Harvard University Privacy Statement

We use the Personal Data that we collect to carry out various institutional and educational activities as described in more detail below. The ways in which we collect and use your data vary depending on the relationship between you and us, and include:

• Directly from you, when you provide information to us or interact with our Services:
  • Contact information and other identifiers: for example, name, phone number, mailing address and email address and any other contact information you choose to include when you communicate with us via e-mail, mail, phone, or other channels such as applications for admission to a program, sign-up sheets, intake forms, contest entries, or other means. In some cases, we may collect other identifiers, including government identifiers, such as Social Security numbers, or Harvard ID numbers
  • Demographic information: for example, gender, age, and other information you may provide in an application or other contexts
  • Education and personal history: for example, grades or prior educational experience when you apply for a program, as well as school activities, personal interests, charitable activities, disciplinary records, course engagement, and assessment data
  • Family information: for example, family member names, ages, and occupations
  • Student information: for example, your courses, programs and training, housing and alumni status, and other educational records subject to the Family Educational Rights and Privacy Act (“FERPA”)
  • Financial contribution and payment information: for example, when you directly apply for financial aid or make a payment to the University, or financial or payment information is submitted on your behalf
  • Health and dietary information: for example, accommodation requirements, immunization records or dietary needs if you attend a program or reside on-campus
  • Mobile device sensor information: for example, information collected via mobile applications that use your camera or microphone
  • Employment history: for example, employer, job title, location, union membership, and work experience
  • Your image or voice: for example, when a photograph or other image is used on Harvard identification cards or in online networking or announcements, or when your image or voice is captured by photography or video. We also record telephone conversations with our customer service center for record-keeping, training, and quality assurance purposes
  • Building access information: for example, when you swipe into an access-restricted Harvard building such as a library or athletic facility using a Harvard identification card
  • Academic resource usage information: for example, if you borrow library materials or save resources while logged in via Harvard online platforms
  • Any additional information you choose to provide us, including questions and feedback
• Automatically from you, when you utilize or interact with our Services:
  • Device information and online user activity when you utilize our technology platforms, as described in the next section
• From third parties:
  • Education and personal history from schools you may have attended, recommenders, prior employers, and others
  • Information about your interests, contact information, demographic information, and marketing inferences, from third-party sources that provide such information, which we may use in connection with applications, donor or alumni outreach, and other contexts
  • Information about the marketing and advertisements you have seen or clicked on, from online advertising companies

Some of this information may be collected by external parties on our behalf. For example, in some cases, we use a payment processor when you engage in a transaction through our platforms, applications or websites. 

Additionally, some of the information we collect that is described above may constitute “sensitive” or “special categories” of Personal Data under applicable laws. The definition of “sensitive” or “special categories” of Personal Data varies by applicable law (and in many cases will not apply); however, examples include health information and in some cases government identifiers such as Social Security number.

When you interact with our Services, certain information about your use of our Services may be automatically collected. This includes:

• Usage Details about your interaction with our Services (such as the date, time, and length of visits, and specific pages or content accessed during the visits, search terms, frequency of the visits, and referring website addresses)
  • Device Information including the IP address and other details of a device that you use to access our Services (such as device type and unique device identifier, operating system, browser type, mobile network information, and the device’s telephone number)
• Location information, such as the city or ZIP Code that correlates with the location of a WiFi service access point or with your device IP, or more specific information where you choose to provide the University with access to information about your device’s location
  • Session information about your interaction with our websites. For example, we may log the details of your visits to our websites and information generated in the course of using our websites, such as mouse movements, clicks, page visits, text entered, how long you spent on a page, and other details of your actions on our websites

Much of this information is collected through cookies, web beacons, and other tracking technologies, which may be operated by our vendors who assist us in collecting information about usage of our Services, serving ads, or providing other services to you. For example, in some cases we use Google Analytics to collect usage details. You can learn more about privacy and Google Analytics by visiting https://support.google.com/analytics/answer/6004245. We may also use cookies set by other third-party services.

You may be able to opt out of tracking by cookies or control how information collected by cookies is used via a number of means. For example, you may opt out of data collection by Google Analytics by visiting https://tools.google.com/dlpage/gaoptout.

Because there is no consensus or common recognition of “Do Not Track” signals, we do not currently alter any of our online practices when those signals are sent. 

