Columbia University Privacy Notice
Effective: January 2023
This Privacy Notice describes how Columbia University (“Columbia, “we”, or “us”) collects, uses, stores, transfers, and otherwise processes personal information in connection with Columbia websites and applications that link to this policy (the “Sites”), Columbia Global Centers sites overseas, and in connection with remote participation in Columbia’s academic or other Columbia programs (“remote access”) (collectively, the “Services”). This Privacy Notice also sets out your rights in relation to this personal information.
Where applicable, the data controller is Columbia University (including Columbia College, Columbia Law School, Columbia Global Centers, School of International and Public Affairs, and Centers for International Programs, LLC), located at 615 W 131st St #5, New York, NY, New York, NY 10027, USA.
For information about how we process personal information of faculty, staff, and other employees and contractors of Columbia, please refer to our Employee Privacy Notice here.
In connection with your use of the Services, Columbia collects personal information about you from a variety of sources, including information we collect from you directly (e.g. when you contact us or sign up for an account), information we generate about you in the course of our relationship with you (e.g., data collected from cookies and other similar technologies, which is described in our cookie notice here), and information we collect about you from other sources, such as public databases (where permitted by law). Personal information is information about you through which you can be identified (including where you can be identified by combining the information with other information).
Note that we may be required by law to collect certain personal information about you, or as a consequence of our contractual relationship with you. Failure to provide this personal information may prevent or delay the fulfilment of these obligations.
1.1 Personal information we collect directly from you
We collect some personal information directly from you. Personal information that is collected directly from you may include the following:
- Personal details (e.g., first and last name, date of birth)
- Contact details (e.g., phone number, email address, city & country of residence, mailing address)
- Account details (e.g., username and password)
- Identification numbers (e.g., Social Security number or other government-issued identification number when permitted by local law, UNI)
- Photographs for use in identification
- Your emergency contact details (e.g., names of your emergency contacts and their contact information)
- Transaction details (e.g., when you pay tuition or make a purchase)
- Health- and safety-related information we collect (e.g., confirmation that you meet health and safety guidelines to use the Columbia facilities overseas, which we may request that you certify via mobile application, when permitted by local law; your UNI; date and time you use the facilities)
- Account details (e.g., user names, passwords, security questions and answers)
- Communications (e.g., when you contact us with questions, comments, or requests; when you participate in class or communicate with faculty; participate in polls or surveys or in message boards or forums,)
- Information about your participation in remote access programs (e.g., participation dates; student-generated content such as assignments and related academic materials submitted to instructors; course or faculty feedback you provide; responses to quizzes, exams, and surveys; grades, examination records, participation / attendance records; supervision, teaching, or tutorial activities)
1.2 Personal information we automatically collect about you
In addition, the following categories of personal information may be automatically collected or generated about you, such as when you visit our Sites, participate in remote access programs or use a health assessment app
- Technical information collected from your computer or mobile device (e.g., your IP address, device identifiers, browser type, operating system)
- Information about your usage of our Services (e.g., the pages you visit when using the Services, the search terms you enter on the Services, how often you use the Services, and the pages you access before and after accessing the Services);
- Information which we generate as a result of your use of the Services (e.g., our understanding of your interests as a result of your use of the Services and whether you are a regular or occasional user of the Services)
- Information we generate as a result of your use of such tools, Sites, or apps (e.g., our understanding of your preferences)
1.3 Personal information we obtain from other sources
Columbia may also obtain personal information about you from third parties, such as funding and sponsorship partners, educational institutions, examination boards, overseas agents, online advertising agencies, fraud prevention agencies or publicly available information. These types of personal information include but are not limited to:
- Personal details (e.g., first and last name)
- Contact details (e.g., phone number, email address, city & country of residence, mailing address)
- Details about advertising preferences (e.g., products, purchased, interaction with advertisements online)
1.4 Sensitive information we collect and use
Some of the categories of personal information that we collect are considered special categories of personal data under other local law, and these types of information are considered particularly sensitive. Specifically, we may process the following sensitive information:
- Health- and safety-related information we collect when you use Columbia facilities overseas, as permitted by local law (e.g., confirmation that you meet health and safety guidelines to use the facilities, which we may request that you certify via mobile application, when permitted by local law; your UNI; date and time you use the facilities) identification numbers, where considered sensitive under local law.
- Personal data revealing political opinions or religious or philosophical beliefs in connection with programming, surveys, or polls.
2.1 How we use personal information
Columbia uses your personal information in connection with the Services:
- Provide and operate the Services.
- With respect to Columbia facilities overseas, to provide you a location to work, socialize, study, and network if you are an alum or student overseas (and not on campus in the U.S.)
- Provide remote access to Columbia Services and programming.
- Improve our Services, including improving our programs, learning tools, and related content.
- Identify and authenticate users of our Services, including systems and tools.
- Program planning and development.
