U.S. STATE PRIVACY NOTICE

Effective Date: March 20, 2024

A. INTRODUCTION
This U.S. State Privacy Notice (this “Notice”), provided by SLM Education Services, LLC and its subsidiaries and affiliates, including any successor entities if we rebrand our business under a different name (collectively, “we,” “our,” or “us”), supplements our other privacy policies or notices, including the SLM Education Services, LLC Privacy Policy (the “Privacy Policy”). In the event of a conflict between any other policy, statement, or notice and this Notice, this Notice will prevail as to Consumers and their rights under applicable state privacy laws. Capitalized terms used but not defined herein will have the meanings given to them in the Privacy Policy. SLM Education Services, LLC may also be referenced as “Education Services”.

This Notice (this “Notice”) applies to “Consumers” as defined under privacy laws in California, Colorado, Connecticut, Utah and Virginia, including the California Consumer Privacy Act (California Civil Code § 1798.100 et seq.), as amended (including, without limitation, by the California Privacy Rights Act (the “CCPA”), the Colorado Privacy Act (Colorado Revised Statute Title 6 Article 1 Part 13 § 6-1-1301 et seq.) (“CPA”), Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (Public Act No. 22-15), the Utah Consumer Privacy Act (Utah Code Ann. § 13-61-101 et seq.) and the Virginia Consumer Data Privacy Act (collectively, “U.S. Privacy Laws”).

This Notice applies to information we collect and process that are subject to U.S. Privacy Laws, including information regarding:

  • Our “Services”, which include our: (i) online services, platforms, websites or mobile applications (collectively, “Sites”); (ii) co-branded web pages, mobile applications or websites; (iii) advertising services; (iv) emails or newsletters we sponsor or send; (v) contests, sweepstakes, promotions, events, research and surveys that we sponsor or conduct; (vi) accounts on third-party social networking sites; and, (vii) other content, products and services that we make available to consumers, customers, subscribers, and/or users (collectively, “Users”).
  • Individuals who subscribe to receive news, information, and marketing communications from us.
  • Individuals who engage with us at conferences, expos, and other events in which we participate.
  • Users and other individuals that communicate or engage with us related to our Services.


“Services” also include any interactive features, widgets, plug-ins, applications, content, downloads and/or other online or offline services that we own and control (including those made available through a Site), and in each case wherever this Notice is posted.

Not Covered by This Notice

This Notice does not apply to data that is collected in a human resources context (e.g., from job applicants, employees or independent contractors). For example, if you are a California resident and an employee, former employee, or applicant of Sallie Mae, or if we have collected data from or about you otherwise in a human resources context, please visit here for our California Employee Privacy Notice. This Notice also does not apply to:

  • publicly-available personal information from government records;
  • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 and certain state health privacy laws;
  • data that is subject to certain sector-specific privacy laws and so exempt under U.S. Privacy Laws; and
  • information collected by third-party websites, applications, platforms, and code on such websites, applications and platforms (e.g., plug-ins, application programming interfaces, and software development kits).

Aggregate and Non-identifiable Information

Notwithstanding anything else in this Notice, we may collect, use, share, disclose, and otherwise process aggregate, anonymous, and in some cases de-identified information for research, marketing, analytics, and other purposes. Where we use, disclose or process de-identified information, we will maintain and use this information in de-identified form and not to attempt to reidentify the information, except in accordance with applicable privacy laws.

B. COLLECTION, USE, AND DISCLOSURE OF PERSONAL INFORMATION

Generally, we collect, retain, use, and disclose your personal information in order to provide you products and Services and to operate our business, as described below in more detail (“Processing Purposes”). This may include disclosing or otherwise making personal information available to our vendors that perform services for us (including “service providers” and “processors,” as those terms are defined under U.S. Privacy Laws (collectively, “Vendors”). Some of the Processing Purposes, as we discuss below, implicate a “sale,” “sharing”, and or “targeted advertising,” as those terms are defined by U.S Privacy Laws. For more details on the meaning of sale, sharing, and targeted advertising, and how to opt-out of them, please visit the “Right to Opt Out of Sales/Sharing/Targeted Advertising” section below.

Processing Purposes:
Generally, we collect, use, and disclose your personal information in connection with the operation of our business, including for the following Processing Purposes:


  • a. Processing transactions and providing our products and Services – to process transactions, service accounts and provide you with information or Services or to perform activities that you have requested or information you agreed to receive or to provide you with special offers or materials on behalf of us or certain trusted third parties (collectively, “Third-Party Partners”) that may be of interest to you.

