Legal Document
Privacy Policy
Contents
- Introduction
- Data Controller
- Scope
- Information We Collect
- How We Use Data
- Legal Basis (GDPR)
- FERPA — Student Records
- Directory Information
- Data Sharing
- Cookies
- Data Retention
- Security
- GDPR Rights
- CCPA/CPRA Rights
- TDPSA Rights (Texas)
- Global Privacy Rights
- Children’s Privacy
- International Transfers
- Third-Party Links
- Changes
- Contact & Privacy Inquiries
Section 01
Introduction
This Privacy Policy (“Policy”) describes how North American University (“NAU,” “University,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you visit www.na.edu (the “Site”), apply for admission, enroll as a student, work or study at NAU, receive services from us, or otherwise interact with the University.
By using the Site or providing us with your personal information, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Site or provide information to us.
This Policy should be read together with NAU’s FERPA Notification, Consumer Information Disclosures, Title IX Policy, and Acceptable Use Policy, each available at www.na.edu/about-nau/nau-policies/.
Section 02
Who We Are (Data Controller)
For purposes of applicable data protection laws (including the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and the Texas Data Privacy and Security Act (“TDPSA”)), the data controller is:
North American University
11929 W Airport Boulevard
Houston, Texas 77477, United States
Phone: (832) 230-5555
Email: records@na.edu
Institution type: Private non-profit institution of higher education
Accreditation: Accrediting Commission of Career Schools and Colleges (ACCSC), recognized by the U.S. Department of Education
Section 03
Scope of This Policy
This Policy applies to personal information collected:
- Through the Site and its subdomains
- Through online admissions applications, student portals, learning management systems, and email
- In connection with on-campus services, events, housing, library, financial aid, and student activities
- From third parties (e.g., the Common App, education agents, recommenders, employers, test administrators)
Some academic or administrative activities are also subject to specific notices (e.g., FERPA Notification, HIPAA Notice of Privacy Practices for Student Health Services where applicable, and employee-specific notices). Where a specific notice conflicts with this Policy, the specific notice governs for that activity.
Section 04
Information We Collect
4.1 Information You Provide
| Category | Example Data Elements | Purpose |
|---|---|---|
| Identifiers | Full name, date of birth, NAU ID, Social Security Number (only where legally required, e.g., tax/financial aid), passport/visa data (for international students), photograph | Identity verification, enrollment, immigration compliance (SEVIS/I-20) |
| Contact Data | Home, mailing, and campus address, personal and NAU email, phone numbers, emergency contacts | Communications, emergency notifications |
| Application & Admissions Data | Transcripts, test scores (SAT/ACT/TOEFL/IELTS/GRE), essays, recommendations, prior institutions, citizenship/residency status | Admissions evaluation, transfer credit, placement |
| Academic Records | Enrollment, courses, grades, GPA, degree progress, academic advising notes, disciplinary records | Education delivery and recordkeeping (FERPA-protected) |
| Financial Data | Tuition payments, billing address, last 4 digits of payment card, bank information for refunds, FAFSA data, scholarship and loan records | Billing, financial aid, tax reporting (1098-T) |
| Employment Data | Employment application, I-9, W-4, payroll and benefits data (for faculty/staff/student workers) | HR, payroll, tax compliance |
| Health & Accommodations Data | Disability documentation, immunization records, health clearances, counseling intake (where applicable) | ADA/Section 504 accommodations, public health compliance |
| Communications | Emails, support tickets, forms, recorded class sessions (per NAU’s Recording of Class Sessions Policy) | Academic delivery, support, institutional records |
4.2 Information Collected Automatically
When you use the Site, we and our service providers automatically collect:
- Device & log data: IP address, browser type and version, operating system, device identifiers, referring/exit pages, clickstream, and session timestamps
- Usage data: Pages viewed, features used, search queries on the Site, and interaction events
- Cookies and similar technologies: Session cookies, authentication tokens, analytics identifiers, and preference cookies (see Section 10)
4.3 Information From Third Parties
We may receive information about you from:
- Third-party application services (e.g., Common App, CollegeNET)
- Testing agencies (ETS, College Board, ACT, Duolingo English Test)
- Prior and transfer institutions (transcripts, verification)
- Sponsors, government agencies, and scholarship providers
- Education agents and recruitment partners (for international applicants)
- Employers or references (for admissions/employment)
- Public records and publicly available sources (where permitted by law)
4.4 Sensitive Personal Information
Where permitted by law, we may collect sensitive personal information (e.g., Social Security Number, immigration status, race/ethnicity for IPEDS reporting, health and disability information, religious affiliation only where voluntarily provided for an identified purpose). We process sensitive data only for the specific purpose disclosed at collection, and we apply enhanced safeguards.
