Skip to Content

Privacy Policy

University of Denver Online Privacy Notice

[Updated 7/18/2024]

The University of Denver (“DU”) is committed to protecting individuals’ privacy rights while also balancing its legal, policy, and administrative duties in the management of DU data.

This Privacy Notice applies to the information DU collects when you visit the main website (ocm.xgcr.net) and other websites that we own and/or control and that refer or link to to this Privacy Notice (together, the “Sites”).

This Privacy Notice outlines what types of information DU collects, how this information is processed, as well as the choices that are available to you regarding the use of the information you provide.

Unless otherwise indicated on a specific Site, DU is the data controller for all information collected on the Sites. Contact information for DU is listed at the end of this Privacy Notice.

DU intends for this Privacy Notice to be a general statement of its privacy policy and may be subject to more specific privacy notices that pertain to personal information solely related to a specific department or function.

  • Privacy Principles

    We follow the following principles in order to protect your privacy:

    • We do not collect any more personal data about you than is necessary;
    • We only use your personal data for the purposes we specify in this Privacy Notice, unless you agree otherwise;
    • We do not keep your personal data if it is no longer needed; and
    • Other than as we specify in this Privacy Notice, we do not share your personal data with third parties. 
  • Collection of Information

    When you access or use the Sites, we may collect and process the following types of information from you:

    • Personal Data” is any information that we can reasonably use to identify you.  
    • Sensitive Personal Data” includes special categories of Personal Data (e.g., racial or ethnic origin, citizenship, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, and data concerning a natural person’s sex life or sexual orientation) for which applicable law provides enhanced protections.

    The table below describes the Personal  Data and Sensitive Personal Data that we collect, why we collect it, and our legal basis for processing it.

    Purpose of ProcessingCategories of Personal DataLegal Basis
    As part of the graduate and undergraduate admissions process, we collect applicant Personal Data to evaluate applications. We also may obtain Personal Data from third parties, such as other schools, references, family members, and education partners (e.g., The Common Application, Inc., Law School Admissions Council, The College Board, etc.) as part of an application package.Name, address,
    contact details, race/ethnicity,
    demographic information, educational history, testing history, and other relevant information as part of the application package.

    Legitimate Interest: Personal Data collected through the graduate or undergraduate application is necessary to evaluate candidates for admissions and for our internal statistical and analytics purposes.

    Consent: Processing of Sensitive Personal Data for purposes stated above

    To evaluate and determine whether financial aid opportunities are available to an applicantName, address, contact details, demographic information, salary history, tax forms and other relevant information to evaluate financial aid eligibility and opportunities.

    Legitimate Interest: Personal Data collected through the financial aid application is necessary to evaluate whether the applicant is eligible to receive financial aid and for our internal statistical and analytics purposes.

    Consent: Processing of Sensitive Personal Data for purposes stated above

    To support course registrationName, DU Unique ID, contact informationLegitimate Interest: Personal Data collected for matriculated students, staff, faculty and members of the public, as appropriate for the course, to register in courses or classes
    To process requests for housing and dining servicesName, DU Unique ID, contact informationLegitimate Interest: Personal Data collected to facilitate housing requests and for available meal plans
    To provide online/hybrid training, online/hybrid academic courses, and other online/hybrid educational programsName, DU unique ID, contact information, demographic information, platform usage and interaction, student-provided data and contentLegitimate Interest: To facilitate provision, administration, instruction, and quality improvement of platform use, courses, learning, and teaching/instruction to matriculated students, staff, faculty, and members of the public, as appropriate for the course
    To enroll interested individuals in research opportunitiesName, contact informationLegitimate Interest: Upon request from the individual, inform registrants about research opportunities
    To enroll in wellness programsName, DU Unique ID

    Legitimate Interest: For eligible individuals interested in participating in a variety of wellness programs, courses, activities, facilitate enrollment and communications about the programs

    Contract: If there is a contract for participation in wellness programs, Personal Data is processed pursuant to that contract

    To process employment applicationsName, DU Unique ID (if available), demographic information, resumesLegitimate Interest: For individuals interested in employment opportunities, processing applications
    To process visa applicationsName, demographic information, financial information, passport numberLegal Requirements
    To request and receive donations, and assess donor and prospective donor giving activitiesName, contact information, demographic and biographic information, education records, employment information, affiliation to DU, giving history, payment informationLegitimate Interest: To collect and process donations/gifts and donor and prospective donor information
    To receive brochures or other informationName, contact informationLegitimate Interest: To send brochures or other requested information
    To purchase tickets to eventsName, DU Unique ID (if available), contact informationContract: To process ticket payment for a variety of events
    For event registrationName, DU Unique ID (if available), contact informationLegitimate Interest: To process registration for sports, cultural, educational and other university events
    To purchase parking passes and permitsName, DU Unique ID, contact informationContract: To facilitate payments for parking passes and permits
    To submit requests for services (e.g., IT, help desk, help line, etc.)Name, DU Unique ID, contact information

