Privacy Policy
 

Effective Date: Nov 24, 2020

Carnegie Mellon University (“CMU,” “we,” “us,” or “our”) is committed to privacy and data protection. This Privacy Policy applies to all personal data CMU collects from you, through the CMU Internet of Things (IoT) Privacy Infrastructure Project, including the Internet of Things Assistant (“IoTA”) mobile app (“IoTA Mobile App”), and the IoT Privacy Infrastructure (“IoT PI”), which includes Internet of Things registries of IoT Resources (“IoT Resource Registries” or “IRRs”) (collectively the “Services”), as well as how we use and protect your personal data.

This Privacy Policy does not apply to the IoT Resource Listings (defined below) that IRR contributors input into the Services and that IRR administrators publicize through their IRRs, or to IoT Resource Templates (defined below) that template contributors input into the Services (both referred to as “Your Content” below). You act as the Controller of Your Content.  As used in this Privacy Policy, “Controller” shall have the definition given to it under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

This Privacy Policy does not apply to: any third-party applications or software that integrate with the Services, the IoT Resources (defined below), or any other third-party products, services or businesses (collectively, “Third Party Services”). Third Party Services are governed by their own privacy policies. We recommend you review the privacy policy governing any Third Party Services before using them.

Any questions or concerns regarding CMU’s privacy and data protection practices can be directed to GDPR-info@andrew.cmu.edu.

If you have not done so already, please also review the IoT PI Terms of Use https://www.iotprivacy.io/terms-of-use  and the IoTA Mobile Application End-User License Agreement https://www.iotprivacy.io/end-user-license-agreement  as applicable to the Services you are using.

OVERVIEW

The Internet of Things Privacy Infrastructure Project is a system developed at the School of Computer Science at Carnegie Mellon University, under the coordination of Prof. Norman Sadeh. Its purpose is to provide a tool to publicize the presence of IoT devices, IoT services, IoT apps (collectively referred to as “IoT Resources”) in a given area, such as a university campus, a building, a shopping mall, a room, a stadium, a city block, an entire neighborhood, or a larger geographical area. The Internet of Things Privacy Infrastructure Project has two components:

1) The IoTA Mobile App, which helps users discover IoT Resources deployed in their vicinity by identifying and querying IoT Resource Registries that pertain to the user’s current location. The IoTA informs the user about the data collection and use practices associated with the IoT Resources it discovers. The IoTA also enables users to discover and configure privacy settings that may be offered by IoT Resources (i.e. data deletion, opting in or out of some data collection or sharing practices, or data access requests).

2) The IoT PI, which enables people and organizations to inform the public about the presence of IoT Resources deployed in different areas. Individuals and organizations can request the creation of IRRs through the IoT PI. Individuals and organizations can use the IoT PI to create descriptions of IoT Resources (“IoT Resource Listings”) and request their publication in IRRs, enabling mobile users to discover them using their IoTA Mobile App. The IoT PI also enables users to create partial descriptions of IoT Resources that others could use as a starting point to create IoT Resource Listings (“IoT Resource Templates”). These IoT Resource Templates can be shared with, re-used and edited by others to publicize the presence of identical or similar IoT Resources. The IoT PI involves the collection of research data under the direction of Prof. Norman Sadeh (the Principal Investigator) in accordance with a research protocol approved by CMU’s Institutional Review Board.

The research project related to the IoT PI is funded by the U.S. Department of Defense (DoD) under the Defense Advanced Research Projects Agency’s Brandeis Privacy Initiative (Grant FA8750-15-2-0277) and by the U.S. National Science Foundation under its Secure and Trustworthy Computing program (Grant SBE-1513957).

PERSONAL DATA WE COLLECT

CMU collects data to provide the Services you request, address security issues and potential abuse, ease your navigation of Services supported by our IoTA Mobile App and our IoT PI, communicate with you, and improve your experience using the Services. We also collect data for research conducted under our project; the latter follows research protocols approved by the Institutional Review Board. Some of this data is provided by you directly, such as when you register for the Services. Some of the information is collected through your interactions with the Services. We collect such data using technologies like cookies and other tracking technologies, error reports, and usage data collected when you interact with CMU Services running on your device.

