U.S. STATE PRIVACY NOTICE
Effective Date: July 21, 2023
This U.S. State Privacy Notice (this “Notice”) applies to “Consumers” as defined under privacy laws in California, Colorado, Connecticut, Utah and Virginia, including the California Consumer Privacy Act (California Civil Code § 1798.100 et seq.), as amended (including, without limitation, by the California Privacy Rights Act (the “CCPA”), the Colorado Privacy Act (Colorado Revised Statute Title 6 Article 1 Part 13 § 6-1-1301 et seq.) (“CPA”), Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (Public Act No. 22-15), the Utah Consumer Privacy Act (Utah Code Ann. § 13-61-101 et seq.) and the Virginia Consumer Data Privacy Act (collectively, “U.S. Privacy Laws”). This Notice is a supplement to our other privacy policies or notices, including our joint Nitro and Scholly Privacy Policy (the “Privacy Policy”). In the event of a conflict between any other policy, statement, or notice and this Notice, this Notice will prevail as to Consumers and their rights under the applicable state privacy law. Capitalized terms used but not defined herein will have the meanings given to them in the Privacy Policy.
This Notice is designed to provide you with notice of our data practices over the prior 12 months as required under some U.S. Privacy Laws, including through the Services and anywhere this Notice is posted. We reserve the right to amend this Notice at our discretion and at any time. When we make changes to this Notice, we will post an updated version on the Service and update the Effective Date (which will be the date that this Notice was last updated).
Section A of this Notice covers our collection, use, and disclosure of Consumers’ personal information or personal data (referred to herein as “personal information”) as defined under the U.S. Privacy Laws. Section B of this Notice describes your rights under U.S. Privacy Laws and explains how to exercise those rights. Section C describes your rights under other state laws (which are different from the rights discussed in Section B), and Section D provides information on how to contact us in relation to our privacy practices.
This Notice does not apply to data that is collected in a human resources context. For example, if you are a California resident and an employee, former employee, or applicant of SLM NitroCollege LLC or one of its affiliated or related entities, or if we have collected data from or about you otherwise in a HR context, please visit here for our California Employee Privacy Notice.
Notably, this Notice does not apply to data that is not treated as personal information under U.S. Privacy Laws or to the extent the data is subject to an exemption under U.S. Privacy Laws, such as data regulated by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the California Financial Information Privacy Act, or the Driver’s Privacy Protection Act of 1994. This Notice also does not apply to information collected by third-party content, websites, applications, platform, code (e.g., plug-ins, application programming interfaces, and software development kits), and certain cookies and other tracking technologies.
A. COLLECTION, USE, AND DISCLOSURE OF PERSONAL INFORMATION
Generally, we collect, retain, use, and disclose your personal information in order to provide you products and services and to operate our business, as described below in more detail (“Processing Purposes”). This may include disclosing or otherwise making personal information available to our vendors that perform services for us (including “service providers” and “processors,” as those terms are defined under U.S. Privacy Laws (collectively, “Vendors”). Some of the Processing Purposes, as we discuss below, implicate a “sale,” “sharing”, and or “targeted advertising,” as those terms are defined by U.S Privacy Laws. For more details on the meaning of sale, sharing, and targeted advertising, and how to opt-out of them, please visit the “Right to Opt Out of Sales/Sharing/Targeted Advertising” section below.
Processing Purposes:
Generally, we collect, use, and disclose your personal information in connection with the operation of our business, including for the following Processing Purposes:
- a. Providing our products and services – to provide you with information or services or to perform activities that you have requested or information you agreed to receive or to provide you with special offers or materials on behalf of us or our Third-Party Partners (as defined below) that may be of interest to you.
- b. Facilitating your relationship with our Third-Party Partners – to provide services and facilitate services provided by third-parties, we may disclose your personal information to certain trusted third parties so that they can provide you with services you have requested or that you may be otherwise interested in (collectively, “Third-Party Partners”). These Third-Party Partners may include scholarship providers, financial services providers, and companies in the consumer service industry.