  • b. Support, Maintenance and Fulfillment – We use your information to provide and maintain the Services and Sites, and to process and fulfill your requests or applications.

  • c. Vendors and Providers – We may engage vendors, agents, service providers, and affiliated entities to provide services to us or to Users on our behalf, such as support for the internal operations of our Sites and Services (e.g., operations and technical support processing), as well as related offline product support services, data storage, and other services. In providing their services, they may access, receive, maintain, or otherwise process personal information on our behalf.

  • d. Facilitating your relationship with our Third-Party Partners – to provide Services and facilitate marketing of products and services provided by third parties, we may disclose your personal information to Third-Party Partners so that they can market products and services that we believe you may be interested in. These Third-Party Partners may include scholarship providers, financial services providers, and companies in the consumer service industry.

  • e. Customizing your experience, offers, and content – to enhance your experience on our Sites and the products and Services we offer, you may be delivered curated content on our Sites, including marketing for our own products or Services, our affiliates’ products or service offerings, or those of our Third-Party Partners.

  • f. Registering and administering accounts – to process your registration with the Sites, verify your information is active and valid, and to manage your account.

  • g. Customer service and communications – to respond to questions, comments, or requests that you have for us or for other customer service purposes; to contact you with regard to your use of the Sites and, in our discretion, changes to the Sites and/or Sites’ policies; and to verify eligibility for certain services offered by us or our Third-Party Partners. We use your information to communicate with you, including sending you service information such as confirmations, invoices, notices, updates, security alerts, User surveys, and support and administrative messages.

  • h. Research, development, and analytics – for beta testing our Services or to better understand how Users access and use our Sites, both on an aggregated and individualized basis, in order to improve our Sites and respond to User desires and preferences, and for other research and analytical purposes. We use your information to measure performance and analyze key metrics relevant to our business and Services.

  • i. Ad measurement, attribution, and other ad administration – to assist us in determining relevant advertising and to determine the success of our advertising campaigns and to help us determine where to place our ads, including ads placed on other websites. These activities may be carried out by us, our vendors that perform services for us, including “service providers” and “processors,” as those terms are defined under applicable privacy laws (collectively, “Vendors”), and/or tech companies that offer digital advertising services (collectively, “Third-Party Digital Businesses”).

  • j. Market research and customer satisfaction – to administer surveys and questionnaires, such as for market research or customer satisfaction purposes.

  • k. Personalization –to personalize your experience on the Services, including suggesting and offering you relevant content and recommendations.

  • l. Advertising services – We use your information to show you ads (including personalized ads) through the Services, and on third-party websites, mobile apps, platforms and devices. We use your information to measure and understand the reach, viewership, and effectiveness of advertising, and to provide advertising analytics and reporting. We also help advertisers and advertising partners reach the desired audience and understand, measure and improve their ad campaigns. We use your information to reach you with more relevant ads and to evaluate, measure, and improve the effectiveness of our ad campaigns; to send you newsletters, offers, or other information we think may interest you; to contact you about our Services or information we think may interest you; and to administer promotions and contests.

  • m. Marketing and Promotions – We use your information for marketing purposes, including to send you alerts, notifications, emails and text messages, about products, events, promotions and offers from us or our partners, and to measure and understand the effectiveness of our marketing.

  • n. Safety, security, and compliance with legal obligations – for identity verification, prevention, detection, investigation, and mitigation of illegal or unauthorized activities, fraud, injury to us, our Users or others, or violation of our Terms of Use, our Privacy Policy, or this Privacy Notice (including click fraud), as well as to fulfill contractual, legal and regulatory requirements.

  • o. Disclosed purposes– for purposes disclosed at the time you provide your personal information.

  • p. Additional compatible purposes – for purposes that are compatible with the purpose of collecting your personal information and that are not prohibited by law, including for our legitimate business interests such as in protecting, maintaining, and improving the Services; developing new features and services; and marketing and promoting our Services (including by profiling and marketing to Users).

  • q. Improvement of products and Services – to understand and analyze our user base and how you use the Services, to improve and enhance the Services (including building correlations for use in our advertising services in order to better serve our advertisers and business partners), and to develop new products, services, features and functionalities.