The data we collect depends on the Services and features thereof that you use, and includes the following:

Data Collected through the IoTA Mobile App:

Profile Data: Your Email ID, username and password: to create an account that will enable you to use the IoTA Mobile App and that will enable us to communicate with you.

Location Data:  Your Location Data is used to show you relevant IoT Resource Registries and IoT Resources, namely to identify IoT Resource Registries that might be publicizing the presence of IoT Resources near your location, identify nearby IoT Resources, identify the data collection and use practices of these IoT Resources, and to notify you of this information via the IoTA Mobile App. Location data is not accessed or stored anywhere in our databases. The IoTA Mobile App keeps track of the IoT Resources you have been near and the most recent date and time you were near each IoT Resource (“Proximity Data”, a subcategory of Location Data). Proximity Data enables us to provide you with personalized notifications of nearby IoT Resources and avoid sending you repetitive notifications, depending on your notification settings. Proximity Data is only stored on your mobile device; is encrypted; and is deleted (1) when you change your notification settings (selecting between “always”, “the first time” and “never”) or (2) when you uninstall the IoTA mobile app from your device. Proximity Data could be used to infer your location.

Motion & Fitness Activity Data: This data is used to minimize battery consumption on your mobile device and is only accessed when you grant “Location (always)” and “Notification” permissions to the IoTA Mobile App on your mobile device. This data is collected by your mobile device and only accessed by the IoTA Mobile App to determine when to refresh the data it displays and when to check whether there are new IoT Resources near you that you should be notified about. This data is not stored by the IoTA Mobile App or anywhere in our databases.

Technical Data:  Metadata that is used for the research purpose of understanding how you interact with our Mobile App. This data will be analyzed to learn about the usability of the IoTA Mobile App. This will include time spent using the app, navigation of different menu options, types of IoT Resources and data practices you look at, and crash reports.

Unique identifiers Used to Keep Track of User-Specific Privacy Decisions:  These identifiers are used to keep track of your privacy decisions about options made available by IoT Resources, whether directly or via third party privacy options management functionality - when such options are available. The unique identifiers are used by the IoT Resources themselves or by third party privacy options management functionality to communicate your decisions to our IoT PI. They are also used by our IoT PI to communicate your decisions back to your IoTA Mobile App. Examples of privacy decisions include opting in, opting out, requesting deletion of your data, and more.

Your Privacy Decisions: Privacy decisions that you make using the IoTA Mobile App such as opting in or out of some data collection and use practices, requesting that your data be deleted or exercising other privacy choices made available by individual IoT Resources published in the IoT Privacy Infrastructure. These decisions are directly communicated by you to the IoT Resource or to third party privacy options management functionality responsible for implementing them. Please bear in mind that actual implementation of privacy decisions you make about any options made available by IoT Resources is not the responsibility of the IoT PI. Instead these decisions are implemented by the IoT Resources themselves, possibly via third party privacy options management functionality. Such implementation is the responsibility of the IoT Resource owner, who is the Controller of any data collected by the IoT Resource. Our IoT PI collects your privacy decisions, in part for research purposes and in part to be able to show these decisions to you via your IoTA Mobile App. As part of our research, we use your privacy decisions to support the development of models of your privacy preferences using machine learning. Your privacy decisions are uniquely identified and linked to your email ID.

Data Collected through the IoT PI  

Profile Data: Email, username and password of IoT PI users (namely IRR contributors, IRR owners/administrators, IoT Resource Template contributors) to enable them to create an account and use the IoT PI. This data is also used to communicate with IoT PI users and mitigate abuse.

Identity Data: First and last name, country (or countries) within which the area covered by an IRR falls for users who request an IRR, and organization for users who interact with the IoT PI on behalf of an organization (e.g., employee or member of an organization).

Location Data: Browser location of IRR contributors and administrators/owners is accessed to center maps on pages for IoT Resource creation and IRR configuration.

IoT Resource Listings: Information you contribute regarding IoT Resources. This information may include resource names, locations, descriptions, links to privacy policies and privacy settings, and other information. Resource listings only include personal information to the extent you enter such information as part of the resource listing.