4.5 What We Do Not Collect
We do not knowingly collect biometric identifiers beyond what is required for campus access control (if any), and we do not purchase or acquire data from data brokers for marketing purposes. We do not use your personal information to train third-party generative AI models.
Section 05
How We Use Your Information
We use personal information to:
- Provide educational services — admissions review, enrollment, registration, academic advising, instruction, grading, transcript issuance, and degree conferral
- Administer student life — housing, library, student organizations, athletics, campus events, ID cards, and alumni relations
- Process financial transactions — tuition billing, financial aid, scholarships, refunds, payroll, and vendor payments
- Communicate with you — academic, administrative, emergency, and (with consent where required) marketing or alumni communications
- Comply with law — FERPA, Title IV, Title IX, Clery Act, IPEDS, SEVIS/DHS reporting, IRS 1098-T, state authorization reporting, ADA, and other applicable federal, state, and international laws
- Protect the University community — campus safety, emergency notifications (e.g., Missing Student Notification Policy), fraud prevention, IT security, and investigation of suspected policy violations
- Improve our services — analytics on Site usage, program outcomes, student success research, and institutional effectiveness (conducted in de-identified or aggregate form where feasible)
- Conduct institutional research and accreditation reporting — ACCSC, THECB, U.S. Department of Education, and other regulators
- Recruit and enroll prospective students — respond to inquiries, send program information, and invite you to events
We do not sell your personal information, and we do not share it with third parties for their own marketing purposes.
Section 06
Legal Basis for Processing (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Admissions review and enrollment | Contract performance — steps prior to entering a contract (Art. 6(1)(b) GDPR) |
| Delivery of education and administration of student records | Contract performance (Art. 6(1)(b)) |
| Tuition billing, financial aid, payroll | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
| FERPA/Title IV/Clery/SEVIS/IRS reporting | Legal obligation (Art. 6(1)(c)) |
| Analytics, institutional research, service improvement | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails and event invitations | Consent (Art. 6(1)(a)) — opt-in where required |
| Campus safety, fraud prevention, IT security | Legitimate interests (Art. 6(1)(f)) |
| Processing of sensitive data (health, immigration, ethnicity) | Explicit consent (Art. 9(2)(a)), substantial public interest (Art. 9(2)(g)), or other Art. 9 basis as applicable |
Section 07
FERPA — Student Education Records
The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, and its implementing regulations (34 C.F.R. Part 99) protect the privacy of student education records. Once a student is enrolled at NAU (regardless of age), FERPA rights transfer to the student (“eligible student”).
7.1 Your FERPA Rights
As an eligible student, you have the right to:
- Inspect and review your education records within 45 days of a written request to the Registrar
- Request amendment of records believed to be inaccurate or misleading
- Consent to disclosures of personally identifiable information (PII) from your education records, except where FERPA permits disclosure without consent
- File a complaint with the U.S. Department of Education, Student Privacy Policy Office, 400 Maryland Avenue SW, Washington, DC 20202, regarding alleged failures to comply with FERPA
7.2 Disclosures Permitted Without Consent
Consistent with 34 C.F.R. § 99.31, NAU may disclose education records without consent to:
- School officials (including University employees, contractors, consultants, volunteers, or other parties to whom the University has outsourced institutional services) with a legitimate educational interest
- Officials of another school where the student seeks or intends to enroll
- Authorized federal, state, and local authorities for audit, evaluation, or enforcement of federal- or state-supported education programs
- Parties in connection with financial aid
- Organizations conducting studies for, or on behalf of, the University
- Accrediting organizations (e.g., ACCSC)
- Parents of a dependent student as defined by the IRS
- Parties in compliance with a judicial order or lawfully issued subpoena (with reasonable effort to notify the student in advance where permitted)
- Appropriate parties in a health or safety emergency involving imminent danger to the student or others
- Parties, as needed to comply with SEVIS and immigration reporting obligations for international students
The full FERPA Notification is available at: www.na.edu/documents/about/FERPA Notification.pdf
Section 08
Directory Information
Under FERPA, NAU may disclose the following categories of directory information without a student’s prior written consent:
- Name
- Address (campus and permanent)
- NAU email address
- Telephone number
- Date and place of birth
- Photograph
- Major field of study
- Dates of attendance and enrollment status (full-time/part-time)
- Degrees, honors, and awards received
- Most recent previous educational institution attended
- Participation in officially recognized activities and sports
- Weight and height of members of athletic teams
Your Right to Opt Out
A student may request that NAU withhold directory information by submitting a written request to the Registrar’s Office (registrar@na.edu) within the timeframe published each academic year. An opt-out remains in effect until revoked in writing by the student. Note that an opt-out may limit NAU’s ability to confirm degrees or enrollment to future employers or other third parties.