We use the Personal Data we collect from you for the following purposes:

• Conducting our operations and administering and developing our educational offerings
• Furthering research and understanding in fields of academic study
• Processing and responding to your requests or inquiries
• Providing you with newsletters, articles, service alerts, or announcements, event invitations, volunteer opportunities, and other information that we believe may be of interest to you
• Providing you with access to Harvard housing, facilities, events, and transportation
• Identifying you when you visit our facilities or websites
• Operating, maintaining, and improving our platforms, applications, and websites
• Requesting and processing gifts and donations
• Processing and fulfilling transactions for enrollment, merchandise, or other Harvard products or Services
• Providing you with services related to courses and programs, including assistance with travel, residential lodging, and dietary or medical needs
• Alerting you about a safety or security announcement
• Alerting designated contacts in the event of a relevant emergency
• Conducting research, surveys, and similar inquiries to help us understand trends and needs of our applicants, students, and others
• Evaluating candidates for employment and administering employment relationships
• Meeting the requirements of our accreditors
• Performing marketing, promotions, and advertising, either directly or through third parties. These activities may include interest-based advertising, targeted advertising, and online behavioral advertising in order to increase the likelihood that the content will be of interest to you
• Managing subscriptions
• Ensuring the rights and freedoms, safety, and security of our students, faculty, fellows, employees, and others
• Preventing, investigating, taking action regarding, or providing notice of fraud, unlawful or criminal activity, other misconduct, security or technical issues, or unauthorized access to or use of Personal Data, our website, or data systems
• Responding to subpoenas, court orders, or other legal processes; fulfilling and enforcing our agreements and legal rights; protecting the health, safety, rights, or property of you, us, or others; and meeting legal obligations

We may use and share information in an aggregated or de-identified manner data at our discretion, including for research, analysis, modeling, marketing, and improvement of our Services.

• Internally Within Harvard and to its Affiliates. We may share your information internally with schools, centers, or other Harvard units or Harvard-affiliated entities to facilitate and manage the purposes above.
• Service Providers. We may share your information with service providers that perform a technology, business, or other professional function for us such as processing admissions applications and applications for financial aid; online course registration and administration; event registration; IT services; maintenance and hosting of our Services and platforms; payment processors; marketing services; accounting, auditing, and tax services; and other professional services.
• Analytics and Advertising Vendors. We may work with analytics providers, who collect information via tracking technologies on our websites, to assist us with measuring visits and traffic on our websites so we can improve the performance of the sites. We work with third parties who assist us in serving advertising regarding our Services to persons who may be interested in our Services, or who use cookies to display interest-based advertising to you on our Services. These third parties may use tracking technologies to collect or receive information from our Services and elsewhere on the internet and use that information to provide measurement services and target ads. Third parties may allow other companies to access information about you so that they may market other products you may be interested in. For additional information about the information collected by Analytics and Advertising Vendors, refer to “Online User Activity, Cookies, and Information Collected by Other Automated Means.”
• Social Media Platforms. If you interact with us on social media platforms, the platform may be able to collect information about you and your interaction with us. If you interact with social media objects on our Services (for example, by clicking on a Facebook “like” button), both the platform and your connections on the platform may be able to view that activity. To control this sharing of information, please review the privacy policy of the relevant social media platform.
• Other Educational Institutions. We may share your Personal Data with other institutions for the purposes of delivering programs and services, such as cross-registration for courses, course registration and administration, course evaluation and assessment; study abroad, online education, research arrangements with other universities or institutions, and events and activities of Harvard-affiliated clubs and shared interest groups.
• Transactions and Reorganizations. We reserve the right to transfer to another entity or its affiliates or service providers some or all information about you in connection with, or during negotiations of, a merger or other transaction, including asset sales, ownership changes, and financing transactions. We cannot promise that an acquiring party or the merged entity will have the same privacy practices or treat your information the same as described in this Statement.
• Legal. We share information where necessary to comply with applicable law; to respond to requests from law enforcement agencies or other government authorities; third parties, as permitted by law and without your consent when it is necessary to protect our customers, employees, or property; in emergency situations; or to defend against legal claims and enforce our rights, including under our terms of service and policies.
• Payment Processors: In some cases, we may use a vendor to process your payment transactions with us. These vendors act as our processor when providing services to us; however, they may also use Personal Data you provide them through our platforms, applications and websites to operate and improve their services and for fraud detection, loss prevention, authentication, and analytics related to the performance of their services.  As of the last updated date of this Privacy Statement, examples include Stripe and CyberSource. To learn more about their privacy practices, you can access the Stripe privacy policy at https://stripe.com/privacy and the CyberSource privacy policy at https://usa.visa.com/legal/global-privacy-notice.html. 

