Privacy at Northeastern 

This general Privacy Policy describes how Northeastern collects and handles Personal Information through your use of our Sites and Apps and in support of our Operations. It also describes your privacy rights and choices and our privacy practices when processing personal information for these purposes.

This general Privacy Policy does not apply to personal data information subject to the university’s Privacy Policy for Students, Applicants, and Alumni or the Policy on Privacy for Employees, Job Applicants, Contractors, and Others Working with the University. These policies are available on the University Policies portal.

University-based or sponsored research: Likewise, additional and/or different practices may apply to personal information collected from participants in University-based or sponsored research studies or surveys that may be governed by a protocol approved by the Northeastern Institutional Review Board. When you participate in such research studies, you will be provided with an informed consent form which may describe the additional and/or different data practices and policies that will apply to the study and which may supersede the practices set out in this Privacy Policy.

For more information about this Privacy Policy and your rights under applicable law, please contact us at privacy@northeastern.edu.

Sharing and disclosure outside Northeastern

We may share your Personal Information in the following circumstances:

• Vendors and service providers: To assist us in meeting business operations needs and to perform certain services and functions your Personal Information may be shared with third-party providers of hosting, email communication and support services, analytics, marketing, advertising, administrative and technical services (including Amazon Web Services and Google in the United States), providers of degree verification services and electronic transcript for delivery. Following our instructions, these parties may access, process, or store Personal Information in the course of performing their duties for us. They are contractually prohibited from using or sharing your Personal Information for any purpose other than providing their services to us.
• Legal requirements: If required to do so by law pursuant to valid legal process, applicable regulation or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend our rights or property, and/or those of you or others, (iii) act in urgent circumstances to protect the personal safety of you or others, or the public, or (iv) protect us against legal liability.

Sharing and disclosure within Northeastern

Your Personal Information may be shared with other departments and operational units at the University for the purposes specified in Section III above.

Cookies

Our Site uses ‘cookies,’ which are text files placed on your device when you visit a Site and help us understand how you use our Sites. Some cookies remain on your computer after you leave the Site (these are called ‘persistent’ cookies). Others are deleted automatically when you close your browser, and others simply expire (these are called ‘session’ cookies). For more details on cookies, please visit All About Cookies.

Sharing cookies and technical information with third parties

We have relationships with authorized third-party providers whose services and websites are accessed through our Sites. We may automatically send one or more of your cookies to the third-party site or service to enable you to access third-party services without reentering your Northeastern user ID and password, or other required information, each time.

Your privacy choices

Our cookie preference management tool (available via the “cookie preferences” link in our Site footer) allows you to control what Functional and Advertising cookies are placed on your browser.  In other words, you can block all cookies that are not required for website operation.  Because Required cookies are required for the functioning of our Site, they are not able to be blocked.

Depending on the jurisdiction in which you reside, you may be presented with a banner at the bottom of the University’s Sites when you arrive that asks for your consent for the placement of cookies that are not Required.  This is true in the United Kingdom, the European Union, and certain other jurisdictions.  In such cases, if you do not affirmatively consent, then only Required cookies will be placed on your browser.  In all cases, you can manage your cookie preferences by clicking on the link to “cookie preferences” located in the footer of our Site.

In addition, on most web browsers, you will find a “help” section on the toolbar. Please refer to that section for information on how to receive a notification when you are receiving a new cookie and how to turn cookies off. Please see the links below for guidance on how to modify your web browser’s settings on the most popular browsers:

• Internet Explorer
• Mozilla Firefox
• Google Chrome
• Apple Safari

We take reasonable administrative and technical steps to protect the Personal Information from loss, misuse and unauthorized access, disclosure, alteration, or destruction and, where feasible, systems that solicit or display personally identifiable information are protected by authentication and authorization controls and web-based experiences involving personal information are generally secured by SSL (Secure Sockets Layer protocol) with 128-bit encryption. However, no method of transmission over the internet is 100% secure. Therefore, while we strive to protect your data, we cannot guarantee its absolute security.

We will keep your Personal Information pursuant to our retention schedules which authorize retention for as long as reasonably necessary for the purposes described in this Privacy Policy, while we have a legitimate business need to do so, or as required by law (e.g., for tax, legal, accounting, or other purposes), whichever is the longer.

If you have elected to receive marketing communications from us, we retain information about your marketing preferences until you opt out of receiving these communications and in accordance with our policies.

To determine the appropriate retention period for your Personal Information, we will consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we use your Personal Information and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances, we may anonymize your Personal Information so that it can no longer be associated with you, in which case it is no longer Personal Information.

The Northeastern entity that collects your personal information (referred to under some laws as the “data controller”) is responsible for the processing of your personal information in accordance with this policy. The Northeastern entities include Northeastern University, registered at 360 Huntington Avenue, Boston MA 02115 USA, Northeastern University – London, KRI at Northeastern University, LLC, 141 South Bedford Street, Burlington MA 01803 USA, and NU Institute Dublin, registered at Suite 3, One Earlsfort Centre, Lower Hatch Street, Dublin 2, D02 X288. Northeastern University – London is registered as a data controller with the UK Information Commissioner’s Office, registration number Z3136922.

Accuracy

Northeastern makes reasonable efforts to maintain the accuracy of your Personal Information. As a general matter, you may update Personal information in the applicable Northeastern self-service applications into which you have submitted and have access to your Personal Information. For records not available via self-service, you may request a correction if there is an error or omission by submitting a request as described in the Other Rights section below. The university will correct the error or omission where required, and if it decides not to, will note that a correction request was requested but not made in the file.

