, abuse, or illegal or questionable activity. If you believe that personal information you provided to us is no longer secure, for example, if your access credentials have been compromised, please notify us immediately using the contact information provided below.

If we become aware of a breach that affects the security of personal information about you, we will provide you with notice as required by applicable law.

12.    HOW DOES CMU PROCESS CHILDREN’S DATA?

Certain Services are intended to be used by individuals who are under the age of 13 years old (“Children” or “Child”). Services directed to Children require verifiable parental consent and acknowledgement of the CMU Children’s Online Privacy Protection Act (“COPPA”) Notice prior to a Child’s participation. Consistent with the requirements of the COPPA, if we learn that we received any information directly from a Child without his or her parent’s verified consent, we will use that information only to inform the Child (or his or her parent or legal guardian) that he or she cannot use the Services.

California Minors: If you are a California resident who is under age 18 and you are unable to remove publicly-available content that you have submitted to us, you may request removal by contacting us at: Privacy@andrew.cmu.edu  When requesting removal, you must be specific about the information you want removed and provide us with specific information, such as the URL for each page where the information was entered, so that we can find it. We are not required to remove any content or information that: (1) federal or state law requires us or a third-party to maintain; (2) was not posted by you; (3) is anonymized so that you cannot be identified; (4) you don’t follow our instructions for removing or requesting removal; or (5) you received compensation or other consideration for providing the content or information. Removal of your content or information from the Services does not ensure complete or comprehensive removal of that content or information from our systems or the systems of our service providers. We are not required to delete the content or information posted by you; our obligations under California law are satisfied so long as we anonymize the content or information or render it invisible to other users and the public.

13.    DOES THIS PRIVACY NOTICE EVER CHANGE?

We may update this Privacy Notice based upon evolving Laws, regulations and industry standards, or as we may make changes to our business including the Services. We will post changes to our Privacy Notice on this page and encourage you to review our Privacy Notice when you use the Services to stay informed. 

If we make changes that materially alter your privacy rights, CMU will provide additional notice, such as via email or through the Services. If you disagree with the changes to this Privacy Notice, you should discontinue your use of the Services. You may also request access and control of personal information about you as outlined in the Your Rights Regarding Personal information section of this Privacy Notice.

14.    HOW DO I CONTACT CMU?

We understand that you may have questions or concerns about this Privacy Notice or our privacy practices or may wish to file a complaint. In such case, please contact us in one of the following ways:

Email: privacy@andrew.cmu.edu

Mail:
Carnegie Mellon University
Attention: Data Protection Officer
5000 Forbes Avenue
Pittsburgh, PA 15213