IoT Resource Templates: Information you contribute regarding IoT Resource Templates. This information may include IoT Resource Template names, IoT Resource Template descriptions, links to privacy policies and privacy settings, and other information. IoT Resource Templates only include personal information to the extent you enter such information as part of the IoT Resource Template.

Unique identifiers Used to Keep Track of User-Specific Privacy Decisions: These identifiers are used to keep track of your privacy decisions about options made available by IoT Resources, whether directly or via third party privacy options management functionality - when such options are available. The unique identifiers are used by the IoT Resources themselves or by third party privacy options management functionality to communicate your decisions to our IoT PI. They are also used by our IoT PI to communicate your decisions back to your IoTA Mobile App. Examples of privacy decisions include opting in, opting out, requesting deletion of your data, and more.

Technical Data:  Metadata that is used for the research purpose of understanding how you interact with the IoT PI. For instance, we may look at the number of times you click on “more information” icons, the amount of time you spend in creating an IoT Resource listing or an IoT Resource Template, and other actions indicative of how you interact with the IoT PI.

Information stored by session cookies. We use session cookies that allow you to be recognized within the IoT PI without requiring you to re-authenticate from page to page. These session cookies expire once you log out or after 2 hours of inactivity.

HOW WE USE PERSONAL DATA

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data for the following lawful purposes:

  • Where we need such information to perform the contract (i.e. Terms of Use or End-User License Agreement) we are about to enter into or have entered into with you (“performance of a contract”).
  • Where we receive your consent (“consent”).
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (“legitimate interest”).
  • Where we need to comply with a legal or regulatory obligation (“legal obligation”).

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

| Purpose/Activity | Type of data | Lawful basis for processing |
|---|---|---|
| To manage our relationship with you, which will include: notifying you about changes to our Terms of Use, to our End-User License Agreement or to our Privacy Policy; providing Services | (a) Identity (IoT PI); (b) Profile (IoTA Mobile App and IoT PI) | Performance of an applicable contract |
| To maintain your user account information and authenticate you. | (a) Identity (IoT PI); (b) Profile (IoTA Mobile App and IoT PI) | Performance of an applicable contract |
| To center the IoT PI’s map tool. The IoT PI has a map tool for you to define the area of coverage of Registries and of IoT Resource Listings. To the extent your browser settings allow for it, we use your geographical location as obtained by your browser to center the map. Otherwise, the IoT PI’s map tool will not be re-centered to adjust for your location. This location data from your browser is accessed by a third-party map provider to retrieve map tiles, but not transmitted to or stored in the IoT PI. | (a) Location (IoT PI) | Performance of an applicable contract |
| To show you and notify you about relevant Registries and IoT Resources, namely (1) to identify IoT Resources near your location and to identify the data collection and use practices of these IoT Resources, and (2) to notify you of nearby IoT Resources when you select “Always” and “The First Time” in your notification frequency settings. | (a) Location (IoTA Mobile App) | Performance of an applicable contract |
| To minimize battery consumption on your mobile device when it comes to using your location to notify you about nearby resources. This is only used if you grant “Location (always)” and “Notification” permissions to the IoTA Mobile App. This data is only accessed to refresh readings of your location used to notify you about nearby resources. This information is not stored by the IoTA Mobile App. | (a) Your Motion & Fitness Activity data on your device (IoTA Mobile App). | Performance of an applicable contract |
| To allow for the publication of IoT resource listings | IoT Resource Listings (IoT PI) | Performance of an applicable contract |
| To analyze the contents of the IoT Resource listings you create | (a) IoT Resource Listings (IoT PI) | Necessary for our legitimate interests (to improve our service, to provide accurate information, and to prevent fraud) |
| To allow for the publication of IoT Resource Templates you create | (a) IoT Resource Templates (IoT PI) | Performance of an applicable contract |
| To analyze the contents of the IoT Resource Templates you create | (a) IoT Resource Templates (IoT PI) | Necessary for our legitimate interests (to improve our service, to provide accurate information, and to prevent fraud) |
| To keep track of your specific privacy decisions as communicated by you either directly to individual IoT Resources or to third party privacy options management functionality responsible for capturing and implementing your personal privacy decisions for individual IoT Resources | (a) Your Privacy Decisions (IoTA Mobile App and IoT PI); (b) Unique identifiers Used to Keep Track of User-Specific Privacy Decisions (IoTA Mobile App and IoT PI) | Performance of an applicable contract |
| To conduct scientific research, including the ability to contact users and ask them to participate in studies (e.g. conducting surveys). | (a) Identity (IoT PI); (b) Profile (IoT PI); (c) IoT Resource Listings (IoT PI); (d) IoT Resource Templates (IoT PI); (e) Technical data (IoT PI); (f) Your privacy decisions (IoT PI); (g) Location (IoT PI) | Necessary for our legitimate interests (to conduct scientific research under Grant FA8750-15-2-0277 and Grant SBE-1513957 as mentioned above) |
| To administer and protect our Services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data, preventing fraud and abuse) | (a) Identity (IoT PI); (b) Profile (IoTA Mobile App and IoT PI); (c) IoT Resource Listings (IoT PI); (d) IoT Resource Templates (IoT PI); (e) Technical data (IoTA Mobile App and IoT PI); (f) Your privacy decisions (IoTA Mobile App and IoT PI); (g) Location (IoT PI and IoTA Mobile App) | Necessary for our legitimate interests (for running our Services, provision of administration and IT services, network security, and to prevent fraud and abuse) |
| To use data analytics to improve our Services, our marketing, user relationships and experiences | (a) Technical data (IoTA Mobile App and IoT PI) | Necessary for our legitimate interests (to keep our Services updated and relevant, and to promote adoption and use of our Services) |