  • r. Auditing, reporting, corporate governance, and internal operations –for financial, tax, and accounting audits; audits and assessments of our operations, privacy, security and financial controls, risk, and compliance with legal obligations; our general business, accounting, record keeping, and legal functions; to maintain appropriate business records; to enforce company policies and procedures; and related to any actual or contemplated merger, acquisition, asset sale or transfer, financing, bankruptcy, or restructuring of all or part of our business.

  • s. Use of aggregated or de-identified information – use of aggregated or de-identified information (i.e., information that does not personally identify you directly), or statistical information about you, including demographics data and audience segments (e.g., sports fans, sitcom enthusiasts, cord cutters, etc.), for a variety of purposes, including sharing it with third parties for their own uses, for improving their products and services for us and others, and to make ads more relevant to your interests.

  • t. Fulfilling any other purpose for which you give your consent.

SOURCES OF PERSONAL INFORMATION

Please see Section 2 of our Privacy Policy for the sources of personal information that we may collect.

PERSONAL INFORMATION WE COLLECT AND SELLING/SHARING OF PERSONAL INFORMATION
The first column in the table below describes the categories of personal information we collect, as well as examples of data within such categories. The second column lists Processing Purposes applicable to each category of personal information. The third column states the categories of recipients that receive those specific categories of personal information and sensitive personal information as part of disclosures for business purposes, as well as disclosures which may be considered a sale or sharing under certain U.S. Privacy Laws.

Category of Personal Information Processing Purposes Categories of Recipients
1. Identifiers and contact information (such as name, user name, alias, phone number, address, email address, IP address, or cookie ID, BUID, device ID, third-party platform identifiers and other online or unique identifiers). a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s and t. Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Marketing Vendors
  • Affiliates and Related Entities

Sale/Sharing Recipients:

  • Third-Party Digital Businesses
  • Third-Party Partners
2. Personal Records
(such as account and profile information, and customer records that contain personal information, such as name, address, telephone number, employment, employment history, year in school, education).
a, b, c, d, e, f, g, j, k, l, m, n, o, p, q, r, s and t. Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Marketing Vendors
  • Affiliates and related entities

Sale/Sharing Recipients:

  • Third-Party Partners
  • Third-Party Digital Businesses
3. Personal Characteristics or Traits
(such as age, marital status, sex, sexual orientation, veteran or military status, racial or ethnic origin, religious or philosophical beliefs, union membership or genetics data.)

a, b, c, d, e, h, i, j, k, l, m, n, o, p, q, r, s and t.
Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Marketing Vendors
  • Affiliates and related entities

Sale/Sharing Recipients:

  • Third-Party Partners
  • Third-Party Digital Businesses
4. Transaction / Commercial Information

(such as products or Services used, purchased, or considered; Third-party Partners’ or Third-Party Digital Businesses’ products or services considered; and other purchasing or consuming histories or tendencies provided by business and marketing Vendors.)
a, b, c, d, e, h, i, j, k, l, m, n, o, p, q, r, s and t. Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Marketing Vendors
  • Payment processing vendors
  • Affiliates and related entities

Sale/Sharing Recipients:

  • Third-Party Partners
  • Third-Party Digital Businesses
5. Biometric Information
(such as fingerprints, voice, and facial recognition.)
a, b, c, d, f, g and n.
Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Marketing Vendors
  • Affiliates and related entities

Sale/Sharing Recipients:

  • Not Applicable
6. Usage Data

(such as browsing history, clickstream data, search history, access logs, information regarding your interactions with Sites and Services and our marketing emails, newsletters, and online ads, and other usage data related to your use of the Services, such as language and preferences, statistics, click paths, preferences and friends, as well as your comments, posts, and interactions in any forums and communities).
a, b, c, d, e, h, i, j, k, l, m, n, o, p, q, r, s and t.
Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Marketing Vendors
  • Affiliates and Related Entities

Sale/Sharing Recipients:

  • Third-Party Digital Businesses
  • Third-Party Partners
7. Geolocation Data

(such as when you enable location-based features on your device, when we may infer your rough location (such as zip code) as part of the Sites, and location information about a particular individual or device, such as device location information for mobile Users).
a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s and t.
Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Marketing Vendors
  • Affiliates and Related Entities

Sale/Sharing Recipients:

  • Third-Party Digital Businesses
  • Third-Party Partners
8. Audiovisual and Similar Information
(such as audio, electronic, visual, or similar information, photographs and images (e.g., that you provide us or post to your profile), call recordings (e.g., of customer support calls), and User photos submitted (such as profile images)).
a, b, c, f, g, h, l, m, n, o, p, q, r, s and t. Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Affiliates and Related Entities