    Legitimate Interest: To process service requests from students, staff and faculty

    Contract: If there is a contract that governs your use of such services, Personal Data is processed pursuant to that contract

    Website account registrationName, contact information, alumni statusLegitimate Interest: For websites that require registration for access, to facilitate the registration
    Travel sitesName, DU Unique ID, contact information, passport number, loyalty membership information, emergency contacts

    Legitimate Interest: To facilitate travel arrangements and coordination for students and affiliated travelers through DU programs

    Contract: If there is a contract that governs your use of travel sites, Personal Data is processed pursuant to that contract

    Accessing websites and mobile applicationsIP address, browser type and device type, log files, internet service provider, pages visited (including referring/exit pages), operating system, date/time stamp and/or clickstream data; Cookies; Mobile device sensor information.Legitimate Interest: To respond to user requests, providing users with relevant information, and conducting analytics

     

     

  • Legal Basis for Processing

    Legal Basis for Processing

    Our legal basis for collecting and using the personal data described in this Privacy Notice will depend on the personal data concerned and the specific purposes for which we collect it. We collect and use your information for a variety of purposes, including those that (a) are in our legitimate interests (for example, providing educational offerings, evaluating your academic performance, conducting admissions research, managing internal administrative tasks, conducting analytics to improve websites or program offerings, and requesting gifts or donations), (b) are necessary in order to enter into or perform a contract with you (for example, providing educational programs, processing your application for admission, processing your payments or donations, registering you for courses or events, and managing employment or other work relationships), (c) you consent to, or (d) are necessary to comply with our legal obligations (for example, financial aid reporting, tax filing, and reporting of adverse events to regulatory agencies).

    If you wish to learn more about specific legal grounds we rely on to process your information for any particular purpose (including any legitimate interests we have to process this information), please contact us.

  • Recipients of Personal Data

    Recipients of Personal Data

    We do not rent or sell your personal data to third parties, and will disclose it only in the following ways:

    • To our third party service providers, as reasonably necessary for the uses described in this Privacy Notice. We ask our service providers to limit their use of personal data, and require them to agree to protect your personal data under written agreements;
    • To other institutions with which we run joint programs;
    • With any potential acquirer, successor or assignee as part of a reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business or assets;
    • As required or permitted by applicable law, if we believe that such disclosure is (a) reasonably necessary to comply with legal process and law enforcement instructions and orders, such as a search warrant, subpoena, statute, judicial proceeding, or other legal process served on us, (b) helpful to prevent, investigate, or identify possible wrongdoing in connection with our Services, (c) helpful to protect our rights, reputation, property, or that of our students, visitors, users, corporate affiliates, or the public, or (d) to enforce compliance with our agreements with you; and
    • As otherwise authorized by you.
  • Personal Data Obtained from Third Parties

    Personal Data Obtained from Third Parties

    We may obtain certain Personal Data about you from third party sources, which we may use for the purposes and in the ways described in “Collection of Information” and “Purposes for Processing Personal Data” above. In some cases, we may obtain your consent for additional uses.

    Service Providers: We use service providers, such as application facilitators (for example, the Common Application and the College Board) and payment processors and analytics providers (for example, Qualtrics), to perform services on our behalf. Some of these service providers have access to personal data about you that we may not otherwise have (for example, when you sign up directly with that provider) and may share some or all these data with us.

    Single Sign-On: Some of our online services or research activities may allow you to register and login to those services through a third-party platform. When you login to our service through a third-party platform, you allow us to access and collect any personal data from your third-party platform account permitted under the settings and privacy statement of that platform.

    Supplemental Personal Data: We may receive additional personal data from third-party sources, such as public or private databases (for example, compilations of email or postal addresses), or companies or institutions that may sponsor or facilitate your participation in one of our programs, which we may also append to existing personal data.