HOW WE SHARE PERSONAL DATA

It is the practice of CMU to protect users’ information. Access to our users’ information is restricted to only those employees or agents, contractors or subcontractors of CMU who have valid reasons to access this information to perform any Service you have requested or authorized, or for any other purpose described in this Privacy Policy. The information you provide will not be sold or rented to third parties.

We may provide your personal data to:

  • outsourced service providers who perform functions on our behalf, located inside or outside of the EU territory (in such case, we will use an appropriate legal framework to operate data transfers). For example, your personal information may be stored on cloud hosting services such as Amazon Web Services;
  • our authorized agents and representatives, located inside or outside of your country of residence (in such case, we will use an appropriate legal framework to operate data transfers), who provide services on our behalf, such as training service providers;
  • anyone expressly authorized by you to receive your personal data;
  • anyone to whom we are required by law to disclose personal data, upon valid and enforceable request thereof;
  • the Federal government offices that oversee the protection of human subjects in research, which will also have access to research records to ensure protection of research subjects. The research sponsor (DoD and NSF) representatives are authorized to review research records.

In order for the IoTA Mobile App and the IoT Privacy Infrastructure to function, we rely on the following third party service providers:

  • Amazon Cloud - Amazon Web Services (AWS)
  • Mapbox - Third party map tile provider for the IoT web portal
  • Google Maps - Map provider for the IoTA Mobile App
  • Google Firebase Dynamic Links - Third party library that provides a way for the user to scan a QR code to open the IoTA Mobile App to a specific IoT Resource page and to first download the IoTA Mobile App on the user’s phone if it is not yet installed on it.
  • Third party libraries (e.g., Laravel PHP framework, Bootstrap front-end framework, NPM package manager, Vue.js JavaScript framework, Flutter framework)
  • Third party email providers (Google G Suite, Amazon Simple Email Services)

We will access, disclose and preserve personal data, when we have a good faith belief that doing so is necessary to:

  • comply with applicable law or respond to valid legal processes, including from law enforcement or other government agencies, upon valid and enforceable request thereof; or
  • operate and maintain the security of the Services, including to prevent or stop an attack on our computer systems or networks.

Please note that some of the Services may direct you to services of third parties whose privacy practices differ from CMU’s. If you provide personal data to any of those services, your data is governed by their privacy statements or policies. Carnegie Mellon University is not responsible for the privacy practices of these Third Party Services. Please review the privacy policies for these Third Party Services to understand how they process your information.

HOW YOU MAY SHARE PERSONAL DATA

Certain features of the Services may allow you to share information with others. Do not share your personal data or the personal data of others through the sharing features. You are the Controller of personal information you share through the sharing features of the Services.