- c. Customizing your experience, offers, and content – to enhance your experience on our Service and the products and services we offer, you may be delivered curated content on our sites including marketing for our own products or service offerings or that of our Third-Party Partners.
- d. Register and administer accounts – to process your registration with the Service, verify your information is active and valid, and to manage your account.
- e. Customer service and communications – to respond to questions, comments, or requests that you have for us or for other customer service purposes; to contact you with regard to your use of the Service and, in our discretion, changes to the Service and/or Service’s policies; and to verify eligibility for certain services offered by us or our Third-Party Partners.
- f. Research, development, and analytics – to better understand how users access and use our Service, both on an aggregated and individualized basis, in order to improve our Service and respond to user desires and preferences, and for other research and analytical purposes.
- g. Ad measurement, attribution, and other ad administration – to assist us in determining relevant advertising and to determine the success of our advertising campaigns and to help us determine where to place our ads, including ads placed on other websites. These activities may be carried out by us, our Vendors, and/or our Third-Party Digital Businesses, as that term is defined below.
- h. Market research and customer satisfaction – to administer surveys and questionnaires, such as for market research or customer satisfaction purposes.
- i. Targeting advertisements – to provide you or your device with customized advertisements based on your interests.
- j. Safety, Security, and compliance with legal obligations – for prevention, detection, investigation, and mitigation of illegal activities, fraud, injury to others or violation of our Terms of Use or our Privacy Policy.
- k. Disclosed purposes – for purposes disclosed at the time you provide your personal information.
- l. Additional compatible purposes – for purposes that are compatible with the purpose of collecting your personal information and that are not prohibited by law.
The first column in the table below describes the categories of personal information we collect, as well as examples of data within such categories. The second column lists Processing Purposes applicable to each category of personal information. The third column states the categories of recipients that receive those specific categories of personal information and sensitive personal information as part of disclosures for business purposes, as well as disclosures which may be considered a sale or sharing under certain U.S. Privacy Laws.
| Category of Personal Information | Processing Purposes | Categories of Recipients |
|---|---|---|
| 1. Identifiers and contact information (such as name, phone number, address, email address, mobile identification number, IP address, cookie ID.) | a, b, c, d, e, f, g, h, I, j, k, and l. | Disclosures for business purposes:
Sale/Sharing Recipients: Third-Party Digital Businesses Third-Party Partners |
| 2. Personal Records (such as name, signature, address, telephone number, education, employment, employment history, bank account number, credit card number, debit card number.) | a, b, c, d, e, h, I, k, and l. | Disclosures for business purposes:
Software, communications, storage and other business Vendors
Sale/Sharing Recipients: Third-Party Partners |
| 3. Personal Characteristics or Traits (such as age, marital status, sex, sexual orientation, veteran or military status, racial or ethnic origin, religious or philosophical beliefs, union membership or genetics data.) | a, b, c, f, g, h, I, k, and l. | Disclosures for business purposes:
Software, communications, storage and other business Vendors Marketing Vendors Affiliates and related entities Sale/Sharing Recipients: Not Applicable |
| 4. Transaction / Commercial Information (such as products or services used, purchased, or considered; Third-party Partners’ or Third-Party Digital Businesses’ products or services considered; and other purchasing or consuming histories or tendencies provided by business and marketing Vendors.) | a, b, c, e, f, g, h, I, j, k, and l. | Disclosures for business purposes:
Software, communications, storage and other business Vendors
Sale/Sharing Recipients: Not Applicable |
| 5. Biometric Information (such as fingerprint.) | Not Applicable | Not Applicable |
| 6. Internet Usage Information (such as search, browsing history, and other interactions with the Service.) | a, b, c, f, g, h, I, j, k, and l. | Disclosures for business purposes:
Software, communications, storage and other business Vendors
Sale/Sharing Recipients: Third-Party Digital Businesses |
| 7. Location Data (such as where you enable location-based features on your Device, or we may infer your rough location (such as zip code) as part of the Services.) | a, b, c, d, e, f, g, h, I, j, k, and l. | Disclosures for business purposes:
Software, communications, storage and other business Vendors
Sale/Sharing Recipients: Third-Party Digital Businesses Third-Party Partners |