  • Transfers to Third Countries Outside the EEA

    Transfers to Third Countries Outside the EEA

    DU is an educational institution located in the United States of America (“USA”). In order to provide you with the Services and otherwise fulfill our obligations to you, it is necessary for your personal data will be transferred to, and processed in, the USA. Data protection laws differ among jurisdiction, and the USA may not provide the same level of protection for personal data as your jurisdiction of residence. We will take appropriate steps to ensure that your personal data is afforded the same level of protection as described in this Privacy Notice.

  • Cookies

    Cookies

    We use cookies in connection with your use of the Sites. A cookie is a small data file that is placed on your device when you visit a website. Cookies are widely used in order to make websites work or to work more efficiently, as well as to provide reporting information. A cookie may have unique identifiers and reside, among other places, on your device, in emails we send to you, and on the Site.

    Some cookies are necessary for the website to function properly They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging-in, or filling-in forms. You can set your browser to block or alert you about these cookies, but some parts of the site may not work if you block these cookies.

    Our website also uses cookies during your on-line session for certain legitimate business interests, which may include delivering content specific to your interests, collecting the domain name of the server from which you are visiting, and providing us with information about the site’s performance. Cookies allow us to avoid showing you the same ad or other message repeatedly. Our cookies enable us to relate your use of the site to information that you have specifically and knowingly provided to our website. If you do not allow these cookies, the site may be less user-friendly.

    Some of our pages or subsites may use “targeting” cookies. These cookies may be used by us and our advertising partners to build a profile of your interests and show you relevant ads on other sites. They work by uniquely identifying your browser and device. If you do not allow these cookies, you will not experience our targeted advertising across different websites.

    You can control and/or delete cookies as you wish - for details, including how to prevent your browser from accepting cookies, or how to disable cookies.

  • Security

    Security

    The security of your personal data is important to us. We have adopted generally accepted industry standards in connection with our data collection, storage, and processing practices and security measures to protect against unauthorized access, alteration, disclosure, or destruction of your personal data, username, password, transaction information, and data stored on the Sites. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, while we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

  • Children

    Children

    We do not direct services to, and we do not knowingly collect or solicit personal data directly from, children under the age of 16.

    We do not have actual knowledge that we sell or share the Personal Data of consumers under 16 years of age. We do not and will not sell or share the Personal Data of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is between 13 and 16 years of age, or the parent or guardian of a consumer less than 13 years of age.

  • Data Retention

    Data Retention

    We will retain your personal data only for so long as is necessary for the purpose for which it was collected, or as otherwise required or permitted by law. Further information about DU’s data retention policies is available.

  • Colorado Residents - Your Privacy Choices

    Are you a resident of the State of Colorado?

    If so, and if you share Personal Data with us, you have Your Privacy Choices listed below, which you may exercise by logging into your account or contacting us.

    You can also opt-out of marketing communications by (i) clicking on the “unsubscribe” link provided in each email/SMS you might receive; or (ii) changing preferences via your account or by contacting us.

    For cookies and similar technologies, you can manage your preferences and find more information in our Cookies notice.

    Your Privacy Choices

    Right of access: You may request details of your Personal Data that we hold.

    Right of correction: We will comply with your request to edit and update inaccurate Personal Data promptly.

    Right to deletion: At your request, we will delete your Personal Data promptly if

    • it is no longer necessary to retain your Personal Data;
    • you withdraw the consent which formed the basis of your Personal Data processing;
    • you object to the processing of your Personal Data and there are no overriding legitimate grounds for such processing;
    • the Personal Data was processed illegally; or
    • the Personal Data must be deleted for us to comply with our legal obligations.

    We will inform any third parties we might have shared your Personal Data with of your deletion request.

    We will decline your request for deletion if processing of your Personal Data is necessary:

    • to comply with our legal obligations;
    • in pursuit of legal action;
    • to detect and monitor fraud; or
    • for the performance of a task in the public interest.

    Right to data portability: At your request, we will provide you free of charge with your Personal Data, and to the extent technically feasible,  in a structured, commonly used and machine readable format.

    Right not to be subject to decisions based solely on automated processing: You will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of your Personal Data unless you have given us your explicit consent or where they are necessary for a contract with us.

    Right to withdraw consent: You have the right to withdraw any consent you may have previously given us at any time. If you withdraw your consent, this will not affect the lawfulness of our collecting, using and sharing of your Personal Data up to the point in time that you withdraw your consent. Even if you withdraw your consent, we may still use your information that has been fully anonymized and does not personally identify you.

