Privacy Policy
 

Effective Date: May 28, 2026

Carnegie Mellon University (“CMU,” “we,” “us,” or “our”) is committed to privacy and data protection. This Privacy Policy applies to all personal data CMU collects from you, through the CMU Internet of Things (IoT) Privacy Infrastructure Project, including the Internet of Things Assistant (“IoTA”) mobile app (“IoTA Mobile App”), and the IoT Privacy Infrastructure portal (“IoT PI”) which includes Internet of Things registries for IoT Resources (“IoT Resource Registries” or “IRRs”) (collectively the “Services”), as well as how we use and protect personal data.

This Privacy Policy covers personal data CMU collects when you use the Services. It does not govern the substantive accuracy, completeness, or legality of User-Submitted Registry Content — meaning IoT Resource Listings, IoT Resource Templates, and other content submitted by users for publication in IoT Resource Registries ("IRRs"). This term is used interchangeably with 'User Content' as defined in the Terms of Use.

CMU acts as a hosting intermediary with respect to User-Submitted Registry Content provided by others and does not create, independently verify, or endorse such content.

This Privacy Policy does not apply to: any third-party applications or software that integrate with the Services, the IoT Resources (defined below), or any other third-party products, services or businesses (collectively, “Third Party Services”). Third Party Services are governed by their own privacy policies. We recommend you review the privacy policy governing any Third Party Services before using them.

Do not submit content through the Services that could facilitate harassment, stalking, or doxxing of private individuals — including content that links a private individual's home address or precise location to their identity in a way that is not necessary to describe an IoT Resource and could reasonably expose that person to harm. Violations may result in content removal and account suspension as described in the Terms of Use, Sections 'Prohibited Uses/Activities' and 'Content Removal Rights'.

As used in this Privacy Policy and the Terms of Use, a 'private individual' means a natural person who is not identified in their professional, organizational, or official capacity, and whose personal information is not already publicly available through governmental registries, regulatory disclosures, or widely distributed public sources. This includes individuals not acting as officers, directors, or authorized representatives of organizations operating IoT Resources.

Any questions or concerns regarding CMU’s privacy and data protection practices can be directed to privacy@andrew.cmu.edu.

If you have not done so already, please also review the IoT PI Terms of Use https://www.iotprivacy.io/terms-of-use and the IoTA Mobile Application End-User License Agreement https://www.iotprivacy.io/end-user-license-agreement as applicable to the Services you are using.

1. OVERVIEW

The Internet of Things Privacy Infrastructure Project is a system developed at the School of Computer Science at Carnegie Mellon University, under the coordination of Prof. Norman Sadeh. Its purpose is to provide a tool to publicize the presence of IoT devices, IoT services, IoT systems (collectively referred to as “IoT Resources”) in a given area, such as a university campus, a building, a shopping mall, a room, a stadium, a city block, an entire neighborhood, or a larger geographical area, such as an entire city. The Internet of Things Privacy Infrastructure Project has two components:

1) The IoTA Mobile App, which helps users discover IoT Resources deployed in their vicinity by identifying and querying IoT Resource Registries that pertain to the user’s current location. The IoTA informs the user about the data collection and use practices associated with the IoT Resources it discovers. The IoTA also enables users to discover and configure privacy settings that may be offered by IoT Resources (e.g., data deletion, opting in or out of some data collection or sharing practices, or data access requests).

2) The IoT PI, which enables people and organizations to inform the public about the presence of IoT Resources deployed in different areas. Individuals and organizations can request the creation of IRRs through the IoT PI. Individuals and organizations can use the IoT PI to create descriptions of IoT Resources (“IoT Resource Listings”) and request their publication in IRRs, enabling mobile users to discover them using their IoTA Mobile App. The IoT PI also enables users to create partial descriptions of IoT Resources that can later be used as a starting point to create IoT Resource Listings ('IoT Resource Templates'). IoT Resource Templates may be reused and edited by their creator, and in the future may be made available for use by others, subject to additional terms. The Services support ongoing research at Carnegie Mellon University conducted under the direction of Prof. Norman Sadeh. The Services may be instrumented to collect anonymous usage statistics. Where research activities involve the collection of personal data, such collection will occur only under a protocol approved by CMU's Institutional Review Board ('IRB') and with the explicit consent of participating individuals. The Services may be supported in part by third-party sponsors; see the 'About' section for current funding information.

3) The Services are designed to promote transparency about IoT Resources in physical spaces. However, structured publication of location-linked information can increase safety and privacy risks when it enables identification or targeting of individuals. CMU therefore applies data-minimization principles and content-safety controls as described in this Privacy Policy and the applicable Terms of Use. Where User-Submitted Registry Content presents a safety or privacy concern, CMU reserves the right to review, restrict, or remove that content.

4) Your use of the Services is also governed by the IoT PI Terms of Use ("Terms of Use"), which contain additional provisions relating to user-submitted content, prohibited uses, content moderation, and your representations and warranties as a contributor to IoT Resource Registries or as an administrator of an IoT Registry. In the event of a conflict between this Privacy Policy and the Terms of Use with respect to the collection, use, or disclosure of personal data, this Privacy Policy governs.

2. PERSONAL DATA WE COLLECT

We collect, use, retain, and share personal data only as reasonably necessary and proportionate to provide the Services, protect the security and integrity of the Services, and support approved research activities as described in this Privacy Policy.

If we materially change what we collect or how we use it in a way that is inconsistent with user expectations for the Services, we will provide additional notice and, where required, obtain consent before the new processing begins.

Children's Data. The Services are not directed to children under the age of 18, and we do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18 without verifiable parental consent, we will take reasonable steps to delete that information promptly. If you believe we may have collected information from a child under 18, please contact us at privacy@andrew.cmu.edu.

User-Submitted Registry Content may be publicly accessible. If you submit IoT Resource Listings for publication in an IRR, that content may be made publicly viewable by registry administrators and others.

Please avoid including personal information — including information about private individuals — in those submissions unless it is necessary and appropriate for the stated transparency purpose of the relevant registry.

CMU collects data to provide the Services you request, address security issues and potential abuse, ease your navigation of Services supported by our IoTA Mobile App and our IoT PI, communicate with you, and improve your experience using the Services. We also collect data for research conducted under our project; when such research includes the collection of personal data, it follows research protocols approved by CMU's Institutional Review Board.

Some of this data is provided by you directly, such as when you register for the Services. Some of the information is collected through your interactions with the Services. We may collect such data using technologies like cookies and other tracking technologies, error reports, and usage data collected when you interact with CMU Services running on your device.