HANDLING OF PERSONAL DATA

Security of Personal Data

CMU is committed to protecting the security of your personal data. Depending on the circumstances, we may hold your information in hard copy and/or electronic form. For each medium, we use technologies and procedures to protect personal data. We review our strategies and update as necessary to meet our needs, changes in technology, and regulatory requirements.

These measures include, but are not limited to, technical and organizational security policies and procedures, security controls and employee training.

We may suspend your use of all or part of the Services without notice if we suspect or detect any breach of security, any abuse, or any illegal or questionable activity. If you believe that information you provided to us is no longer secure, please notify us immediately using the contact information provided below.

If we become aware of a breach that affects the security of your personal data, we will provide you with notice as required by applicable law. To the extent permitted by applicable law, CMU will provide any such notice that CMU must provide to you at your account’s email address. By using the Services, you agree to accept notice electronically.

Storage and Transfer of Personal Data

Personal data collected by CMU may be stored and processed in your region, in the United States or in any other country where CMU, its affiliates or contractors maintain facilities, including outside the European Union. We take steps to ensure that the data we collect under this Privacy Policy is processed pursuant to the terms thereof and the requirements of applicable law wherever the data is located.

CMU also collaborates with third parties such as cloud hosting services and suppliers located around the world to serve the needs of our business, workforce, and users. In some cases, we may need to disclose or transfer your personal data within CMU or to third parties in areas outside of your home country. When we do so, we take steps to ensure that personal data is processed, secured, and transferred according to applicable law.

If you would like to know more about our data transfer practices, please contact our Information Security Office at GDPR-info@andrew.cmu.edu.

Retention of Personal Data

We only keep personal data in our records for as long as necessary for the purpose for which such data is processed. The retention period depends on the context in which we process data:

Location Data: Your browser location (if allowed) is only retained for the time necessary to center our map tool. Our third party map tile provider, Mapbox, may collect your browser location information when providing the required map tiles. They delete this location information after 24 hours. More details can be found in their privacy policy. Your IoTA Mobile App location data is only retained for the time necessary to identify and notify you of IRRs and IoT Resources around you. For research purposes and to prevent fraud and abuse, we do however keep logs of the times when your IoTA Mobile App accesses IRRs near you. Given the radius within which each IRR can be discovered, this information is indicative of your location. Different IRRs can have different discovery radiuses.

Profile Data: Email ID, username and password associated with your IoT PI and IoTA accounts will be retained as long as your account is active on our infrastructure. If you choose to withdraw your consent from participating in our research (refer to the following section), this account information will be permanently deleted from our databases and your account will no longer be usable as a result.

Technical Data: Metadata collected as a result of your interactions with the IoT PI will be retained for a minimum of three years after the conclusion of the research project in accordance with US Federal regulations (45 CFR 46).

Unique identifiers Used to Keep Track of User-Specific Privacy Decisions: These identifiers are retained for as long as your account is active on our infrastructure.

Your Privacy Decisions: Privacy decisions that you make using the IoT PI will be retained for a minimum of three years after the conclusion of the research project in accordance with US Federal regulations (45 CFR 46). If you withdraw consent from our research (refer to the following section) within this period, your privacy decisions will be retained in a de-identified format.

The IoT Resource Listings and IoT Resource Templates you create will be retained for a minimum of three years after the conclusion of the research project in accordance with US Federal regulations (45 CFR 46). If you withdraw your consent prior to the conclusion of the research project, you also have the option of transferring ownership of any of the IoT Resource Listings or IoT Resource Templates you created to another user, subject to that user's agreement. Once such transfer has taken place, the new owner becomes the Controller of the Content included in the corresponding IoT Resource Listing or IoT Resource Template.

Identity Data: Name, country or countries, and organization of users who request the creation of an IoT Resource Registry (IRR) will be retained as long as the users maintain an account with the IoT Privacy Infrastructure.

YOUR RIGHTS REGARDING YOUR PERSONAL DATA

CMU respects your right to access and control your personal data. You have choices about the data we collect. When you are asked to provide personal data that is not necessary for the purposes of providing you with the Services, you may decline. However, if you choose not to provide data that is necessary to provide the Services, you may not have access to certain features of the Services.