Automated Decision-Making

In the event that the university uses your personal information to carry out wholly automated decision-making (including profiling) which produces legal or similarly significant effects concerning an individual, the university will inform you at the point where any such data is collected and request consent where required by law.

Other Rights

Depending on your country of residence (such as Canada or the UK) and subject to specific exceptions under applicable laws, you be entitled to exercise of one or more of the following rights:

• Access your personal information
• Take your personal information (i.e., the right of portability)
• Delete your personal information
• Object to or restrict use of your personal information
• Withdraw consent to processing of your personal information

The university will comply with requests in a timely manner consistent with applicable data protection law and to the extent appropriate given the purposes for which Northeastern collected and is using your Personal Information. The University will facilitate the same, where possible, with third parties with whom it may have shared your Personal Information.  In some cases, however, Northeastern may not agree to some or all of your request if:  it is not permitted or required under applicable law or contractual obligation; continued processing is necessary for the purpose for which it was collected; processing is for public health, research or statistical purposes; the request is not consistent with the University’s legal obligations or is necessary for the defense of legal claims; or it is necessary for the performance of a contract between an individual and Northeastern. In such cases, Northeastern will provide reasons for its refusal and the name of the person who can answer questions about the request. 

If there are general questions about accessing Personal Information or if you would like to exercise established rights under applicable law with respect to your Personal Information that is not stored in a self-service application, you may submit a request to privacy@northeastern.edu.

When submitting a request to exercise a right under this section, you must include:

• Your full name, email and physical address and function
• Sufficient details to enable Northeastern to identify the records (for example, the individual’s ID# or dates of employment)
• A description of request, in as much detail as possible, including the reason for the request

In order to process the request, the University will need original proof of identity, and if making the request on the behalf of another individual, evidence of authorization to do so. The University will process received requests promptly and within the timeframe required by applicable law.

Additional questions about your rights can be directed to privacy@northeastern.edu.

This Privacy Policy does not apply to any information you elect to post to any public areas of our Sites. This includes, but is not limited to, comments to Northeastern University blogs or forums. Comments posted to public areas may be viewed, accessed, and used by third parties subject to those third parties’ privacy practices and policies.

The Site and Apps may contain links to other websites not operated or controlled by us (“Third-Party Sites”), including social media websites and services. We are not responsible for the privacy policies or data practices of such sites. By providing these links we do not imply that we endorse or have reviewed these sites. Please read the privacy policies of these sites before you visit them to understand their privacy practices and policies.

Do-Not-Track is a public-private initiative that has developed a “flag” or signal that an internet user may activate in the user’s browser software to notify websites that the user does not wish to be “tracked” by third-parties as defined by the initiative. The online community has not agreed on what actions, if any, should be taken by the websites that receive the “do not track” signal, and therefore Do-Not-Track is not yet standardized. Our website does not alter its behavior or change its services when it receives a “do-not-track” flag or signal from your browser.

If you have any questions or complaints related to the handling of your Personal Information or you would like to exercise rights that you may have under applicable law (such as the right to access or remove your Personal Information stored in Northeastern University systems, you may exercise these rights by contacting the Northeastern Chief Privacy Officer via email at privacy@northeastern.edu or in writing to:

Chief Privacy Officer
Northeastern University
716 Columbus Avenue, Suite 301
Boston, MA 02115 USA

You may also contact the Northeastern University London Data Protection Officer, whose contact information is:

Data Protection Officer
Northeastern University – London
Devon House, 58 St. Katharine’s Way
London E1W 1LP
dpo@nulondon.ac.uk 

In order to process your complaint or request, you must include the following information:

• your name and role (applicant, student, or employee);
• contact information, including your email and postal addresses;
• the nature of the compliant or request (e.g., is it related to access, correction, deletion, restriction, portability, consent, automated decision making);
• the item(s) of information with respect to which you wish to exercise your rights);
• the reason for the complaint or request; and
• the names and correspondence with any University staff with whom you may have already engaged about the subject matter of the complaint or request.

Please note that there are some instances where the University may deny a request to access or remove information in accordance with applicable law. The University will generally respond to requests no later than sixty (60) days after receipt, unless a shorter time period is provided under applicable law. If a request is denied, we will send a written explanation explaining the reason for the denial and a notification of your right to file a written statement of disagreement. The University may also provide a right to have the denial reviewed. If the University is unable to act within the earlier of sixty (60) days or the time period provided under applicable law, we may extend that time by no more than an additional thirty (30) days. If we need to extend this time, we will notify you of the extension and the date by which we will complete action on your request.

Residents of Ireland and Canada who are not satisfied with the university’s response to a request or complaint under this Privacy Policy may have it reviewed by the data protection authority that is authorized to hear those concerns, which may include the Ireland Data Protection Commission, the Privacy Commissioner of British Columbia or Ontario or the Privacy Commissioner of Canada (as applicable).  Residents of the United Kingdom may contact the Information Commissioner’s Office via its complaint form or by calling 0303-123-1113.

Northeastern University does not knowingly solicit or collect Personal Information from users under the age of 13. If you believe we have inadvertently collected information about a child under 13 through our Sites or the Apps, please contact us at privacy@northeastern.edu and we will endeavor to delete the information.