Our collection, use and disclosure of Personal Data in certain contexts may be subject to other privacy regulatory frameworks, including, but not limited to:

• Education Records: The Family Educational Records Privacy Act (“FERPA”) includes specific requirements around the privacy of education records. Certain information we collect is classified as an education record, and we supply additional notices regarding our practices under FERPA. For additional information about our practices under FERPA, see the FERPA disclosures provided by individual schools. For example, Harvard College’s disclosure can be viewed by visiting https://registrar.fas.harvard.edu/student-information-privacy.
• Protected Health Information: The Health Insurance Portability and Accountability Act (“HIPAA”) applies to “covered entities” and their “business associates” and includes specific requirements around the protection of “protected health information.” Where relevant, we provide you with any required notice of privacy practices describing our processing of protected health information subject to HIPAA.
• Financial Information: Some information we collect, including certain student loan data, is subject to the Gramm-Leach-Bliley Act (“GLBA”), which includes specific requirements around the protection of nonpublic financial information maintained by financial institutions.
• Research: Our researchers, research collaborators, and service providers may collect, use, and share your Personal Data as part of a research study in which you have agreed to participate as a research subject, or in which your existing data are used. Most often, before any Personal Data are collected for research purposes, as a research subject you will be provided a consent and/or authorization form relating to the specific research project that explains the types of data collected and the purposes for which such data will be processed and shared.

We may provide you with additional privacy notices that disclose our data collection, use, and other practices that are subject to other privacy regulations. In the event any disclosure in the supplemental notice is inconsistent with the disclosures made under this privacy notice, the relevant disclosure in the more targeted supplemental notice will control.

We keep your Personal Data for different lengths of time depending on the type of information, the purpose for which it was collected and used, and applicable operational and legal requirements. 

For example, we generally retain Personal Data as follows:

• For as long as may be required under applicable law
• As needed to resolve disputes or protect our legal rights
• For as long as is necessary for the purposes set out in this Statement, in accordance with law and, if applicable, the legal bases for acquiring the data.

Consistent with the foregoing guidance, some data may be retained indefinitely. 

Where appropriate, we may seek to remove personal identifiers or use aggregation, pseudonymization, or other anonymization methodologies to “de-identify” information.

Much of our Personal Data processing takes place in the United States, though sometimes we or third parties with whom we share data may process data in other countries. The data protection laws in the United States and other countries may provide less protection than such laws in your country of residence. In the event we transfer your Personal Data outside your country of residence as part of our processing, we may utilize safeguards or specific legal provisions permitting such transfers.

When transferring Personal Data from a country in the European Economic Area (“EEA”) or from the United Kingdom (“UK”) to a country outside the EEA and the UK, we may base such transfers on contracts containing legally authorized data protection clauses referred to as Standard Contractual Clauses. You may request more information by contacting us as set forth in the “Contact Us” section below.

You may have certain data subject rights. These rights vary by state and country, and we reserve the right to reject some or all of your request to exercise these rights to the extent permitted by applicable law in the relevant jurisdiction (“Relevant Law”).

To the extent required by Relevant Law, upon your reasonable and good faith request, we will inform you whether we hold any of your Personal Data as part of our processing. With respect to your Personal Data collected and used in our processing, under the Relevant Law you may also be able to:

• obtain a copy of your Personal Data in an easily accessible format
• request that we correct or update any of your Personal Data that is inaccurate
• restrict or limit the ways in which we use your Personal Data, including sensitive Personal Data
• object to the processing of your Personal Data for certain purposes, including sale, targeted advertising, and automated decision-making
• request the deletion of your Personal Data
• request that we transmit your Personal Data to another party

To submit a request, please complete the Data Subjects Rights Request Form. Because we want to avoid taking action regarding your Personal Data at the direction of someone other than you, we may need to ask you for information verifying your identity. Under some laws, you may authorize another individual or a business, called an authorized agent, to make requests on your behalf through these means. We will respond to your request within a reasonable timeframe.    

If our processing of your Personal Data is solely based on your consent, in certain cases you may also have the right under a Relevant Law to withdraw your consent to our processing. If you withdraw your consent to the use or sharing of your Personal Data for the purposes set out in this Statement, or otherwise limit our use of your Personal Data or request its deletion, we may no longer be able to provide you with some or all of the related services.  

Please note that, in certain cases, we may continue to process your Personal Data after you have withdrawn consent or requested that we delete your Personal Data, if we have a right to do so under applicable law. For example, we may need to retain certain data to comply with an independent legal obligation, for achieving the lawful purposes for which we obtained the data, or for such reasons as keeping our Services and operations safe and secure or safeguarding our rights or the rights or safety of others. 

If you have any complaints regarding our privacy practices, you may be able to make a complaint to your national data protection authority, supervisory authority, state attorney general, or other legal authority. Additionally, to appeal the denial of a data subject rights request, you may complete the Data Subjects Rights Request Form and supply sufficient information for us to identify your prior request.