The data we collect depends on the Services and features thereof that you use, and includes the following:

Data Collected through the IoTA Mobile App:

Profile Data: Your Email ID, username, and password are required to create an account that will enable you to fully use the IoTA Mobile App and will also enable us to communicate with you. An account is not needed if you only want to use the IoTA Mobile App to locate IoT resources near you and learn about their data practices. An account is needed if you want to configure notifications and/or take advantage of privacy options made available by some IoT resources.

Optional Device Authentication: The IoTA Mobile App offers an optional security feature that allows you to require device-level authentication — including Face ID, fingerprint recognition, or your device PIN — each time the app opens. This feature operates entirely through your device's operating system authentication functionality. CMU does not collect, access, store, or process any biometric data in connection with this feature, and no biometric information is transmitted to CMU's servers or shared with any third party.

Location Data: If you authorize our IoTA Mobile App to access your device's location, the app uses your device's location data to show you IoT Resource Registries and IoT Resources near you, and, depending on your notification settings, to also notify you of relevant resources. You can grant or deny permission to access your device's location at any time through your device's operating system's settings. You can also modify your notification settings at any time within the IoTA Mobile App and can turn off notifications at any time through your device's operating system settings. When you authorize the IoTA Mobile App to access your device's location and the app shows you resources and registries around you, it will display this information using Google Maps and also show your location on the map as a blue dot. To protect your privacy, we have designed this feature to minimize what is shared with Google and to prevent your location from being linked to your identity. Your device's location is obtained directly from your device's operating system; we do not allow the Google Maps software running in our app to independently access your device's location. We use your location on our own servers to identify nearby IoT Resource Registries and IoT Resources, and we do not send your name, email address, or account identifier to Google. Google does receive the coordinates needed to display the map, information about the map area being viewed and your interactions with the map (such as panning and zooming), your device's IP address, and standard request metadata such as device type and operating system version. Google receives this information as an independent data controller and processes it in accordance with Google's own privacy policy and the Google Maps Platform Terms of Service. For more information on how Google handles data through Google Maps, please see Google's Privacy Policy at https://policies.google.com/privacy.

Sensitive location caution. Precise location information can be sensitive — for example, it can reveal visits to certain locations that a person may wish to keep private. We designed the IoTA Mobile App to minimize the collection and retention of location-linked data and to provide you with meaningful controls through your device's permission settings. We provide notice of location access through your device's operating system permission prompt, which appears the first time the IoTA Mobile App requests access to your device's location. You may modify this permission at any time through your device's operating system settings. We do not use location data — whether precise or approximate — to build advertising profiles, to engage in cross-context behavioral advertising, or for any commercial purpose unrelated to the Services. We do not sell or share your location data for such purposes.

Motion & Physical Activity Data: This data is used to minimize battery consumption on your mobile device. Our app only requests this permission after you have granted "Location (always)" and "Notification" permissions, since motion data is only useful in conjunction with those features. Both iOS and Android will request your permission the first time the app needs to access this information, and the data can only be accessed if you grant this permission. In iOS (Apple devices) the permission is called "Motion & Fitness Activity"; in Android, it is called "Activity Recognition."

When the permission is granted, our app accesses your device's motion and physical activity classification (provided by iOS Core Motion or Android Activity Recognition) to detect whether you are stationary or moving (e.g., walking, in a vehicle). This lets us avoid recomputing your location when you haven't moved, which conserves battery life and reduces unnecessary location queries — this makes a significant difference in battery usage.

We do not access raw sensor readings (such as accelerometer or gyroscope data), and we do not use this information for fitness tracking, health analysis, or profiling. The motion classification is computed on your device by the operating system and delivered only to our app. It is not stored by the IoTA mobile app or anywhere in our databases, is not transmitted to our servers, and is not shared with any third-party service such as analytics or advertising providers. This data is used solely to determine when to refresh location data in order to conserve battery life, and for no other purpose.

Technical Data: Metadata that is used for the research purpose of understanding how you interact with our Mobile App. This data will be analyzed to learn about the usability of the IoTA Mobile App. This will include time spent using the app, navigation of different menu options, types of IoT Resources and data practices you look at, and crash reports. Crash reports may include technical information such as device identifiers, app state, and error logs; we use this information solely to diagnose and improve the Services and do not use it to identify individual users. Crash reporting is handled through software hosted on CMU's own servers; crash data is not transmitted to third-party crash reporting services. Note that the IoTA Mobile App includes the Adjust SDK for deferred deep linking purposes, which transmits certain technical and device data to Adjust's servers as described in Section 4 of this Privacy Policy. Adjust does not receive crash data and is not used for crash reporting.

Data We Collect to Manage your Privacy Requests: The IoT PI helps users manage privacy requests made available to them by some IoT resources. Currently, two different approaches are available to handle such requests. In all cases, to handle privacy requests, IoT resources (or the entities managing these resources) need to be able to identify the particular user associated with a given request and locate relevant information for that user (e.g., information they may have collected about that user). Each approach involves a slightly different process and each resource description has the option of selecting from the two currently supported approaches. Privacy requests may include requests to opt in or opt out of some data practices (e.g., opt-out of certain data practices, access to one's data, or deletion of one's data, where available under applicable law), requests to receive a copy of one's data, requests to delete one's data and more. The following outlines how each of the two approaches works and what data they require:

1. IoT Resource portal requests: In the simplest option, an IoT resource description publicizes a URL that IoTA Mobile App users can access by clicking a button in the resource description shown in their app. When they do so, users get redirected to a portal where they authenticate and access privacy options made available for the IoT resource, by that IoT resource. This portal is not under our control and will typically be operated by the entity managing that IoT resource or a third-party entity acting on behalf of it. Authentication with this portal, information possibly requested to verify that the user qualifies to submit some privacy requests, as well as the privacy requests themselves, are all handled by the portal and are not under our control.