Sale/Sharing Recipients:

  • Not Applicable
9. Professional or Employment Information

(such as your title, affiliated organization, professional expertise and experience, and education related information.)
a, b, c, d, e, h, i, j, k, l, m, n, o, p, q, r, s and t. Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Marketing Vendors
  • Affiliates and Related Entities

Sale/Sharing Recipients:

  • Third-Party Digital Businesses
  • Third-Party Partners
10. Non-public Education Records

(such as education institution transcripts you may upload yourself into your scholarship search account.)
a, b, c, d, e, h, i, j, k, l, m, n, o, p, q, r, s and t. Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Marketing Vendors
  • Affiliates and Related Entities

Sale/Sharing Recipients:

  • Third-Party Partners
11. Inferences from Personal Information Collected

(such as information we collect about you that we combine and use to derive other information and inferences about you. This includes inferences drawn from other personal information that we collect to create a profile based on your account and activities, that reflect your preferences, characteristics, behavior, attitude, and abilities related to the Services and Sites).
a, b, c, d, e, h, i, k, l, m, o, p, q, r, s and t.
Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Marketing Vendors
  • Affiliates and related entities

Sale/Sharing Recipients:

  • Third-Party Partners
  • Third-Party Digital Businesses
Sensitive Personal Information
Account information and password

(we may store your account log-in in combination with a password in our systems.)
a, b, c, f, g, h, j, n, o, p, q, r, s and t. Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Affiliates and related entities

Sale/Sharing Recipients:

  • Not Applicable
Government-Issued Identification Numbers

(such as a social security, driver’s license, state identification card, or passport number).
a, b, c, f, h, n, o, p, r, s and t. Disclosures for business purposes:

  • Marketing Vendors
  • Software, communications, storage and other business Vendors
  • Affiliates and related entities

Sale/Sharing Recipients:

  • Not Applicable
Precise Geolocation Data a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s and t. Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Marketing Vendors
  • Affiliates and related entities

Sale/Sharing Recipients:

  • Third-Party Partners
  • Third-Party Digital Businesses
Sensitive Personal Characteristics

(such as race, ethnicity, and religious affiliation that you voluntarily provide when you utilize Services offered by our Education Services business).
a, b, c, d, e, g, h, k, l, m, o, p, q, r, s and t. Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Marketing Vendors
  • Affiliates and related entities

Sale/Sharing Recipients:

  • Third-Party Partners
  • Third-Party Digital Businesses
Personal Information collected and analyzed concerning a Consumer’s health a, b, c, d, f, g, n, o, p, q, r, s and t. Disclosures for business purposes:

  • Software, communications, storage and other business Vendors
  • Marketing Vendors
  • Affiliates and related entities

Sale/Sharing Recipients:

  • Not Applicable

 

We also may disclose each category of personal information and sensitive personal information in the table to the following categories of recipients in a manner that does not constitute a sale or sharing of such information:

  • to you or to other parties at your direction or through your intentional action;
  • to the government or private parties to comply with applicable law or legal process;
  • in connection with a corporate transaction, such as a divestiture, merger, consolidation, or asset sale, in which case we will transfer such information to the buyer or successor entity in any such corporate transaction; and
  • in addition, our Vendors and the other recipients listed in the above table may, subject to contractual restrictions imposed by us and/or legal obligations, also use and disclose your personal information. For example, our Vendors and the other categories of recipients listed in the table above may engage subcontractors to enable them to perform services for us or process for our business purposes.

PROCESSING PURPOSES IMPLICATING SALE, SHARING, TARGETED ADVERTISING, AND PROFILING

When we process personal information for the following Processing Purposes, we may use and disclose such personal information for such purposes in a way that may constitute selling and/or sharing, as well as processing of your personal information for purposes of targeted advertising, as those terms are defined by U.S. Privacy Laws:

  • facilitating your relationship with our Third-Party Partners; and
  • for purposes disclosed at the time you provide your personal information

Processing Purposes that may implicate selling and/or processing of your personal information for targeted advertising include the following:

  • targeting advertisements;
  • facilitating your relationship with our Third-Party Partners;
  • ad measurement, attribution, and other ad administration; and
  • for purposes disclosed at the time you provide your personal information;

PERSONAL INFORMATION OF CHILDREN AND MINORS

We do not sell or share the personal information of Consumers we know to be less than 16 years of age, unless we receive affirmative authorization from a Consumer who is between 13 and 16 years of age. We do not knowingly solicit, sell, share, or collect any personal information from anyone under the age of 13. If we learn that we have inadvertently collected personal information from a child under age 13, we will delete that personal information promptly. Consumers who consent to personal information sales or sharing may opt-out of future sales or sharing at any time. If you believe that we might have any personal information from a child under 13, please contact us at 833-556-6367 to opt-out of future sales or sharing or to inform us if your minor child is under the age of 13.