| 8. Audiovisual and Similar Information (such as customer service call recordings.) | a, d, e, f, j, k, and l. | Disclosures for business purposes:
Software, communications, storage and other business Vendors
Sale/Sharing Recipients: Not Applicable |
| 9. Professional or Employment Information (such as your title, affiliated organization, professional expertise and experience, and education related information.) | a, b, c, f, g, h, I, k, and l. | Disclosures for business purposes:
Software, communications, storage and other business Vendors
Sale/Sharing Recipients: Third-Party Partners |
| 10. Non-public Education Records (such as education institution transcripts you may upload yourself into your scholarship search account.) | a, b, c, f, g, h, I, k, and l. | Disclosures for business purposes:
Software, communications, storage and other business Vendors Marketing Vendors Affiliates and related entities Sale/Sharing Recipients: Not Applicable |
| 11. Inferences from Personal Information Collected | a, b, c, f, g, h, I, k, and l. | Disclosures for business purposes:
Software, communications, storage and other business Vendors
Sale/Sharing Recipients: Not Applicable |
| Sensitive Personal Information | ||
| Account information and password (we may store your account log-in in combination with a password in our systems.) | a, d, e, f, g, h, I, j, k, and l. | Disclosures for business purposes:
Software, communications, storage and other business Vendors
Sale/Sharing Recipients: Not Applicable |
| Precise Geolocation Data | Not Applicable | Not Applicable |
| Sensitive Personal Characteristics (such as race, ethnicity, and religious affiliation that you voluntarily provide when you utilize our education products and services.) | a, b, c, f, k, and l. | Disclosures for business purposes:
Software, communications, storage and other business Vendors
Sale/Sharing Recipients: Third-Party Partners |
| Children’s Data | Not Applicable | Not Applicable |
| Personal Information collected and analyzed concerning a Consumer’s health | Not Applicable | Not Applicable |
| Communications Content (contents of email and other communications that you make through or on the Service not directed at us.) | Not Applicable | Not Applicable |
We also may disclose each category of personal information and sensitive personal information in the table to the following categories of recipients in a manner that does not constitute a sale or sharing of such information:
- to you or to other parties at your direction or through your intentional action;
- to the government or private parties to comply with applicable law or legal process;
- in connection with a corporate transaction, such as a divestiture, merger, consolidation, or asset sale, in which case we will transfer such information to the buyer or successor entity in any such corporate transaction; and
- in addition, our Vendors and the other recipients listed in the above table may, subject to contractual restrictions imposed by us and/or legal obligations, also use and disclose your personal information. For example, our Vendors and the other categories of recipients listed in the table above may engage subcontractors to enable them to perform services for us or process for our business purposes.
PROCESSING PURPOSES IMPLICATING SALE, SHARING, TARGETED ADVERTISING, AND PROFILING
When you provide us personal information for the following Processing Purposes, we may use and disclose such personal information for such purposes in a way that may constitute selling and/or sharing, as well as processing of your personal information for purposes of targeted advertising, as those terms are defined by U.S. Privacy Laws.
- providing our products and services;
- facilitating your relationship with our Third-Party Partners; and
- for purposes disclosed at the time you provide your personal information
Processing Purposes that may implicate selling and/or processing of your personal information for targeted advertising include the following:
- targeting advertisements;
- facilitating your relationship with our Third-Party Partners;
- ad measurement, attribution, and other ad administration; and
- for purposes disclosed at the time you provide your personal information;
SOURCES OF PERSONAL INFORMATION
As described in our Privacy Policy, we collect personal information directly from you or from your device, Third-Party Digital Businesses, Third-Party Partners, Vendors, our affiliates and related entities, other individuals (e.g., your friends, your family (such as your parents) and others that use the Service and submit content concerning you or about you) and other third parties.
SESSION REPLAY TECHNOLOGY
We use session recording and replay technology to observe your mouse movements, scrolling, and clicks on our websites. We use these tracking tools for support and analytics purposes, and to better understand how people engage with our websites. This information is often collected and processed by our service providers who we have engaged to analyze this information on our behalf. When you visit our websites, you are asked to consent to our collection, use, and disclosure of this information using session replay technology. If you do not consent, this information will not be collected. For more information about our data practices, please see our Privacy Policy.