You may have certain choices when it comes to how we collect and use your information.

Email Marketing. If at any time you no longer wish to receive marketing communications from us, you can click the unsubscribe link at the bottom of the relevant email.

SMS Marketing. Consent to receive automated marketing text messages is not a condition of any service or purchase. You can opt out of receiving commercial text messages by responding to any of our text messages with any of the following replies: STOP, END, CANCEL, UNSUBSCRIBE, or QUIT. If you opt out, we may still send you non-marketing messages, such as messages regarding the status of your orders, service-related communications, campus-wide alerts, or ticketed event reminders.

Some of our online activities, such as course websites, listservs, and community forums, enable users to submit their own content. Please remember that any Personal Data you submit or post as user-generated content in these circumstances could be seen by others or become public. You should exercise caution when deciding to disclose your personal, financial, or other information in such submissions or posts. We cannot prevent others from using that information in a manner that may violate this Statement, the law, or your personal privacy and safety. We are not responsible for the results of such postings.

Occasionally we provide links, redirection or access to other third-party websites or embedded content for your convenience and information. These third parties operate independently from us and are not under our control. These third parties may have their own privacy notices or terms of use, which you should review if you visit or access any sites or embedded content through our website. We are not responsible for the content or use of these sites or third-party embedded content.

We use a combination of physical, technical, and administrative safeguards to protect the information we collect. While we use these precautions to safeguard your information, we cannot guarantee the security of the networks, systems, servers, devices, and databases we operate or that are operated on our behalf.

In most cases, the platforms, applications, and websites we provide are not directed toward children under 16, and we do not intentionally collect Personal Data from children on those platforms, applications, or websites. If we have inadvertently collected the Personal Data of a child under 16, or equivalent minimum age depending on jurisdiction, a parent or guardian of that child may contact us as set forth in the “Contact Us” section below to request that we delete the information from our records or otherwise cease the use of that information. 

Outside of our platforms, applications, and websites, we may collect information about children in limited instances, such as in the provision of health services, employment benefits, research, and certain educational programs. In most of these cases, we do not collect information directly from the children themselves.

We process Personal Data pursuant to the following legal bases under the European Union’s General Data Protection Regulation (GDPR) and similar laws:

• to facilitate transactions requested by you and meet our contractual obligations, including
  • registering you for events
  • processing your application for admission
  • processing of donations
  • registering you for an online education course
  • providing educational programs
  • managing employment or other work relationships
  • paying faculty, employees, research collaborators, and research subjects
• as necessary for compliance with a legal obligation, including
  • to provide required tax information
  • to report adverse events to regulatory authorities like the U.S. Food & Drug Administration that oversee the safety of medical products and research
• on the basis of your consent, where applicable
• to pursue our legitimate interests, including
  • providing educational offerings and conducting admissions research
  • requesting gifts or donations
  • providing educational offerings and evaluating your performance
  • managing internal administrative tasks
  • conducting analytics (including website analytics) to improve program offerings
  • conducting research
• as necessary for the performance of tasks we carry out in the public interest (for example, to further research and understanding in fields of academic study)
• where processing is necessary for scientific or historical research purposes and performed consistent with required data protection safeguards

Please note that where we process your Personal Data on the basis of your consent, you have the right to withdraw your consent at any time.

We may update this Statement from time to time without prior notice by posting a revised Statement. You can determine when this Statement was last revised by checking the Last Updated date at the top of this Statement.

This Privacy Statement describes activities where Harvard University is acting as the controller of the Personal Data collected and used. In limited circumstances, Harvard may act as a processor where it is providing services to third parties, and in those cases the third party is responsible for providing privacy disclosures. 

In some cases, Harvard is required to appoint a representative in jurisdictions outside of the United States. Harvard has appointed the following representatives:

Representative in the European Economic Area:

• Name: Harvard Global Research Support Centre Ireland DAC
• Online: Representative Form
• Address: Harvard Global Research Support Centre Ireland DAC
  Attention: GDPR Representative
  10 Earlsfort Terrace, Dublin 2, D02 T380, Ireland

Representative in the UK:

• Harvard Global UK
• Online: Representative Form
• Address: Harvard Global UK
  Attention: GDPR Representative
  71 Queen Victoria Street
  London, United Kingdom EC4V 4BE

If you have any questions, comments, requests, or concerns about this Statement or other privacy-related matters, you may contact us in the following ways:

• Online: Request Form
• Address: Harvard University
  Attention: Harvard Information Security and Data Privacy
  8 Story Street
  5th Floor
  Cambridge, MA 02138 USA