DATA RETENTION

Because there are so many different types of personal information in certain categories, and so many purposes and use cases for different data, we are unable to provide retention ranges based on categories of personal information in a way that would be meaningful and transparent to you. Actual retention periods for all personal information will depend upon how long we have a legitimate purpose for the retention consistent with the collection purposes and applicable law. For instance, we may maintain business records for so long as relevant to our business and may have a legal obligation to hold personal information for so long as potentially relevant to prospective or actual litigation or government investigation. We apply the same criteria for determining if we have a legitimate purpose for retaining your personal information that you ask us to delete. For more information on deletion requests, see the “Right to Delete” section below.

C. CONSUMER RIGHTS REQUESTS

As described in further detail below, subject to meeting the requirements for a Verified Consumer Request (defined below), we provide residents of California, Colorado, Connecticut, Utah and Virginia the privacy rights described in this section. If you are not a resident of California, Colorado, Connecticut, Utah or Virginia, you are not entitled to exercise these rights.

MAKING A PRIVACY RIGHTS REQUEST AND SCOPE OF REQUESTS

As permitted by the U.S. Privacy Laws, any request you submit to us is subject to an identity verification process as described in the “Verifying Your Request” section below. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected personal information. Any request that has satisfied such verification process is referred to herein as a “Verified Consumer Request.”


To request to exercise your Right to Know/Access, Right to Delete or Right to Correct, please submit your request to us by one of the methods below:


To make a request to exercise your Right to Opt Out or Right to Limit Sensitive Personal Information Processing, please submit your request to us by one of the methods below:

Please see “Right to Opt Out of Sales/Sharing/Targeted Advertising” to find out more about how to opt out of sales, sharing and targeted advertising involving personal information collected by cookies on our Sites.

Some information we maintain about Consumers that is technically considered personal information may nonetheless not be sufficiently associated with information that you provide when making your request. For example, if you provide your name and email address when making a request, we may be unable to associate that information with certain data collection on the Sites, such as clickstream data tied only to a pseudonymous browser ID. Where we are unable to associate such information with the information you provide, we will be unable to include such information in response to requests. We will make commercially-reasonable efforts to identify personal information that we collect, process, store, disclose, and otherwise use and to respond to your privacy requests. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

VERIFYING YOUR REQUEST


When you make a request, we will verify that you are the person you say you are, or, if you are seeking information on behalf of another person, that you are authorized to make the request on their behalf (see our “Authorizing an Agent” section immediately below). In addition, we will compare the information you have provided to ensure that we maintain personal information about you in our systems. As an initial matter, we ask that you provide us with:

  • full name;
  • mailing address;
  • email address; and
  • telephone number.

Depending on the nature of the request and whether we have the email address you have provided in our systems, we may request further information from you in order to verify that you are the Consumer making the request. We will review the information provided as part of your request and may ask you to provide additional information via e-mail or other means to complete the verification process. We will not fulfill your Right to Know, Right to Delete, or Right to Correct request unless you have provided sufficient information for us to reasonably verify you are the Consumer that is the subject of the request. The same verification process does not apply to Do Not Sell/Share/Target requests, or limitation of sensitive personal information requests, but we may apply authentication measures if we suspect fraud (such as verifying access to the email provided when making the request).

The verification standards we are required to apply for each type of request vary. We verify your Right to Know requests for categories of personal information collected and certain Right to Delete and Right to Correct requests (e.g., those that are less sensitive in nature) to a reasonable degree of certainty, which may include matching at least two data points you provide with data points we maintain, which we have determined to be reliable for the purpose of verifying you. For certain Right to Delete and Right to Correct requests (such as those that relate to personal information that is more sensitive in nature) and for Right to Know requests for specific personal information, we apply a verification standard of reasonably high degree of certainty. This standard includes matching at least three data points you provide with data points we maintain, which we have determined to be reliable for the purpose of verifying you, and may include obtaining a signed declaration from you, under penalty of perjury, that you are the individual whose personal information is the subject of the request.