2. Email-based requests: IoT resources also have the option of supporting privacy requests via email, as required under some privacy laws. In this case, the resource description includes an email address that can be used by users to submit their privacy requests. Under this scenario, the IoTA Mobile App will list available privacy requests supported by the IoT resource and indicate that these requests are supported via email. When an IoTA app user clicks one of the requests supported by the resource, the app opens the user's email client and shows a draft email crafted to submit this particular request. The app pre-fills the email's sender field with the email address the user used to register with the IoTA Mobile App. The user may edit this field before sending. The draft is based on templates used by the IoT PI for different types of privacy requests. The user is given an option to review the email draft and then send it. Users should avoid including sensitive personal information beyond what is necessary to identify themselves and communicate the nature of their request. CMU does not review the content of emails sent through users' email clients. The user is further instructed that the IoT resource owner may follow up directly with the user prior to acting on the request. When an IoTA app user submits a privacy request using this approach, the app fills the email's sender field with the email address used by the user to register with the app. When reviewing the draft message, the user has the option to edit this field as well as the content of the email. The IoTA app and more generally the IoT PI do not have access to any follow-up emails the user might receive and send in regard to requests they submit when using this approach. The IoTA Mobile App does not send the email on the user's behalf and has no access to the content of the email once the user's email client has transmitted it.
Any follow-on communications between the user and the IoT resource operator occur entirely outside of CMU's Services and are not under CMU's control. CMU cannot guarantee the IoT resource operator will honor, acknowledge, or respond to the request. The IoTA app does however record the particular request submitted by the user, including the date and time when it was submitted. This information is stored in the IoTA app's database and is not sent to our servers or shared with any third party (besides the entity receiving the email request from the user's email account). This record is retained in your app for as long as your account is active and is used solely to display your privacy request history within the IoTA Mobile App.

Unique identifiers Used to Keep Track of User-Specific Privacy requests: These identifiers are used to keep track of your privacy requests about options made available by IoT Resources, whether directly or via third party privacy options management functionality - when such options are available. The unique identifiers are used by the IoT resource operators themselves or by third party privacy options management functionality to communicate your decisions to our IoT PI. They are also used by our IoT PI to communicate your decisions back to your IoTA Mobile App. Examples of privacy requests include opting in, opting out, requesting deletion of your data, and more.

Your Privacy Requests: Privacy requests that you make using the IoTA Mobile App such as opting in or out of some data collection and use practices, requesting that your data be deleted or exercising other privacy choices made available by individual IoT Resources published in the IoT Privacy Infrastructure. These decisions are directly communicated by you to the IoT Resource or to third party privacy options management functionality responsible for implementing them.

Please bear in mind that actual implementation of privacy requests you submit for IoT Resources is not the responsibility of the IoT PI. Instead, processing of these requests is the responsibility of the entities controlling these IoT Resources. These entities are the Controllers of any data collected by their IoT Resources. Our IoT PI helps you communicate your privacy requests but has no control over the actual processing of your requests.

As part of our research, we may collect information about the privacy requests you submit to help evaluate the engagement of our users, learn about the types of privacy requests they submit and to explore the development of models of people's privacy preferences.

Device and Technical Data:

When you access or use the Services, we and our service providers may automatically collect certain technical information from your device and browser, including:

  • your Internet Protocol (IP) address and approximate geographic location derived from it;
  • device type, operating system, and operating system version;
  • browser type, language, and settings;
  • referring and exit pages, clickstream data, and pages or features of the Services you access;
  • date and time of access; and
  • other usage details and interaction data collected through cookies, server logs, and similar technologies, as described in Section 9 (Cookies & Other Technologies).

This technical information may in some cases constitute personal data or may be combined with personal data we hold about you. If we combine technical or usage data with personal data so that it directly or indirectly identifies an individual, we treat the combined information as personal data subject to this Privacy Policy.

Data From Third-Party Sources:

We may receive information about you from third parties who assist us in operating the Services, including hosting providers and authentication or account-verification services. We may combine that information with data we collect directly from you. Any data we receive from third parties is subject to this Privacy Policy and is used only for the purposes described herein.

Aggregated and Statistical Data:

We may derive statistical or aggregated data from personal data we collect. Aggregated or de-identified data does not directly identify you and is not treated as personal data under this Privacy Policy. However, if we combine or associate aggregated or de-identified data with personal data in a way that could directly or indirectly identify an individual, we will treat that combined data as personal data.

Information About Non-User Third Parties in Registry Listings:

IoT Resource Listings may include information about third parties — such as organizations or individuals identified as IoT resource operators or owners — who are not themselves users of the Services. Such information is submitted entirely by contributing users, not by CMU. CMU does not independently verify the accuracy of information identifying third-party operators or owners. If you believe that an IoT Resource Listing contains inaccurate or privacy-invasive information about you or your organization, please use the Reporting and Content Removal procedures described in this Privacy Policy.

Data Collected through the IoT PI:

Profile Data and Identity Data: Email, legal name, and password of IoT PI users (namely IRR contributors, IRR owners/administrators, IoT Resource Template contributors) to enable them to create an account and use the IoT PI. In the case of IRR owners/administrators, we also require the street address of registry owners, whether individuals or organizations. Optionally, if the owner is an organization, we also collect the role within the organization of the individual entering the information. Profile data is used to communicate with IoT PI users, hold users accountable and mitigate abuse.

IoT Resource Listings: Information you contribute regarding IoT Resources. This information may include resource names, locations, descriptions, links to privacy policies and privacy settings, and other information. Resource listings only include personal data to the extent you enter such information as part of the resource listing.

IoT Resource Templates: Information you contribute regarding IoT Resource Templates. This information may include IoT Resource Template names, IoT Resource Template descriptions, links to privacy policies and privacy settings, and other information. IoT Resource Templates only include personal data to the extent you enter such information as part of the IoT Resource Template.

Registry submission restrictions: When submitting IoT Resource Listings or IoT Resource Templates, do not include: (i) information that identifies the home addresses of private individuals or other personal information or identifiers not necessary to describe an IoT Resource; (ii) personally identifying information about individuals when these individuals have not explicitly consented to the public disclosure of their information; or (iii) content designed to harass, intimidate, stalk, or facilitate doxxing. Submissions may be reviewed and may be removed, edited for safety, or restricted in visibility if they present a safety, privacy, or legal risk.

Unique identifiers Used to Keep Track of User-Specific Privacy Requests: As indicated under "Data Collected Through the IoTA App", the IoT PI supports multiple approaches to handle privacy options selected by users for particular IoT resources. Some of these approaches involve the use of unique request IDs, including unique request IDs for the IoT PI to communicate with the IoTA app about specific requests submitted by a user. Some also involve the use of unique request IDs for the IoT PI to communicate with entities involved in processing privacy requests submitted by users, whether the owner of a given IoT Resource or a third party service used by the owner of the IoT resource to help it manage privacy requests.

Technical Data: Metadata that is used for the research purpose of understanding how you interact with the IoT PI. For instance, we may look at the number of times you click on “more information” icons, the amount of time you spend in creating an IoT Resource listing or an IoT Resource Template, and other actions indicative of how you interact with the IoT PI.

Information stored by session cookies. We use session cookies that allow you to be recognized within the IoT PI without requiring you to re-authenticate from page to page. These session cookies expire once you log out or after 2 hours of inactivity.