    Right to opt-out of Personal Data sharing: Pursuant to applicable law, you have the right to opt-out of us sharing your Personal Data at any time (the “right to opt-out”). As used herein, “share” refers to sharing for purposes of cross-context behavioral advertising or targeted advertising as contemplated under Colorado law.  However, "sharing" excludes text messaging originator opt-in data and consent - this information will not be shared with any third parties.

    Consumers who opt-in to Personal Data sharing may opt-out of future sharing at any time.

    To exercise the right to opt-out, you (or your authorized agent) may submit a request to us by visiting the following Internet Web page link: Do Not Share My Personal Data

    You may also exercise the right to opt-out using an opt-out preference signal in a format commonly used and recognized by businesses, such as through an HTTP header field. When we receive an opt-out preference signal, we will treat it as a valid request to opt-out of the sale or sharing for that browser or device sending the signal, and, if known, for the consumer.

    Global Privacy Control.

    Some browsers and browser extensions support the universal opt-out mechanism - Global Privacy Control (“GPC”) -  that can send a signal to the websites you visit indicating your choice to opt-out from certain types of data processing, including data "sales" as defined under certain laws. In certain territories, including the State of Colorado, when we detect such a signal, we will make reasonable efforts to respect your choices indicated by a GPC setting as required by applicable law.

    Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize Personal Data sharing. However, you may change your mind and opt-in for Personal Data sharing at any time by visiting our Preference Page.

    Exercising Your Colorado Privacy Rights.

    You do not need to create an account with us to exercise your opt-out rights. We will only use Personal Data provided in an opt-out request to review and comply with the request.

    To submit a request to exercise the Colorado Privacy rights described herein, you may:

    • Contact Us (to submit a webform request)
    • Email us at privacy@xgcr.net
    • Mail us at the following postal Address: 
      • Privacy Office
      • University of Denver
      • Administrative Office Building
      • 2601 E. Colorado Ave.
      • Denver CO 80210
    • Manage your Account: Click “Profile” in your account and then click “Permanently Delete My Account”.

    When you use a request method above, we will request certain information for verification purposes, such as your name, address, and e-mail address. We will use this information to verify this is a permitted request, such as by matching your name and address with information in our records. Depending on the type of request, we may require a certain number of data points to allow for verification.

    Only you, or a person properly authorized to act on your behalf, may make a verifiable consumer request related to your Personal Data. You may also make a verifiable consumer request on behalf of your minor child.

    An authorized agent may make a request on your behalf using the request methods designated above. Additionally, if you use an authorized agent to submit a consumer request, we may require the authorized agent to provide proof that you gave the agent signed permission to submit the request. We may also require you to verify your own identity directly with us or directly confirm with us that you provided the authorized agent permission to submit the request.

    You may only make a consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

    • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an authorized agent of such person.
    • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

    We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you.

    Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to Personal Data associated with that specific account.

    We will only use Personal Data provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

    Please note that, in certain circumstances, we will not be able to delete your Personal Data without also deleting your user account. we may be required to retain some of your Personal Data after you have requested deletion, to satisfy our legal or contractual obligations. we may also be permitted by applicable laws to retain some of your Personal Data to satisfy our business needs.

    Right to Appeal.

    We hope that we can satisfy queries you may have about the way we process your Personal Data. However, if you have unresolved concerns you also have the right to appeal our response to a privacy choice request by contacting us.  Further, if you appeal and your appeal is denied, you may the right to complain to the Colorado Attorney General.

    Response Timing and Format

    In accordance with applicable law, we endeavor to respond to consumer requests within forty-five (45) days of its receipt. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing. If you have an account with us, we may deliver our written response to that account. If you do not have an account with us, we may deliver our written response by mail or electronically, at your option.

    The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

    We do not charge a fee to process or respond to your consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

    Non-Discrimination.

    We will not discriminate against you for exercising any of your rights.

    Note: For the purposes of this section, Personal Data does not include publicly available information from government records, lawfully obtained, truthful information that is a matter of public concern, deidentified or aggregated consumer information or information specifically excluded from the scope of applicable data protection laws, such as health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Family Education Rights and Privacy Act (“FERPA”), clinical trial data or other biomedical research study or Personal Data covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA), and the Driver’s Privacy Protection Act of 1994.

  • Located in the European Economic Area (EEA) - Your Data Subject Rights

    Do you live in the European Economic Area (EEA)?

    If so, and if you share Personal Data with us, you have the Data Subject Rights listed below, which you may exercise by logging into your account or contacting us.

    You can also opt-out of marketing communications by (i) clicking on the “unsubscribe” link provided in each email/SMS you might receive; or (ii) changing preferences via your account or by contacting us.