We aim to keep all personal data that we hold, as Controller, accurate, complete and up-to-date. While we will use our best efforts to do so, we encourage you to tell us if you change your contact details. If you believe that the information we hold about you is incorrect, incomplete or out-of-date, please contact GDPR-info@andrew.cmu.edu. Please also bear in mind that you are the Controller of Your Content (e.g., IoT Resource Listings, IoT Resource Templates, IoT Resource Registries) and are responsible for the accuracy and completeness of that Content.

Access to personal data:  In some jurisdictions, you have the right to request access to your personal data. In these cases, we will comply, subject to any relevant legal requirements and exemptions, including identity verification procedures. Before providing data to you, we will ask for proof of identity and sufficient information about your interaction with us so that we can locate any relevant data. We may also charge you a fee for providing you with a copy of your data (except where this is not permissible under local law).

Correction and deletion: In some jurisdictions, you have the right to correct or amend your personal data if it is inaccurate or requires updating. You may also have the right to request deletion of your personal data. Please note that such a request could be refused because your personal data is required to provide you with the Services you requested.

Portability:  If you are a resident of the European Union, you may have the right to ask for a copy of your personal data and/or ask for it to be ported to another provider of your choice. Please note that such a request could be limited to only the personal data you provided us with or that we hold at that given time and subject to any relevant legal requirements and exemptions, including identity verification procedures.

COOKIES & OTHER TECHNOLOGIES

This Cookies Policy explains how we use Cookies to collect information about the way you use the Services, and how you can control them.

How We Use Cookies

We use Cookies to track how you use the Services by compiling usage statistics.

While this information on its own may not constitute your “personal data”, we may combine the information we collect via Cookies with personal data that we have collected from you to learn more about how you use the Services to improve them.

Types of Cookies

We use session Cookies that expire once you log out or following a period of inactivity. To make it easier for you to understand why we need them, the Cookies we use on the Services can be grouped into the following categories:

  • Strictly Necessary: These Cookies are necessary for the Services to work properly. They include any essential authentication and authorization Cookies for the Services.
  • Functionality: These Cookies enable technical performance and allow us to “remember” the choices you make while browsing the Services, including any preferences you set. They also include sign-in and authentication Cookies and IDs that enable you to return without additional sign-in.
  • Performance/Analytical: These Cookies allow us to collect certain information about how you navigate the Services. They help us understand which areas you use and what we can do to improve them.

Here is a representative list of the Cookies we use.

| Provider | Cookie Name | Category | Duration | Purpose |
|---|---|---|---|---|
| CMU | iot_privacy_infrastructure_session | Strictly Necessary/Functionality/Performance/Analytical | 2 hours after inactivity or when user logs out | These cookies are used to recognize users once they have been authenticated. They are also used to track user activities on the IoT PI. This information is used to understand how people interact with the IoT PI and to help improve our Services. |
| CMU | XSRF-TOKEN | Strictly Necessary | 2 hours after inactivity or when user logs out | This cookie is used to protect against cross-site request forgery (CSRF) attacks. |
| CMU | iotpi_cookie_consent | Strictly Necessary | a year | This cookie is used to record a user’s consent to our use of cookies. |

How to Control and Delete Cookies

Cookies can be controlled, blocked or restricted through your web browser settings. Information on how to do this can be found within the Help section of your browser. All Cookies are browser specific. Therefore, if you use multiple browsers or devices to access websites, you will need to manage your cookie preferences across these environments.

If you are using a mobile device to access the Services, you will need to refer to your instruction manual or other help/settings resource to find out how you can control Cookies on your device.

Please note: If you restrict, disable or block any or all Cookies from your web browser or mobile or other device, the Services may not operate properly, and you may not have access to the Services. CMU shall not be liable for any impossibility to use the Services or degraded functioning thereof, where such are caused by your settings and choices regarding Cookies.

To learn more about Cookies, visit https://www.allaboutCookies.org.

Do Not Track

Some web browsers (including Safari, Internet Explorer, Firefox and Chrome) incorporate a “Do Not Track” (“DNT”) or similar feature that signals to websites that a user does not want to have his or her online activity and behavior tracked. If a website that responds to a particular DNT signal receives the DNT signal, the browser can block that website from collecting certain information about the browser’s user. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, many website operators, including CMU, do not respond to DNT signals.