3. HOW WE USE PERSONAL DATA

We will only use personal data when the law allows us to. Most commonly, we will use personal data for the following lawful purposes:

  • Where we need such information to perform the contract (i.e. Terms of Use or End-User License Agreement) we are about to enter into or have entered into with you (“performance of a contract”).
  • Where we receive your consent (“consent”).
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (“legitimate interest”).
  • Where we need to comply with a legal or regulatory obligation (“legal obligation”).

Geolocation purpose limitation: We use personal data — including location-related data — only for the purposes described in this Privacy Policy and in a manner consistent with user expectations for the Services. We do not use precise geolocation data for targeted advertising, we do not sell it, and we do not permit third parties to use it for their own independent commercial purposes except as necessary to provide the Services as described (for example, map-tile retrieval).

Please note that we may process personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

We have set out below, in a table format, a description of all the ways we plan to use personal data about you, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

| Purpose/Activity | Type of data | Lawful basis for processing |
| --- | --- | --- |
| To manage our relationship with you, which will include: • Notifying you about changes to our Terms of Use, to our End-User License Agreement or to our Privacy Policy • Providing Services | (a) Profile and Identity Data (IoT PI); (b) Profile and Identity Data (IoTA Mobile App and IoT PI) | Performance of an applicable contract |
| To maintain your user account information and authenticate you. | (a) Profile and Identity Data (IoT PI); (b) Profile and Identity Data (IoTA Mobile App and IoT PI) | Performance of an applicable contract |
| To center the IoT PI’s map tool. The IoT PI has a map tool for you to define the area of coverage of Registries and of IoT Resource Listings. To the extent your browser settings allow for it, we use your geographical location as obtained by your browser to center the map. Otherwise, the IoT PI’s map tool will not be re-centered to adjust for your location. This location data from your browser is accessed by a third-party map provider to retrieve map tiles, but not transmitted to or stored in the IoT PI. | (a) Location (IoT PI) | Performance of an applicable contract |
| To show you and notify you about relevant Registries and IoT Resources, namely (1) to identify IoT Resources near your location and to identify the data collection and use practices of these IoT Resources, and (2) to notify you of nearby IoT Resources when you select “Always” and “The First Time” in your notification frequency settings. | (a) Location (IoTA Mobile App) | Performance of an applicable contract |
| To minimize battery consumption on your mobile device when it comes to using your location to notify you about nearby resources. This is only used if you grant “Location (always)” and “Notification” permissions to the IoTA Mobile App. This data is only accessed to refresh readings of your location used to notify you about nearby resources. This information is not stored by the IoTA Mobile App. | (a) Your Motion & Fitness Activity data on your device (IoTA Mobile App). | Performance of an applicable contract |
| To allow for the publication of IoT resource listings | IoT Resource Listings (IoT PI) | Performance of an applicable contract |
| To analyze the contents of the IoT Resource listings you create | (a) IoT Resource Listings (IoT PI) | Necessary for our legitimate interests (to improve our service, to provide accurate information, and to prevent fraud and abuse) |
| To allow for the publication of IoT Resource Templates you create | (a) IoT Resource Templates (IoT PI), including information about the registry owner, whether an individual or an organization (including street address) | Performance of an applicable contract |
| To analyze the contents of the IoT Resource Templates you create | (a) IoT Resource Templates (IoT PI) | Necessary for our legitimate interests (to improve our service, to provide accurate information, and to prevent fraud and abuse) |
| To keep track of your specific privacy requests as communicated by you either directly to individual IoT Resources or to third party privacy options management functionality responsible for capturing and implementing privacy requests | (a) Your Privacy Requests (IoTA Mobile App and IoT PI); (b) Unique identifiers Used to Communicate and Keep Track of User-Specific Privacy requests (IoTA Mobile App and IoT PI) | Performance of an applicable contract |
| To conduct scientific research, including the ability to contact users and ask them to participate in studies (e.g. conducting surveys). | (a) Identity (IoT PI); (b) Profile (IoT PI); (c) IoT Resource Listings (IoT PI); (d) IoT Resource Templates (IoT PI); (e) Technical data (IoT PI); (f) Your privacy requests (IoT PI); (g) Location (IoT PI) | Necessary for our legitimate interests (to conduct scientific research under applicable research protocols and sponsor requirements, as described in this Privacy Policy and related research documentation). |
| To administer and protect our Services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data, preventing fraud and abuse) | (a) Identity (IoT PI); (b) Profile (IoTA Mobile App and IoT PI); (c) IoT Resource Listings (IoT PI); (d) IoT Resource Templates (IoT PI); (e) Technical data (IoTA Mobile App and IoT PI); (f) Your privacy requests (IoTA Mobile App and IoT PI); (g) Location (IoT PI and IoTA Mobile App) | Necessary for our legitimate interests (for running our Services, provision of administration and IT services, network security, and to prevent fraud and abuse) |
| To use data analytics to improve our Services, our marketing, user relationships and experiences | (a) Technical data (IoTA Mobile App and IoT PI) | Necessary for our legitimate interests (to keep our Services updated and relevant, and to promote adoption and use of our Services) |

To support deferred deep linking in the IoTA Mobile App via the Adjust SDK, enabling users who scan a QR code for a specific IoT Resource to be directed to the correct page within the app after download.

(a) Device and technical data transmitted to Adjust, including IP address, device identifiers, install referrer data, and session information (IoTA Mobile App)

Necessary for our legitimate interests (to provide core app navigation functionality) and performance of an applicable contract.

4. HOW WE SHARE PERSONAL DATA

It is the practice of CMU to protect users’ information. Access to our users’ information is restricted to only those employees or agents, contractors or subcontractors of CMU who have valid reasons to access this information to perform any Service you have requested or authorized, or for any other purpose described in this Privacy Policy.

The information you provide will not be sold or rented to third parties. Personal data may be disclosed to trusted service providers, contractors, and (as applicable) subrecipients who perform functions necessary for the operation, security, or research administration of the Services, subject to written agreements designed to maintain effective internal controls and safeguard personal data and other sensitive information.

Such parties are prohibited from using personal data for any purpose other than as instructed by CMU and must implement reasonable security measures appropriate to the sensitivity of the data they process.

CMU evaluates and monitors vendor and subrecipient compliance with applicable privacy, confidentiality, and information-security obligations. When instances of noncompliance are identified, CMU takes corrective action, which may include suspension of data access, contract termination, or notification as required by applicable award conditions or law.