If we cannot verify you in respect of certain requests, such as if you do not provide the requested information, we will still take certain action as required by certain U.S. Privacy Laws. For example, if you are a California resident:

  • If we cannot verify your deletion request, we will refer you to this Notice for a general description of our data practices.
  • If we cannot verify your specific pieces request, we will treat it as a categories request.

 

AUTHORIZING AN AGENT

You may designate an authorized agent to submit a request on your behalf by submitting a request in the manner described above. If you are an authorized agent who would like to make a request, the U.S. Privacy Laws requires that we ensure that a request made by an agent is a Verified Consumer Request, as applicable, and allows us to request further information to ensure that the Consumer has authorized the agent to make the request on their behalf. Generally, we will request that an agent provide proof that the Consumer gave the agent signed permission to submit the request, and, as permitted under the U.S. Privacy Laws, we also may require the Consumer to either verify their own identity or directly confirm with us that they provided the agent permission to submit the request.

Response Timing and Format

We will endeavor to respond to a verifiable consumer request within forty-five (45) days of receipt. If we are unable to process your request in such time, we will inform you of the delay in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically. Any disclosures we provide will only cover the 12-month period preceding the receipt of your verifiable consumer request’s receipt, unless U.S. Privacy Laws require disclosures to cover a greater period. If we are unable to comply with all or a portion of your request, we will explain the reasons we cannot comply.

We reserve the right to charge a fee to process or respond to your verifiable consumer request if we determine that such request is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

 

YOUR CONSUMER PRIVACY RIGHTS
RIGHT TO LIMIT SENSITIVE PERSONAL INFORMATION PROCESSING

Certain personal information qualifies as sensitive data or sensitive personal information under the U.S. Privacy Laws, which we refer to in this Notice as “sensitive personal information”. You may, depending on your state of residency, have the right to direct us to limit our use and disclosure of sensitive personal information if we use or disclose it beyond certain internal business purposes. Where applicable, we will treat such request as a partial revocation of any consent that you may have provided to your processing of sensitive personal information.

RIGHT TO KNOW/ACCESS

You have the right to request that we provide you certain information to you about our collection, use and disclosure of your personal information related to categories of personal information. You can request that we confirm whether we are processing your personal information, and disclose to you:

  • the categories of personal information we collected about you;
  • the categories of sources for the personal information;
  • our business or commercial purpose for collecting or selling that personal information;
  • a list of the categories of personal information disclosed for a business purpose in the prior 12 months and, for each category of personal information, the categories of recipients; and
  • a list of the categories of personal information sold or shared about you in the prior 12 months and, for each, the categories of recipients.

You also have the right to request a transportable copy of the specific personal information we collected about you. Please note that personal information is retained by us for various time periods, so there may be certain information that we have collected about you that we have not retained (and thus, it would not be able to be included in our response to you). Based on your state of residence, we may apply a limit on the number of “right to know” requests you make over a particular time period, as permitted under U.S. Privacy Laws.

RIGHT TO DELETE

You have the right to request that we delete any of your personal information that we have collected and retained, subject to certain exceptions which we will explain if they apply. After your deletion request is determined to be a Verified Consumer Request, and subject to permitted retention exceptions, we will carry out one or more of the following: (i) permanently erase your personal information on our existing systems with the exception of archived or back-up systems, (ii) deidentify your personal information, or (iii) aggregate your personal information with other information. In our response to your request to delete, we will tell you the method for deleting your personal information. Where legal exceptions will apply to your request for deletion, we will tell you which one(s) and will limit retention to the permitted purpose(s). Note that in California and Utah, the right to delete only applies to personal information that we have collected directly from you.

RIGHT TO CORRECT

You have the right to request that we correct inaccuracies that you find in your personal information that we maintain. Your request to correct is subject to our verification process (discussed above) and the response standards in the applicable U.S. Privacy Laws.