CHILDREN’S PRIVACY

IF YOU ARE UNDER THE AGE OF 18, DO NOT USE THE SERVICES.

The Services are intended to be used by individuals who are at least 18 years old. Consistent with the requirements of the U.S. Children’s Online Privacy Protection Act, if we learn that we received any information directly from a child under age 13 without his or her parent’s verified consent, we will use that information only to inform the child (or his or her parent or legal guardian) that he or she cannot use the Services.

California Minors: If you are a California resident who is under age 18 and you are unable to remove publicly-available Content that you have submitted to us, you may request removal by contacting us at: iso-ir@andrew.cmu.edu. When requesting removal, you must be specific about the information you want removed and provide us with specific information, such as the URL for each page where the information was entered, so that we can find it. We are not required to remove any Content or information that: (1) federal or state law requires us or a third party to maintain; (2) was not posted by you; (3) is anonymized so that you cannot be identified; (4) you don’t follow our instructions for removing or requesting removal; or (5) you received compensation or other consideration for providing the Content or information. Removal of your Content or information from the Services does not ensure complete or comprehensive removal of that content or information from our systems or the systems of our service providers. We are not required to delete the Content or information posted by you; our obligations under California law are satisfied so long as we anonymize the content or information or render it invisible to other users and the public.

THE GENERAL DATA PROTECTION REGULATION (“GDPR”)

If you are a resident of the European Union you may be entitled to other rights under the GDPR. These rights are summarized below. We may require you to verify your identity before we respond to your requests to exercise your rights. If you are entitled to these rights, you may exercise these rights with respect to your personal data that we collect and store:

  • the right to withdraw your consent to data processing at any time (please note that this might prevent you from using certain aspects of the Services);
  • the right to access your personal data;
  • the right to request a copy of your personal data;
  • the right to correct any inaccuracies in your personal data;
  • the right to erase your personal data;
  • the right to data portability, meaning to request a transfer of your personal data from us to any other person or entity as chosen by you;
  • the right to request restriction of the processing of your personal data; and
  • the right to object to processing of your personal data.

You may exercise these rights free of charge. These rights will be exercisable subject to limitations as provided for by the GDPR. Any requests to exercise the above listed rights may be made to: GDPR-info@andrew.cmu.edu.

If you are a resident of the European Union, you may have the right to lodge a complaint with a Data Protection Authority about how we process your personal data at the following website: https://edpb.europa.eu/about-edpb/board/members_en.

Processing EU Personal Data

In the event that your personal data is subject to the GDPR, we will only use your personal data for the original purpose for which we collected it, unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use your EU personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. We require third parties to only use your EU personal data for the specific purpose for which it was given to us and to protect the privacy of your personal data. If your personal data is no longer necessary for the legal or business purposes for which it is processed, we will generally destroy or anonymize that data.

International Transfers of Personal Data

Whenever we transfer your personal data out of the EU, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • European Commission Standard Contractual Clauses: We may use specific contracts approved by the European Commission which give personal data the same protection it has in the EU.

  • Privacy Shield: Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US.

For additional information on the mechanisms used to protect your personal data, please contact us at GDPR-info@andrew.cmu.edu.

CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy based upon evolving Laws, regulations and industry standards, or as we may make changes to our Services. We will post changes to our Privacy Policy on this page and encourage you to review our Privacy Policy when you use the Services to stay informed. If we make changes that materially alter your privacy rights, CMU will provide additional notice, such as via email or through the Services. If you disagree with the changes to this Privacy Policy, you should discontinue your use of the Services. You may also request access and control of your personal data as outlined in the Your Rights Regarding Personal Data section of this Privacy Policy.

QUESTIONS OR COMPLAINTS HANDLING

We understand that you may have questions or concerns about this Privacy Policy or our privacy practices or may wish to file a complaint. In such case, please contact us in one of the following ways:

Email: GDPR-info@andrew.cmu.edu

Mail:

Carnegie Mellon University
Attention: Data Protection Officer
5000 Forbes Avenue
Pittsburgh, PA 15213

If you are not satisfied with our answer or how CMU manages your personal data, you may also have the right to make a complaint to a data protection regulator. If you are a resident of the European Union, a list of National Data Protection Authorities can be found here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.