Legal disclosures. We may disclose personal data to governmental authorities, regulators, courts, or law enforcement agencies: (i) to comply with applicable law, legal process, or a lawful governmental request; (ii) to enforce or apply our Terms of Use or other agreements; (iii) to protect the rights, property, or safety of CMU, our users, or others; or (iv) in connection with fraud prevention, security investigations, or research compliance audits. Where feasible and legally permissible, we will notify affected users of such disclosures. We may also share information — including account information and submission records — with law enforcement in emergency circumstances where CMU, in good faith, believes that disclosure is necessary to prevent imminent harm to an individual, consistent with the Terms of Use.

Aggregated or de-identified data. We may disclose aggregated, anonymized, or de-identified information that does not identify any individual to third parties — including academic partners, research sponsors, and the public — without restriction. This may include aggregate statistics about Services usage, registry activity, or IoT resource discovery patterns.

We may provide personal data to:

  • outsourced service providers who perform functions on our behalf, located inside or outside of the EU territory (in such case, we will use an appropriate legal framework to operate data transfers); for example, personal data may be stored on cloud hosting services such as Amazon Web Services;
  • our authorized agents and representatives, located inside or outside of your country of residence (in such case, we will use an appropriate legal framework to operate data transfers), who provide services on our behalf, such as training service providers; and
  • anyone expressly authorized by you to receive personal data about you.

Provided personal data may also be disclosed to government agencies or regulatory authorities only as required by law, regulation, or binding grant/IRB obligations (such as audit by approved research sponsors including the NSF or DoD for compliance with research protocols, or to federal oversight offices for human subject protection).

We do not provide personal data to government entities except under valid and enforceable legal process or in furtherance of legal or grant-related responsibilities.

In order for the IoTA Mobile App and the IoT Privacy Infrastructure to function, we rely on the following third party service providers:

  • Amazon Cloud - Amazon Web Services (AWS)
  • Mapbox - Third party map tile provider for the IoT web portal
  • Google Maps - Map provider for the IoTA Mobile App
  • Adjust - CMU uses the Adjust SDK to support deferred deep linking in the IoTA Mobile App. Deferred deep linking is the functionality that directs a user who scans a QR code for a specific IoT Resource to the correct page within the IoTA Mobile App after the app has been downloaded. To support this functionality, the Adjust SDK collects and transmits to Adjust's servers certain technical and device information, which may include your IP address, device model, operating system version, app version, session timestamps, install referrer data, and a persistent device identifier generated by Adjust. On iOS devices, the Adjust SDK may also receive your device's advertising identifier (IDFA) if you have granted consent through Apple's App Tracking Transparency (ATT) prompt. On Android devices, the advertising identifier (GAID) is not collected. CMU has configured the Adjust SDK to disable third-party data sharing, meaning the information collected by Adjust is used solely to enable deferred deep linking and is not shared with third-party advertising networks or used for behavioral advertising or attribution for commercial purposes. Adjust processes this data as a service provider acting on CMU's behalf and subject to CMU's instructions. Adjust may process this data on servers operated by its authorized sub-processors, which include server hosting providers located in Germany, the Netherlands, and the United States. Cross-border transfers of personal data are governed by standard contractual clauses or other appropriate transfer mechanisms. For further information about Adjust's data processing and sub-processors, please see Adjust's Privacy Policy.
  • Third party libraries (e.g., Laravel PHP framework, Bootstrap front-end framework, NPM package manager, Vue.js JavaScript framework, Flutter framework)
  • Third party email providers (Google G Suite, Amazon Simple Email Services)

Please note that some of the Services may direct you to services of third parties whose privacy practices differ from CMU’s. If you provide personal data to any of those services, your data is governed by their privacy statements or policies. Carnegie Mellon University is not responsible for the privacy practices of these Third Party Services. Please review the privacy policies for these Third Party Services to understand how they process your information.

No sale of personal data. CMU does not sell personal data to third parties and does not share personal data with third parties for their own independent commercial advertising or marketing purposes.

5. HOW YOU MAY SHARE PERSONAL DATA

Certain features of the Services may allow you to share information with others or to submit content for publication in registries. Do not share personal data about yourself or others — including home addresses or other personally identifying information about private individuals — through the Services' sharing features or registry submission forms, unless you have the right to do so and it is appropriate for public disclosure. You are responsible for the content you choose to submit or share through these features, and CMU does not verify or endorse user-submitted content. CMU reserves the right to remove content that violates applicable policies or applicable law.

Reporting and Content Removal

This section describes the content reporting process from a privacy and data protection perspective. For complete terms governing user conduct, prohibited content, and CMU's enforcement authority, see the Terms of Use, Sections 'Prohibited Uses/Activities,' 'Content Removal Rights,' and 'Content Removal and Reporting.'

CMU is committed to addressing content that is unlawful, harmful, harassing, or otherwise in violation of applicable law or policy. This section describes how to report concerns relating to User-Submitted Registry Content (including IoT Resource Listings and IoT Resource Templates), privacy, accuracy, and unlawful content.

If you believe that User-Submitted Registry Content — including an IoT Resource Listing or IoT Resource Template — is inaccurate, harassing, unlawful (including, but not limited to, content that violates applicable privacy, defamation, or consumer protection law), or discloses personally identifying information in a way that creates a safety or privacy risk (including content that could facilitate doxxing, stalking, or targeted harassment of a private individual), you may report it by contacting CMU at cmu-iotpi@lists.andrew.cmu.edu with the subject line 'Registry Content Concern.' For general privacy inquiries unrelated to content moderation, contact privacy@andrew.cmu.edu.

To assist CMU in evaluating your report, please include:

  • A description of the content you are reporting and why you believe it violates applicable law or policy;
  • The URL, registry path, or other location of the content within the Services; and
  • Any supporting information — such as screenshots or documentation — that would assist CMU in assessing the concern.

CMU's Response and Moderation Authority

Upon receiving a credible report, CMU may:

  • Review the flagged content;
  • Remove, restrict visibility of, or correct content where appropriate to address copyright, safety, legal, or policy concerns;
  • Suspend or terminate access for users who submit content in violation of applicable policies or applicable law; and
  • Where CMU reasonably believes that User-Submitted Registry Content violates criminal law or presents an imminent risk of harm to an identifiable individual, CMU may refer the matter to appropriate law enforcement authorities.

CMU may respond promptly in cases where there is a credible risk of harm to an identifiable individual or where a compliant DMCA notice has been received. CMU may contact the reporting party to request additional information necessary to evaluate the report.