DATA RETENTION
Because there are so many different types of personal information in certain categories, and so many purposes and use cases for different data, we are unable to provide retention ranges based on categories of personal information in a way that would be meaningful and transparent to you. Actual retention periods for all personal information will depend upon how long we have a legitimate purpose for the retention consistent with the collection purposes and applicable law. For instance, we may maintain business records for so long as relevant to our business, and may have a legal obligation to hold personal information for so long as potentially relevant to prospective or actual litigation or government investigation. We apply the same criteria for determining if we have a legitimate purpose for retaining your personal information that you ask us to delete. For more information on deletion requests, see the “Right to Delete” section below.
B. CONSUMER RIGHTS REQUESTS
As described in further detail below, subject to meeting the requirements for a Verified Consumer Request (defined below), we provide Consumers – which are, for clarity, residents of California, Colorado, Connecticut, Utah and Virginia – the privacy rights described in this section. If you are not a resident of California, Colorado, Connecticut, Utah or Virginia, you are not entitled to exercise these rights.
MAKING A REQUEST AND SCOPE OF REQUESTS
As permitted by the U.S. Privacy Laws, any request you submit to us is subject to an identity verification process as described below in the“Verifying Your Request” section below. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected personal information. Any request that has satisfied such verification process is referred to herein as a “Verified Consumer Request.”
To make a request, other than a Do Not Sell/Share/Target request, please submit your request to us by one of the methods below. For instructions on how to submit a Do Not Sell/Share/Target request, please go to the “Right to Opt Out of Sales/Sharing/Targeted Advertising” section below.
- Call us at 1-833-618-0661
- Visit our webform
Some information we maintain about Consumers that is technically considered personal information may nonetheless not be sufficiently associated with information that you provide when making your request. For example, if you provide your name and email address when making a request, we may be unable to associate that information with certain data collection on the Service, such as clickstream data tied only to a pseudonymous browser ID. Where we are unable to associate such information with the information you provide, we will be unable to include such information in response to requests.
We will make commercially reasonable efforts to identify personal information that we collect, process, store, disclose, and otherwise use and to respond to your privacy requests. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.
VERIFYING YOUR REQUEST
When you make a request, we will verify that you are the person you say you are, or, if you are seeking information on behalf of another person, that you are authorized to make the request on their behalf (see our “Authorizing an Agent” section immediately below). In addition, we will compare the information you have provided to ensure that we maintain personal information about you in our systems. As an initial matter, we ask that you provide us with full name, mailing address, email address and telephone number. Depending on the nature of the request and whether we have the email address you have provided in our systems, we may request further information from you in order to verify that you are the Consumer making the request. We will review the information provided as part of your request and may ask you to provide additional information via e-mail or other means to complete the verification process. We will not fulfill your Right to Know, Right to Delete, or Right to Correct request unless you have provided sufficient information for us to reasonably verify you are the Consumer that is the subject of the request. The same verification process does not apply to opt-outs of sale or sharing, or limitation of sensitive personal information requests, but we may apply authentication measures if we suspect fraud (such as verifying access to the email provided when making the request).
The verification standards we are required to apply for each type of request vary. We verify your categories requests and certain deletion and correction requests (e.g., those that are less sensitive in nature) to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. For certain deletion and correction requests (such as those that relate to personal information that is more sensitive in nature) and for specific pieces requests, we apply a verification standard of reasonably high degree of certainty. This standard includes matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you, and may include obtaining a signed declaration from you, under penalty of perjury, that you are the individual whose personal information is the subject of the request.
If we cannot verify you in respect of certain requests, such as if you do not provide the requested information, we will still take certain action as required by certain U.S. Privacy Laws. For example, if you are a California resident:
- If we cannot verify your deletion request, we will refer you to this Notice for a general description of our data practices.
- If we cannot verify your specific pieces request, we will treat it as a categories request.