    For cookies and similar technologies, you can manage your preferences and find more information in our Cookies notice.

    Data Subject Rights

    You have certain rights with respect to your personal data, including the right to access, correct, update, or request deletion of your personal data. DU takes reasonable steps to ensure that your personal data is reliable for its intended use, accurate, complete, and up to date. If you want to contact us directly about accessing, correcting, updating, or deleting your personal data, or altering your personal data or marketing preferences, you can do so at any time by contacting us as provided in the Contact Us section. We will consider your request in accordance with applicable laws.

    You can object to processing of your personal data, ask us to restrict processing of your personal data, or request portability of your personal data. Again, you can exercise these rights by contacting us using the Contact Us section.

    You can complain to a data protection authority about our collection and use of your personal data. For more information, please contact your local data protection authority. Contact details for data protection authorities in the EEA and Switzerland  are available.

    Similarly, if we have collected and processed your personal data with your consent, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.

    Privacy Requests and Authentication. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. We may ask you to verify your identity in order to help us respond efficiently to your request. We will only use Personal Data provided in an opt-out request to review and comply with the request.

    To submit a request to exercise the Data Subject Rights described herein, you may:

    • Contact Us (to submit a webform request)
    • Email us at privacy@xgcr.net
    • Mail us at the following postal Address:       
      • Privacy Office
      • University of Denver
      • Administrative Office Building
      • 2601 E. Colorado Ave.
      • Denver CO 80210
    • Manage your Account: Click “Profile” in your account and then click “Permanently Delete My Account”.

    When you use a request method above, we will request certain information for verification purposes, such as your name, address, and e-mail address. We will use this information to verify this is a permitted request, such as by matching your name and address with information in our records. Depending on the type of request, we may require a certain number of data points to allow for verification.

    Only you, or a person properly authorized to act on your behalf, may make a verifiable consumer request related to your Personal Data. You may also make a verifiable consumer request on behalf of your minor child.

    An authorized agent may make a request on your behalf using the request methods designated above. Additionally, if you use an authorized agent to submit a consumer request, we may require the authorized agent to provide proof that you gave the agent signed permission to submit the request. We may also require you to verify your own identity directly with us or directly confirm with us that you provided the authorized agent permission to submit the request.

    The verifiable consumer request must:

    • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an authorized agent of such person.
    • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

    We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you.

    Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to Personal Data associated with that specific account.

    We will only use Personal Data provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

    Please note that, in certain circumstances, we will not be able to delete your Personal Data without also deleting your user account. we may be required to retain some of your Personal Data after you have requested deletion, to satisfy our legal or contractual obligations. we may also be permitted by applicable laws to retain some of your Personal Data to satisfy our business needs.

  • Changes to this Privacy Notice

    Changes to this Privacy Notice

    We have the discretion to update this Privacy Notice at any time. When we do, we will revise the updated date at the top of this page. If we make material changes to this Privacy Notice, we will notify you here, by email, or by means of a notice on the Site prior to the change becoming effective. We encourage you to frequently check this page for any changes to stay informed about how we are helping to protect the personal data we collect. You acknowledge and agree that it is your responsibility to review this Privacy Notice periodically and become aware of modifications.

  • Contact Us

    Contact Us

    * If there are any questions or concerns about this Privacy Notice, please contact DU by:

    E-mail at privacy@xgcr.net

    Phone at 1-303-871-6711,

    Submitting a request via our webform, or

    Submit an inquiry through regular mail at:

    University of Denver Privacy Office
    Administrative Office Building
    2601 E. Colorado Ave.
    Denver CO 80210

    You may also contact DU’s European Representative, DP-Dock GmbH, by e-mail at unidenver@gdpr-rep.com, or through regular mail at:

    DP-Dock GmbH
    University of Denver
    Ballindamm 39
    20095 Hamburg

  • FERPA

    Family Educational Rights and Privacy

    The University is bound by the Family Educational Rights and Privacy Act (FERPA) regarding the release of student education records and, in the event of conflict with the University Policy, FERPA will govern. A guide to understanding FERPA is available in the office of the Registrar. The full text of the University's policy with regard to FERPA can be found at xgcr.net/registrar/privacy.

  • Health Records/Information

    Health Records/Information

    Users of the University Health and Counseling Center are protected under federal Health Insurance Portability and Accountability Act (HIPAA) regulations and state of Colorado laws regarding confidentiality of medical and mental health information/records. The University Health and Counseling Center's Notice of Privacy Practices can be found here