No Proactive Monitoring Obligation; No Liability for Undetected Content

CMU relies in the first instance on IoT resource operators to review content submitted to their respective registries. IoT resource operators are responsible for deciding whether to publish, restrict, or remove IoT Resource Listings within their registries in accordance with CMU's policies and applicable law. CMU's content review and moderation activities under this section are supplementary to, and do not replace, the independent responsibility of registry administrators. Nothing in this section creates an obligation for CMU to monitor all User-Submitted Registry Content proactively or creates liability for CMU's failure to detect or remove content that was not reported to CMU through the procedures described above. CMU's response to a report under this section does not constitute an admission that the reported content is unlawful or that CMU bears any responsibility for it.

Limitation of Liability

CMU's liability with respect to User-Submitted Registry Content, content moderation decisions, and platform operation is governed by the limitation of liability and disclaimer provisions set forth in the Terms of Use sections titled “LIMITATION OF LIABILITY; LIMITATION ON DAMAGES”, which are incorporated herein by reference. CMU does not warrant the accuracy, completeness, or legality of User-Submitted Registry Content and is not liable for harm arising from reliance on such content.

6. HANDLING OF PERSONAL DATA

Security of Personal Data

CMU is committed to protecting the security of personal data. Depending on the circumstances, we may hold your information in hard copy and/or electronic form.

For each medium, we use technologies and procedures to protect personal data. We review our strategies and update as necessary to meet our needs, changes in technology, and regulatory requirements.

These measures include, but are not limited to, technical and organizational security policies and procedures, security controls and employee training. Where personal data or personally identifiable information (PII) is processed within the scope of a federally sponsored research activity under a CMU IRB-approved protocol, CMU additionally maintains incident response procedures designed to support prompt investigation, containment, remediation, and required notifications consistent with applicable award conditions, federal agency data management requirements, and applicable law.

We may suspend your use of all or part of the Services without notice if we suspect or detect any breach of security, any abuse, or any illegal or questionable activity. If you believe that information you provided to us is no longer secure, please notify us immediately using the contact information provided below.

If we become aware of a breach that affects the security of personal data about you, we will provide you with notice as required by applicable law. To the extent permitted by applicable law, CMU will provide any such notice that CMU must provide to you at your account’s email address.

By using the Services, you agree to accept notice electronically. However, no website, mobile application, electronic storage system, or online service is completely secure, and CMU cannot guarantee the security of personal data transmitted to, through, or stored in connection with the Services.

Any transmission of personal data is at your own risk. You are also responsible for taking appropriate steps to protect your own personal data, including keeping your account credentials confidential.

Storage and Transfer of Personal Data

Personal data collected by CMU may be stored in the United States or in any other country where CMU or its service providers maintain facilities, which may include countries outside the European Union.

We take steps to ensure that the data we collect under this Privacy Policy is processed pursuant to the terms thereof and the requirements of applicable law wherever the data is located.

CMU also collaborates with third-party service providers, including cloud hosting services and suppliers located around the world, to support the operation and security of the Services.

In some cases, we may need to disclose or transfer personal data within CMU or to third parties in areas outside of your home country. When we do so, we take steps to ensure that personal data is processed, secured, and transferred according to applicable law.

If you would like to know more about our data transfer practices, please contact our Information Security Office at privacy@andrew.cmu.edu.

Retention of Personal Data

We retain personal data only for as long as necessary to fulfill the specific purposes described in this policy and as required by applicable law and grant requirements. Where applicable, retention periods are informed by academic research protocols, regulatory guidance, and the principle of data minimization. Personal data is not retained for longer than necessary to fulfill those stated purposes. The retention period may depend on the way in which we process data:

Location Data: Your browser location (if allowed) is only retained for the time necessary to center our map tool and is not stored thereafter. Our third party map tile provider, Mapbox, may collect your browser location information when providing the required map tiles. They delete this location information after 24 hours. More details can be found in their privacy policy. Your IoTA Mobile App location data is only retained for the time necessary to identify and notify you of IRRs and IoT Resources around you. Under some of the approaches we support to communicate and monitor the handling of privacy requests users submit via their IoTA Mobile app, we do keep track of these decisions in the IoTA Mobile app and in the IoT PI. This data is only retained for as long as needed. Please note that submitting a privacy request through the Services does not require you to be physically near the relevant IoT Resource. However, be aware that the entity receiving your request may be able to infer information about your location from the nature or timing of the request. CMU is not responsible for how entities that receive privacy requests use or interpret that information. Where we maintain server-side access logs for security, fraud prevention, abuse prevention, or research protocol integrity purposes — including logs that may be indicative of your approximate location — we limit such logs to what is reasonably necessary for the documented purpose, restrict access to authorized personnel, and retain them for no longer than 12 months (or such shorter period as is necessary for the documented purpose) before deletion or anonymization.

Profile Data: Email address, password, and account name (username or legal name, depending on account type) associated with your IoT PI and IoTA accounts will be retained as long as your account is active. Upon account deletion, all personally identifiable profile data — including your full legal name, preferred name, email address, password, authentication token, and associated user roles — will be permanently and irreversibly anonymized. CMU retains the anonymized record in its database for research record integrity and referential consistency purposes.

Technical Data: Technical Data is retained for as long as your account is active and for a reasonable period thereafter to support security, fraud prevention, and service improvement purposes. Where Technical Data is collected as part of a CMU IRB-approved research protocol, it is retained for a minimum of three years following the conclusion of the relevant study, in accordance with 45 CFR 46 and applicable sponsor requirements.

Unique identifiers Used to Keep Track of User-Specific Privacy requests: These identifiers are retained for as long as your account is active on our infrastructure.

Your Privacy requests: Your privacy request history is retained for as long as your account is active. Where such data is collected under an IRB-approved research protocol, it is retained for the period required under applicable federal regulations.

The IoT Resource Listings and IoT Resource Templates you create are retained as long as your account is active or until you request deletion, subject to your right to transfer ownership. Where Listings or Templates constitute research records under a CMU IRB-approved protocol, applicable federal retention requirements apply.

Identity Data: Name, country or countries, and organization of users who request the creation of an IoT Resource Registry (IRR) will be retained as long as the users maintain an account with the IoT Privacy Infrastructure.

If the Services are discontinued or the underlying research project concludes, CMU will provide reasonable advance notice to users, will offer users an opportunity to download or transfer their data, and will delete or anonymize personal data in accordance with applicable law, grant requirements, and CMU policy. Personal data collected under IRB-approved protocols will be handled in accordance with applicable federal requirements.