Section 09
How We Share Information
We share personal information only as described below, and only with parties that are subject to confidentiality obligations and appropriate data protection terms:
| Recipient Category | Purpose |
|---|---|
| Service providers (hosting, learning management, student information system, payment processors, email delivery, analytics, telephony, background check providers) | Operate the Site and University systems |
| Payment processors (e.g., Stripe, Flywire, TouchNet) | Tuition and fee processing (PCI-DSS compliant; we do not store full card numbers or CVV) |
| Federal and state agencies | Title IV, SEVIS/DHS, IRS, IPEDS, THECB, U.S. Department of Education |
| Accrediting and licensing bodies | ACCSC, program-specific accreditors, licensing boards |
| Other educational institutions | Transcript verification, transfer of records at student request |
| Sponsors and funding entities | Where a sponsor is paying your tuition or providing a scholarship |
| Professional advisors | Auditors, attorneys, insurers under duty of confidentiality |
| Law enforcement and government authorities | When required by subpoena, court order, or to protect life and safety |
| Successors in interest | In the unlikely event of a merger, acquisition, or asset transfer (with notice where required by law) |
We do not sell personal information, and we do not “share” it for cross-context behavioral advertising as defined by the CCPA/CPRA.
Section 10
Cookies & Online Tracking
The Site uses cookies and similar technologies, including:
- Strictly necessary cookies — required for authentication, session management, and security
- Functional cookies — remember preferences and language
- Analytics cookies — Google Analytics and similar tools to understand aggregate Site usage
- Marketing cookies — limited use for NAU admissions campaigns; set only where permitted by your consent
You can manage cookies through our consent banner (where presented) and your browser settings. Blocking strictly necessary cookies may impair Site functionality. NAU honors Global Privacy Control (GPC) signals as a valid opt-out of “sale” or “sharing” for users in jurisdictions that recognize GPC.
Section 11
Data Retention
We retain personal information only for as long as necessary for the purposes described in this Policy, to comply with legal, accounting, audit, and accreditation obligations, or to resolve disputes.
| Data Category | Retention Period |
|---|---|
| Admissions records of enrolled students | Permanent (as part of the student record) |
| Admissions records of non-enrolled applicants | 3 years from decision |
| Academic transcripts and degree records | Permanent |
| Financial aid records | Minimum 3 years after the end of the award year (34 C.F.R. § 668.24) |
| Tuition and billing records | 7 years (tax and audit) |
| Employment and payroll records | As required by federal and Texas labor law (typically 4–7 years; some permanent) |
| Health and accommodations records | As required by ADA, HIPAA (where applicable), and Texas law |
| SEVIS/international student records | Per DHS/ICE requirements |
| Website usage and analytics logs | 26 months (rolling) |
| Support communications | 3 years from last interaction |
| Marketing consent records | 5 years from consent or withdrawal |
| Security camera footage | 30–90 days unless retained for an investigation |
When retention periods expire and no legal obligation requires continued retention, records are securely deleted, destroyed, or anonymized.
Section 12
Information Security
NAU implements administrative, technical, and physical safeguards designed to protect personal information, including:
- TLS/HTTPS encryption for data in transit
- Encrypted storage of credentials (salted hash; we do not store plain-text passwords)
- Role-based access controls and least-privilege principles
- Multi-factor authentication for University systems
- Network segmentation, firewalls, and endpoint protection
- Security awareness training for faculty and staff
- Vendor due diligence and contractual data protection terms
- Compliance with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule for financial aid information
- Incident response and breach notification procedures consistent with the Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code § 521) and FERPA
No system is 100% secure. If you believe your account has been compromised or you have discovered a vulnerability, contact it@na.edu (or records@na.edu) immediately.
Breach Notification
In the event of a data breach affecting your rights, NAU will notify affected individuals and the applicable supervisory authorities within the timeframes required by law (including 60 days under Texas law, 72 hours to authorities under GDPR where applicable, and notice to the U.S. Department of Education where federal data is involved).
Section 13
Your Rights Under GDPR (EEA/UK/Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
| Right | What It Means |
|---|---|
| Access | Obtain a copy of personal data we hold about you |
| Rectification | Correct inaccurate or incomplete data |
| Erasure | Request deletion (“right to be forgotten”), subject to legal retention requirements |
| Restriction | Limit processing while a dispute is resolved |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests or for direct marketing |
| Withdraw consent | Withdraw consent at any time without affecting prior lawful processing |
| Lodge a complaint | Complain to your local supervisory authority |
To exercise these rights, email records@na.edu with the subject line “GDPR Request.” We will respond within 30 days (extendable by 60 days for complex requests, with notice).