RIGHT TO OPT OUT OF SALES/SHARING/TARGETED ADVERTISING

Under the various U.S. Privacy Laws, Consumers have the right to opt-out of certain processing activities. Certain states have opt-out rights specific to targeted advertising activities – which California’s law refers to as “cross-context behavioral advertising”, and others simply as “targeted advertising” – which involve the use of personal information from different businesses or services to target advertisements to you. California provides Consumers the right to opt-out of “sharing,” which includes providing or making available personal information to third parties for such targeted advertising activities, while other states provide Consumers the right to opt-out from processing personal information for targeted advertising more broadly. There are broad and differing concepts of the “sale” of personal information under the various U.S. State Privacy Laws, all of which at a minimum require providing or otherwise making available personal information to a third party.

Third-Party Digital Businesses, including social media platforms, analytics companies, data brokers, third-party advertisers, and Third-Party Digital Businesses may associate cookies, web beacons (also known as pixel tags) and other similar technology (“Tracking Technologies”) on our Sites that collect personal information when you use or access the Sites, or otherwise collect and process personal information that we make available about you, including digital activity information. Giving access to personal information on our Sites, or otherwise, to Third-Party Digital Businesses could be deemed a sale or sharing and could implicate targeted advertising under some state laws. Therefore, we will treat such personal information collected by Third-Party Digital Businesses (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) as such, and subject to the opt-out requests described above. In some instances, the personal information we make available about you is collected directly by such Third-Party Digital Businesses using Tracking Technologies on our Sites or our advertisements that are served on third-party sites (which we refer to as “Cookie PI”). However, certain personal information which we make available to Third Party Digital Businesses is information that we have previously collected directly from you or otherwise about you, such as your email address (which we refer to below as “Non-cookie PI”). For information regarding other categories of third parties to which we may sell or share your personal information, see the table above in the “Collection, Use and Disclosure of Personal Information” section above.

When you opt-out pursuant to the instructions below, it will have the effect of opting you out of sales, sharing, and targeted advertising, for the applicable state that you are submitting the request for. Instructions for opting out are below.

Please note that there are distinct instructions for opting out of Cookie PI and Non-cookie PI, which we explain further below.

Opting out: Please see “Making a Privacy Request” above to learn how to submit a request to opt-out of our processing of Non-cookie PI (e.g., your email address) for target advertising or to opt out of the sale or sharing of such data. If you would like to submit a request to opt-out of our processing of your cookie-related PI for targeted advertising or opt-out of the sale/sharing of such PI, you can exercise an opt-out request by visiting here. You must exercise your preferences on each of our websites you visit, from each browser you use, and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective, and you will need to enable them again via our consent management platform.

 

Global Privacy Control (“GPC”):

Certain U.S. Privacy Laws require businesses to process GPC signals, which are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicate the individual’s choice to opt-out of the sale and sharing of personal information. To use the GPC, download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the GPC. We have configured the settings of our consent management platform to receive and process GPC signals on our website, which is explained by our consent management platform here. We process the GPC with respect to sales and sharing that may occur in the context of collection of Cookie PI by Third-Party Digital Businesses using Tracking Technologies, discussed above, and apply it to the specific browser on which you enable the GPC. We currently do not, due to technical limitations, process the GPC for opt-outs of sales and sharing in other contexts (e.g., Non-cookie PI). We do not: charge a fee for use of our Services because you have enabled the GPC; change your experience with any product or Service if you use the GPC; or display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to the GPC.

 

Your Additional Cookie Choices

Third-Party Digital Businesses may use cookies and other Tracking Technologies to recognize your device and/or to collect and record information about your visits to the Sites, so that they can facilitate feature functionality, measure the effectiveness of ads, track page usage and paths followed during visits, and provide interest-based advertisements to you. These companies may provide this data to us. If you would like more information about this practice and to know your choices about certain kinds of online interest-based advertising, please visit National Advertising Initiative Consumer Opt Out, Digital Advertising Alliance Your AdChoices, or AdChoices for your mobile device We do not provide any assurances that these third-party tools, programs or statements are complete or accurate.

 

USE OF PERSONAL INFORMATION FOR PROFILING

We do not believe we use personal information that is subject to U.S. Privacy Laws to carry out “profiling” in furtherance of “decisions that produce legal or similarly significant effects,” as those terms are defined by U.S. Privacy Laws. If we change our practices, we will change this policy and provide you with the right to opt-out of such activities as required by the applicable U.S. Privacy Laws, subject to any applicable exceptions.

APPEAL RIGHTS

Residents of Colorado, Connecticut and Virginia have the right to appeal a decision regarding a privacy request. You can exercise this right by responding to the email we send containing our response to your request and following the instructions in such email.