7. YOUR RIGHTS REGARDING PERSONAL DATA

Depending on your jurisdiction, you may request access to, deletion of, or correction of an error or omission in personal data about you by contacting us at privacy@andrew.cmu.edu or by writing to us at: Carnegie Mellon University, Attention: Data Protection Officer, 5000 Forbes Avenue, Pittsburgh, PA 15213. We will make good faith efforts to resolve requests to correct inaccurate information except where the request is unreasonable, requires disproportionate technical effort or expense, jeopardizes the privacy of others, or would be impractical. Residents of some jurisdictions may have additional rights concerning personal data; please see Section 10 – “The General Data Protection Regulation” regarding these rights.

8. WHAT ARE MY DATA PROTECTION CHOICES AND RIGHTS?

General privacy rights. Regardless of where you live, you may have certain rights with respect to the personal data we hold about you, to the extent required by applicable law and subject to verification of your identity. These rights may include:

  • Access. You may request confirmation of whether we process personal data about you and, if so, a copy of the categories and specific pieces of personal data we hold.

  • Correction. You may request that we correct inaccuracies in personal data we hold about you, taking into account the nature of the data and the purposes for which it is processed.

  • Deletion. You may request that we delete personal data we hold about you, subject to applicable exceptions (for example, data we are required to retain under applicable law, research protocol, or sponsor requirements). You may also delete your account directly through the Services by using the in-app account deletion feature. If your account is associated with any published IoT Resources or IoT Resource Registries for which you are the owner, you will be prompted to transfer ownership of those resources before deletion can proceed. Upon completing account deletion, CMU will permanently and irreversibly anonymize all personally identifiable information associated with your account — including your full legal name, preferred name, email address, password, authentication token, and associated user roles — such that the information can no longer be linked to you. CMU retains the anonymized account record in its database for research record integrity and referential consistency purposes. Additional data associated with your account may be retained to the extent required by applicable law, research protocol, or sponsor requirements, as described in the Retention section below.

  • Opt-out of certain uses. To the extent we engage in any processing that you have the right to opt out of under applicable law (such as targeted advertising or profiling), you may exercise that right as described in this section.

To submit a request to exercise any of these rights, please contact us at privacy@andrew.cmu.edu. We will respond within the timeframe required by applicable law. We may need to verify your identity before processing your request. Please note that certain exceptions and limitations may apply, and we will explain the basis for any decision to limit or decline a request.

Appeal. If we decline to act on a privacy rights request, you may appeal that decision by sending a written appeal to privacy@andrew.cmu.edu with the subject line "Privacy Rights Appeal." We will review your appeal and respond within the timeframe required by applicable law. If your appeal is denied, we will provide you with information about any additional avenues available under applicable state law.

US state consumer privacy laws may provide their residents with additional rights regarding our use of personal information. The following Section applies to individuals who reside in specific jurisdictions that provide additional privacy rights. Please note that, as a nonprofit academic institution, CMU is generally not subject to the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA) and does not provide those statutory rights except as required by law or organizational policy.

8.1 Your Rights and Choices

Right to Access Specific Information and Data Portability Right. You have the right to request that we disclose certain information to you about our collection and use of personal information over the past twelve (12) months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • If we disclosed personal information for a business purpose, the business purpose for which personal information was disclosed, and the personal information categories that each category of recipient obtained.

Right to Correct Information. You have the right to request we update personal information about you that is incorrect in our systems. You can also review and change personal information about you by logging into the Services and visiting your account profile page.

Right to Delete. You have the right to request that we delete any personal information about you that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) the personal information from our records, unless an exception applies.

Right to Opt-out of the sale or sharing of Personal Information for Cross-Contextual Behavioral Advertising. CMU does not sell personal information and does not share personal information for cross-context behavioral advertising. Accordingly, no opt-out mechanism for sale or sharing of personal information is required at this time. If this practice changes, we will update this Privacy Policy and provide appropriate opt-out mechanisms.

Right to Limit Sensitive Personal Information Use. You have the right to limit the use of sensitive personal information regarding you.

Non-Discrimination. We will not discriminate against you for exercising any of your rights.

Right to Opt-Out. You have the right to opt out of personal data processing for targeted advertising or sales, and to either limit (opt out of) or require consent for the processing of sensitive personal data.

8.2 How to Exercise these Rights. The exact scope of these rights may vary by state. To submit a request to exercise these rights you may use one of these two methods:

For all requests, please clearly state that the request is related to “Your Privacy Rights,” indicate which type of request you are making, and provide your name, street address, city, state, zip code and an e-mail address or phone number where we may contact you. We are not responsible for notices that are not labeled or sent properly or that do not include complete information.

To appeal a decision regarding a consumer rights request, please submit your appeal using one of the methods above.

Your appeal should include an explanation of the reason you disagree with our decision. Within 60 days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.

Only you, or a person registered with the applicable Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to personal information about you.

You may also make a verifiable consumer request on behalf of your minor child. You may only make such a request for access or data portability twice within a 12-month period. The verifiable consumer request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative and describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

We will deliver our written response electronically. Any disclosures we provide will only cover the 12-month period preceding the receipt of the verifiable consumer request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

For data portability requests, we will select a format to provide the personal information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

California Shine the Light Law: California Civil Code Section 1798.83 permits California residents to request information about whether we have disclosed personal information to third parties for direct marketing purposes. CMU does not disclose personal information to third parties for direct marketing purposes, and no list of third-party marketing recipients is therefore available.

9. COOKIES & OTHER TECHNOLOGIES

This Cookies Policy explains how we use Cookies to collect information about the way you use the Services, and how you can control them.

How We Use Cookies

We use cookies solely as necessary to provide authentication and security functionality for the Services. We do not use cookies to compile analytics or usage statistics.

While this information on its own may not constitute your “personal data”, we may combine the information we collect via Cookies with personal data that we have collected from you to learn more about how you use the Services to improve them.

Types of Cookies

We use session Cookies that expire once you log out or following a period of inactivity. To make it easier for you to understand why we need them, the Cookies we use on the Services can be grouped into the following category:

  • Strictly Necessary: These Cookies are necessary for the Services to work properly. They include any essential authentication and authorization Cookies for the Services.

CMU does not use third-party tracking technologies — such as advertising pixels, marketing cookies, or cross-site tracking tools — to track your use of the Services for marketing, advertising, or commercial profiling purposes.