AUTHORIZING AN AGENT
You may designate an authorized agent to submit a request on your behalf by submitting a request in the manners described above. If you are an authorized agent who would like to make a request, the U.S. Privacy Laws requires that we ensure that a request made by an agent is a Verified Consumer Request, as applicable, and allows us to request further information to ensure that the Consumer has authorized the agent to make the request on their behalf. Generally, we will request that an agent provide proof that the Consumer gave the agent signed permission to submit the request, and, as permitted under the U.S. Privacy Laws, we also may require the Consumer to either verify their own identity or directly confirm with us that they provided the agent permission to submit the request.
YOUR CONSUMER PRIVACY RIGHTS
RIGHT TO LIMIT SENSITIVE PERSONAL INFORMATION PROCESSING
Certain personal information qualifies as sensitive data or sensitive personal information under the U.S. Privacy Laws, which we refer to in this Notice as “sensitive personal information”. You may, depending on your state of residency, have the right to direct us to limit our use and disclosure of sensitive personal information if we use or disclose it beyond certain internal business purposes. Where applicable, we will treat such request as a revocation of any consent that you may have provided to your processing of sensitive personal information.
RIGHT TO KNOW/ACCESS
You have the right to request that we provide you certain information to you about our collection, use and disclosure of your personal information related to categories of personal information. You can request that we confirm whether we are processing your personal information, and disclose to you: (1) the categories of personal information we collected about you; (2) the categories of sources for the personal information; (3) our business or commercial purpose for collecting or selling that personal information ; (4) a list of the categories of personal information disclosed for a business purpose in the prior 12 months and, for each category of personal information, the categories of recipients; and (5) a list of the categories of personal information sold or shared about you in the prior 12 months and, for each, the categories of recipients.
You also have the right to request a transportable copy of the specific personal information we collected about you. Please note that personal information is retained by us for various time periods, so there may be certain information that we have collected about you that we have not retained (and thus, it would not be able to be included in our response to you). Based on your state of residence, we may apply a limit on the number of “right to know” requests you make over a particular time period, as permitted under U.S. Privacy Laws.
RIGHT TO DELETE
You have the right to request that we delete any of your personal information that we have collected and retained, subject to certain exceptions which we will explain if they apply. After your deletion request is determined to be a Verified Consumer Request, and subject to permitted retention exceptions, we will carry out one or more of the following: (i) permanently erase your personal information on our existing systems with the exception of archived or back-up systems, (ii) deidentify your personal information, or (iii) aggregate your personal information with other information. In our response to your request to delete, we will tell you the method for deleting your personal information. Where legal exceptions will apply to your request for deletion, we will tell you which one(s) and will limit retention to the permitted purpose(s). Note that in some states, such as California, the right to delete only applies to personal information that we have collected directly from you.
RIGHT TO CORRECT
You have the right to request that we correct inaccuracies that you find in your personal information that we maintain. Your request to correct is subject to our verification process (discussed above) and the response standards in the applicable U.S. Privacy Laws.
RIGHT TO OPT OUT OF SALES/SHARING/TARGETED ADVERTISING
Under the various U.S. Privacy Laws, Consumers have the right to opt-out of certain processing activities. California and certain other states have opt-outs specific to targeted advertising activities – which California’s law refers to as “cross-context behavioral advertising”, and others simply as “targeted advertising” – which involve the use of personal information from different businesses or services to target advertisements to you. California provides Consumers the right to opt-out of “sharing,” which includes providing or making available personal information to third parties for such targeted advertising activities, while other states provide Consumers the right to opt-out from processing personal information for targeted advertising more broadly. There are broad and differing concepts of the “sale” of personal information under the various U.S. State Privacy Laws, all of which at a minimum require providing or otherwise making available personal information to a third party.