- Keep our records accurate and up-to-date.
- Communicate with you, such as responding to your requests or providing you updates about the school and academic programs, remote access programs, and other Services.
- Marketing. We may use your personal information to build a profile about you and place you into particular marketing segments in order to understand your preferences better and to appropriately personalize the marketing messages we send to you.
- Customizing your experience. When you use the Services, we may use your personal information to improve your experience of the Services, such as by providing interactive or personalized elements on the Services and providing you with content based on your interests.
- Comply with legal obligations and exercise or defend our rights or the rights of third parties. For example, we may use personal information to comply with legal obligations to which we are subject, including to respond to subpoenas, court orders, or other legal process; to cooperate with regulators and law enforcement as required by law; and to defend our rights or the rights of any third party in legal proceedings.
- Protect the security of our systems and property (and those of third parties).
We may also anonymize your personal information in such a way that you may not reasonably be re-identified, and we may use this anonymized information for any other purpose.
2.2 How we use sensitive information
Columbia uses sensitive personal information to:
- Manage health and safety considerations. To the extent we use information about your health as permitted by local law, we do so to comply with our health and safety obligations to maintain a safe environment for our students, alumni, faculty, and staff; and to comply with our contractual obligations to third parties providing space for Columbia facilities.
- Identify and authenticate you. To the extent identification numbers are considered sensitive, we use them to identify and authenticate users of our Columbia facilities overseas.
- Permit you to participate in programming. To the extent programming, surveys, or polls reveal personal data concerning political opinions or religious or philosophical beliefs in connection with such programming, surveys, or polls, as permitted by local law.
We rely on the following legal bases to process your personal information:
- To comply with our contractual obligations to you.
- To comply with legal obligations to which we are subject.
- Where the processing is necessary to serve our legitimate interests, including our interests in the following:
- Providing our students, alumni, and other Columbia affiliates a location to work, socialize, study, and network;
- Providing the Services, including remote access learning / academic services;
- Protecting the health and safety of our students, alumni, employees and Columbia affiliates and the health and safety of other third parties;
- Improving our Services, including improving programs, websites, tools, and related content;
- Communicating with you;
- Program planning and development;
- Keeping our records accurate and up-to-date; and
- If you are a remote access learner, customizing your learning experience.
- To the extent required by applicable local laws, with your consent.
We may share your personal information with the following parties:
- Service providers and business partners. We may share your personal information with service providers and business partners who perform services or business operations for us for the purposes set out above. For example, we may engage service providers to provide learning management systems and video conferencing tools, optimize services, provide the health assessment app and related services, and support email and messaging services, among other purposes, to process secure payments, fulfil orders, serve online behavioral advertising, send newsletters and marketing messages, support email and messaging services, and analyze information and web traffic. These service providers and business partners may include advertising agencies and fraud prevention agencies which will use your personal information only in the ways described in this policy.
- Where required by law. We may share your personal information with law enforcement agencies, courts, other government authorities or other third parties where we believe it is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party. For example, we may share information where required by law for contact tracing purposes.
Because we operate internationally, the recipients referred to above may be located outside the jurisdiction in which you are located. Please see the section on “International transfer of your data” below for more information.
We implement physical, technical, and organizational security measures designed to safeguard the personal information we process in the context of the Services. These measures are aimed at providing on-going integrity and confidentiality for your personal information.
We retain your personal information for as long as we have a relationship with you at which point we will delete your information from our systems. When deciding how long to keep your personal information after our relationship with you has ended, we take into account our legal obligations and our business retention policies. We may also retain records to investigate or defend against potential legal claims.
Your personal information may be transferred to, stored, and processed in a country (such as the United States) that is not regarded as ensuring an adequate level of protection for personal information under the laws of your home country.
We have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your personal information is adequately protected. For more information on the appropriate safeguards in place, please contact us as described below.
Where applicable under local law, you may have the following rights with respect to your personal information:
- To access the information that we have about you
- To request that we rectify or erase your information
- To request that we restrict the way we use your information
- To object to the way we use your information, if we are processing your personal information on the basis of our legitimate interests
- To ask us to transfer your information to someone else
- To lodge a complaint with the appropriate data protection authority
- To withdraw consent at any time, if we are processing your personal information on the basis of consent
- In China, to request that we cancel or de-register your account registered for the purpose of remote access
- In France, to define guidelines regarding the fate of your personal data after your death
If you wish to exercise these rights, or to notify us of a change in your details, or if you have any questions on the content of this Privacy Notice, please contact as described below.
If you have questions or concerns regarding the way in which your personal information has been used, please contact [email protected]
We are committed to working with you to obtain a fair resolution of any complaint or concern about your privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you may have the right to make a complaint to the appropriate data protection authority.
We may modify or update this privacy notice from time to time. If we make any revisions that materially change the ways in which we process your personal information, we will notify you of these changes before applying them to that personal information.