RIGHT TO NON-DISCRIMINATION

You have the right not to receive discriminatory treatment, in a manner prohibited by U.S. Privacy laws, for the exercise of your privacy rights.

Notice of Financial Incentive

We offer programs, benefits, and other offerings to consumers that involve our collection and use of Personal information that might be deemed a “financial incentive” or “price service difference” under U.S. Privacy Laws. These offerings may involve the collection of the following categories of Personal information from consumers like you that participate: identifiers; personal records; personal characteristics or traits; transaction/commercial information; and internet usage information. We are providing you this information so that you may make an informed decision on whether to participate in our programs. Examples of the programs that we offer include:

Sweepstakes, Promotions and Contests. From time-to-time, we also may offer you incentives such as sweepstakes, promotions and contests. In exchange for your participation in these programs, you may be offered a financial incentive, such as an opportunity to win prizes. As part of these limited-time programs, we may collect and use your personal information, such as identifiers; personal records; personal characteristics or traits; transaction/commercial information; and internet usage information. Participation in any such sweepstakes, promotions and contests are governed by our Privacy Policy, our Terms of Use, and any specific terms and conditions that apply to any such sweepstakes, promotions and contests. You may cancel or terminate your participation in these programs by following the instructions in the email or applicable rules governing the sweepstakes, promotions and contests, or by emailing us at: help@127.0.0.1.

Email/Text Message Alert Programs. We may offer consumers the opportunity to sign up to receive marking-related emails and text message notifications related to the Services. As part of these programs, you may receive a financial incentive from us, such as, special promotional offers or discounts regarding third-party products or services. In exchange for your participation in these programs, we may collect your personal information, such as your mobile phone number, name, and email address. No purchase is required to sign up for a free newsletter from us, although standard text messaging rates and fees (as determined by your cellular network provider) may apply. Participation in these programs is governed by our Privacy Policy, our Terms of Use, and any additional terms and conditions provided to you before you sign up to participate in the program. You may cancel or terminate your participation in these programs by following the instructions in the email or text message notifications that you receive from us.

D. OTHER CALIFORNIA NOTICES

Although our Services are intended for an audience over the age of majority, any California residents under the age of eighteen (18) who have registered to use our Services, and posted content on the Sites, can request removal by contacting us, detailing where the content is posted and attesting you posted it. We will then make reasonably good faith efforts to remove the post from prospective public view or anonymize it, so the minor cannot be individually identified to the extent required by applicable law. This removal process cannot ensure complete or comprehensive removal. For instance, third parties may have republished or archived content by search engines we do not control.

We may disclose “personal information,” as defined by California’s “Shine the Light” law, to third parties for such third parties own direct marketing purposes. California residents may opt-out of this sharing by contacting us at privacy@salliemae.com. You must put the statement “Shine the Light Request” in the body of your correspondence. In your request, please attest to the fact that you are a California resident and provide a current California address for your response. This right is different than, and in addition to, rights under U.S. Privacy Laws, and must be requested separately. However, a Do Not Sell/Share/Target opt-out is broader and will limit our disclosing to third parties for their own direct marketing purposes without the need for making a separate Shine the Light request. We will not accept Shine the Light requests by telephone or by fax and are not responsible for requests not labeled or sent properly, or that are incomplete.

 

E. CONTACT US

If you have any questions about our Privacy Policy, this Notice or practices described in it, you may contact us at:

  • Customer Privacy
  • SLM Education Services, LLC
  • P.O. Box 3010
  • Wilmington, DE 19804-4319
  • 833-556-6367
  • info@127.0.0.1

 

F. UPDATES

This Privacy Notice is current as of the Effective Date set forth above. We may change this Privacy Notice from time to time, so please be sure to check back periodically. Occasionally, we may update this Privacy Notice to allow us to accommodate new technologies, industry practices, legal, regulatory or operational requirements or for other purposes.

If we do, we will change the “last updated” date at the top of the Privacy Notice and the revised policy will be posted to this page so that you are aware of the information we collect, how we use it, and under what circumstances we may disclose it. Under certain circumstances (for example with certain material changes or where it is required by applicable privacy laws) we will provide notice to you of these changes and, where required by applicable law, we will obtain your consent. Notice may be by email to you, by posting a notice of such changes on our Services or Sites, or by other means consistent with applicable law. Your continued use of the Services or Sites after any such updates take effect will constitute acknowledgement and (as applicable) acceptance of those changes.