Third-party digital businesses, including social media platforms, analytics companies, data brokers, third-party advertisers, and other tech companies that offer digital advertising services (“Third-Party Digital Businesses”) may associate cookies, web beacons (also known as pixel tags) and other similar technology (“Tracking Technologies”) on our Service that collect personal information when you use or access the Service, or otherwise collect and process personal information that we make available about you, including digital activity information. Giving access to personal information on our Service, or otherwise, to Third-Party Digital Businesses could be deemed a sale or sharing and could implicate targeted advertising under some state laws. Therefore, we will treat such personal information collected by Third-Party Digital Businesses (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) as such, and subject to the opt-out requests described above. In some instances, the personal information we make available about you is collected directly by such Third-Party Digital Businesses using Tracking Technologies on our Service or our advertisements that are served on third-party sites (which we refer to as “cookie PI”). However, certain personal information which we make available to Third Party Digital Businesses is information that we have previously collected directly from you or otherwise about you, such as your email address (which we refer to below as “non-cookie PI”). For information regarding other categories of third parties to which we may sell or share your personal information, see the table above in the “Collection, Use and Disclosure of Personal Information” section above.
When you opt-out pursuant to the instructions below, it will have the effect of opting you out of sales, sharing, and targeted advertising, such that our opt-out process is intended to combine all of these state opt-outs into a single opt-out. Instructions for opting out are below. Please note that there are distinct instructions for opting out of cookie PI and non-cookie PI, which we explain further, below.
Opt-out for non-cookie PI: If you would like to submit a request to opt-out of our processing of your non-cookie PI (e.g., your email address) for targeted advertising, or opt-out of the sale or Sharing of such data, make an opt-out request here.
Opt-out for cookie PI: If you would like to submit a request to opt-out of our processing of your cookie-related PI for targeted advertising, or opt-out of the sale/sharing of such PI, you can exercise an opt-out request by visiting our interactive webform here and following the instructions. You must exercise your preferences on each of our websites you visit, from each browser you use, and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective, and you will need to enable them again via our cookie management tool.
Your Additional Cookies Choices
Third-Party Digital Businesses may use cookies and other Tracking Technologies to recognize your device and/or to collect and record information about your visits to the Service, so that they can facilitate feature functionality, measure the effectiveness of ads, track page usage and paths followed during visits, and provide interest-based advertisements to you. These companies may provide this data to us. If you would like more information about this practice and to know your choices about certain kinds of online interest-based advertising, please visit National Advertising Initiative Consumer Opt Out, Digital Advertising Alliance Your AdChoices, or AdChoices for your mobile device. We do not provide any assurances that these third-party tools, programs or statements are complete or accurate.
Some of the U.S. Privacy Laws also require us to state that we do not knowingly sell or share the personal information of Consumers under 16.
AUTOMATED DECISION MAKING AND PROFILING
We do not believe we carry out “profiling” in furtherance of “decisions that produce legal or similarly significant effects,” as those terms are defined by U.S. Privacy Laws. If we change our practices, we will change this policy and provide you with the right to opt-out of such activities as required by the applicable U.S. Privacy Laws, subject to any applicable exceptions.
APPEAL RIGHTS
Residents of certain states have the right to appeal a decision regarding a privacy request. You can exercise this right by responding to the email we send containing our response to your request and following the instructions in such email. As of the Effective Date, residents of Colorado, Connecticut, and Virginia have this right.
RIGHT TO NON-DISCRIMINATION; INCENTIVE/LOYALTY PROGRAMS
You have the right not to receive discriminatory treatment, in a manner prohibited by U.S. Privacy laws, for the exercise of your privacy rights.
C. OTHER CALIFORNIA NOTICES
Although our services are intended for an audience over the age of majority, any California residents under the age of eighteen (18) who have registered to use our services, and posted content on the Service, can request removal by contacting us, detailing where the content is posted and attesting you posted it. We will then make reasonably good faith efforts to remove the post from prospective public view or anonymize it, so the minor cannot be individually identified to the extent required by applicable law. This removal process cannot ensure complete or comprehensive removal. For instance, third parties may have republished or archived content by search engines we do not control.
D. CONTACT US
If you have any questions about our Privacy Policy, this Notice or practices described in it, you may contact us at:
Customer Privacy
SLM NitroCollege LLC
P.O. Box 3010
Wilmington, DE 19804-4319