The following is a complete list of the cookies we use on the Services:

Strictly Necessary

| Name | Provided By | Persistent or Session | Purpose |
|---|---|---|---|
| iotpi_session | CMU | Persistent: 2 hours after inactivity or when user logs out | These cookies are used to recognize users once they have been authenticated and to maintain their session state. |
| XSRF-TOKEN | CMU | 2 hours after inactivity or when user logs out | This cookie is used to protect against cross-site request forgery (CSRF) attacks. |

Third-party Embedded Content

The Services may contain links to, or may load content from, third-party websites, applications, and services that are not operated by CMU. This includes map providers, external privacy policy links referenced in IoT Resource Listings, and any other third-party content accessible through or in connection with the Services. This Privacy Policy applies only to personal data collected by CMU through the Services. CMU does not control and is not responsible for the privacy practices, data collection, or content of third-party websites or services. If you choose to access a third-party website or service through a link in the Services, you do so at your own risk and subject to that third party's own privacy policy and terms of use. We encourage you to review the privacy policies of any third-party websites or services you visit. The inclusion of a link to a third-party website does not imply CMU's endorsement of that website or its operators.

How to Control and Delete Cookies

Cookies can be controlled, blocked or restricted through your web browser settings. Information on how to do this can be found within the Help section of your browser. All Cookies are browser specific. Therefore, if you use multiple browsers or devices to access websites, you will need to manage your cookie preferences across these environments.

If you are using a mobile device to access the Services, you will need to refer to your instruction manual or other help/settings resource to find out how you can control Cookies on your device.

Please note: If you restrict, disable or block any or all Cookies from your web browser or mobile or other device, the Services may not operate properly, and you may not have access to the Services. CMU shall not be liable for any inability to use the Services or degraded functioning thereof, where such are caused by your settings and choices regarding Cookies.

To learn more about Cookies, visit www.allaboutCookies.org.

Do Not Track

Some web browsers (including Safari, Internet Explorer, Firefox and Chrome) incorporate a “Do Not Track” (“DNT”) or similar feature that signals to websites that a user does not want to have his or her online activity and behavior tracked. If a website that responds to a particular DNT signal receives the DNT signal, the browser can block that website from collecting certain information about the browser’s user. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, many website operators, including CMU, do not respond to DNT signals.

10. CHILDREN’S PRIVACY

IF YOU ARE UNDER THE AGE OF 18, DO NOT USE THE SERVICES.

The Services are intended to be used by individuals who are at least 18 years old. Consistent with the requirements of the U.S. Children’s Online Privacy Protection Act, if we learn that we received any information directly from a child under age 13 without his or her parent’s verified consent, we will use that information only to inform the child (or his or her parent or legal guardian) that he or she cannot use the Services.

California Minors: If you are a California resident who is under age 18 and you are unable to remove publicly available Content that you have submitted to us, you may request removal by contacting us at: privacy@andrew.cmu.edu. When requesting removal, you must be specific about the information you want removed and provide us with specific information, such as the URL for each page where the information was entered, so that we can find it. We are not required to remove any Content or information that: (1) federal or state law requires us or a third party to maintain; (2) was not posted by you; (3) is anonymized so that you cannot be identified; (4) you don’t follow our instructions for removing or requesting removal; or (5) you received compensation or other consideration for providing the Content or information. Removal of your Content or information from the Services does not ensure complete or comprehensive removal of that content or information from our systems or the systems of our service providers. We are not required to delete the Content or information posted by you; our obligations under California law are satisfied so long as we anonymize the content or information or render it invisible to other users and the public.

11. THE GENERAL DATA PROTECTION REGULATION (“GDPR”)

If you are a resident of the European Union (“EU”) or United Kingdom (“UK”), you may be entitled to other rights under the GDPR. These rights are summarized below. We may require you to verify your identity before we respond to your requests to exercise your rights. If you are entitled to these rights, you may exercise these rights with respect to personal data about you that we collect and store:

  • the right to withdraw your consent to data processing at any time (please note that this might prevent you from using certain aspects of the Services);
  • the right of access to personal data about you;
  • the right to request a copy of personal data about you;
  • the right to correct any inaccuracies in personal data about you;
  • the right to erase personal data about you;
  • the right to data portability, meaning to request a transfer of personal data about you from us to any other person or entity as chosen by you;
  • the right to request restriction of the processing of personal data about you; and
  • the right to object to processing of personal data about you.

You may exercise these rights free of charge. These rights will be exercisable subject to limitations as provided for by the GDPR. Any requests to exercise the above listed rights may be made to: GDPR-info@andrew.cmu.edu.

If you are a resident of the EU or UK, you may have the right to lodge a complaint with a Data Protection Authority about how we process personal data about you at the following website: https://edpb.europa.eu/about-edpb/board/members_en (for EU residents) and https://ico.org.uk/make-a-complaint/ (for UK residents).

Processing EU Personal Data

In the event that personal data is subject to the GDPR, we will only use personal data for the original purpose for which we collected it, unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use EU personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. We require third parties to only use EU personal data for the specific purpose for which it was given to us and to protect the privacy of personal data. If personal data is no longer necessary for the legal or business purposes for which it is processed, we will generally destroy or anonymize that data.

International Transfers of Personal Data

Whenever we transfer personal data out of the EU or UK, we ensure a similar degree of protection is afforded to it. Transfers are effected in accordance with Article 46 of the GDPR, using Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms as may be applicable. For additional information on our data transfer practices, please contact us at privacy@andrew.cmu.edu.

For additional information on the mechanisms used to protect personal data, please contact us at GDPR-info@andrew.cmu.edu.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy based upon evolving laws, regulations and industry standards, or as we may make changes to our Services. We will post changes to our Privacy Policy on this page and encourage you to review our Privacy Policy when you use the Services to stay informed. We will notify you of material changes to this Privacy Policy by updating the "last updated" date at the top of the policy and, where appropriate, by providing additional notice through the Services (such as through an in-app notification or a notice on the IoT PI website). If you disagree with the changes to this Privacy Policy, you should discontinue your use of the Services. You may also request access and control of personal data about you as outlined in Section 7 - Your Rights Regarding Personal Data of this Privacy Policy. Your continued use of the Services after a policy update constitutes your acknowledgment of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically.

13. QUESTIONS OR COMPLAINTS HANDLING

We understand that you may have questions or concerns about this Privacy Policy or our privacy practices or may wish to file a complaint. In such case, please contact us in one of the following ways:

Email: privacy@andrew.cmu.edu

Mail:

Carnegie Mellon University
Attention: Data Protection Officer
5000 Forbes Avenue
Pittsburgh, PA 15213

If you are not satisfied with our answer or how CMU manages personal data about you, you may also have the right to make a complaint to a data protection regulator. If you are a resident of the European Union, a list of National Data Protection Authorities can be found here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.