Section 14
Your Rights Under CCPA/CPRA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”):
- Right to Know what personal information we collect, use, disclose, and (if applicable) sell or share
- Right to Delete personal information we collect about you
- Right to Correct inaccurate personal information
- Right to Opt Out of the “sale” or “sharing” of personal information — NAU does not sell or share personal information
- Right to Limit the use of sensitive personal information
- Right to Non-Discrimination for exercising your CCPA rights
Categories Collected in the Past 12 Months
Identifiers; education information; commercial information (tuition transactions); internet/network activity; geolocation (approximate, via IP); sensory data (photos, recorded class sessions where applicable); professional/employment information (for employees and applicants); inferences drawn from the foregoing; and sensitive personal information (SSN where legally required, precise account credentials, health information where voluntarily provided for accommodations).
To submit a California request, email records@na.edu with the subject line “California Privacy Request.” You may designate an authorized agent in writing. We will verify your identity before responding.
Shine the Light
California residents may request information about disclosures of personal information to third parties for those parties’ direct marketing purposes. NAU does not make such disclosures.
Section 15
Your Rights Under TDPSA (Texas)
As a Texas-based institution, NAU complies with the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code ch. 541). Where the TDPSA applies to you as a Texas consumer, you have the right to:
- Confirm whether NAU is processing your personal data and access that data
- Correct inaccuracies
- Delete personal data
- Obtain a portable copy
- Opt out of targeted advertising, sale of personal data, and certain profiling — NAU does not engage in the sale of personal data or targeted advertising
Texas residents may submit requests to records@na.edu with the subject line “Texas Privacy Request.” If we deny a request, you may appeal by replying within 45 days. If the appeal is denied, you may contact the Texas Attorney General at texasattorneygeneral.gov/consumer-protection.
Sensitive data is processed only with your consent where required by the TDPSA.
Section 16
Global Privacy Rights
NAU serves students and applicants from around the world. We recognize and respect privacy rights under the following jurisdictions:
| Jurisdiction | Law | Key Rights Recognized |
|---|---|---|
| 🇧🇷 Brazil | LGPD | Access, correction, anonymization, portability, deletion, opt-out of sharing, information on third parties |
| 🇨🇦 Canada | PIPEDA / Quebec Law 25 | Access, correction, withdrawal of consent, knowledge of data held and purpose |
| 🇦🇺 Australia | Privacy Act 1988 (APPs) | Access and correction of personal information |
| 🇸🇬 Singapore | PDPA (as amended 2021) | Access, correction, withdrawal of consent, portability |
| 🇹🇭 Thailand | PDPA | Access, correction, erasure, objection, withdrawal of consent |
| 🇯🇵 Japan | APPI | Disclosure, correction, deletion, cessation of use |
| 🇰🇷 South Korea | PIPA | Access, correction, deletion, suspension of processing, portability |
| 🇹🇷 Türkiye | KVKK | Access, correction, deletion, objection to automated decisions |
To exercise these rights, email records@na.edu with your full name, jurisdiction, and the specific right you wish to exercise. We will respond within the timeframe required by the applicable law (generally 30 days).
Section 17
Children’s Privacy
The Site and NAU’s programs are directed to prospective and current university-level students, generally 18 years of age or older. We do not knowingly collect personal information from children under 13 in a manner that would require compliance with the Children’s Online Privacy Protection Act (COPPA) without verifiable parental consent.
For applicants or dual-credit/early-college students under 18, we collect only information necessary for the program, with parental or guardian consent where required. If you believe a child has provided personal information to us in violation of this Policy, please contact records@na.edu and we will promptly delete it.
Section 18
International Data Transfers
NAU is located in the United States. If you access the Site or apply to NAU from outside the U.S., your personal information will be transferred to and processed in the United States, which may have different (and, in some cases, less protective) data protection laws than your country.
Safeguards we apply:
- EEA/UK/Switzerland: EU Standard Contractual Clauses (SCCs) under European Commission Decision 2021/914, and UK International Data Transfer Addendum where applicable, with our processors
- Brazil (LGPD): Contractual clauses, consent, or adequacy where applicable
- Canada (PIPEDA): Contractual protections ensuring comparable protection
- All other countries: Contractual clauses, your consent, or other legally recognized mechanisms
By submitting your information to NAU, you consent to such transfers to the extent consent is a valid legal basis in your jurisdiction.
Section 19
Third-Party Links
The Site may contain links to third-party websites, services, and resources (e.g., payment portals, learning platforms, library databases). We are not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party site you visit.
Section 20
Changes to This Policy
We may update this Policy from time to time. Material changes will be announced by posting the updated Policy on the Site and, where appropriate, by email to enrolled students and employees at least 14 days before the changes take effect. The “Effective date” above indicates the most recent version. Your continued use of the Site or NAU’s services after the effective date constitutes acceptance of the updated Policy.
Section 21
Contact & Privacy Inquiries
North American University — Office of the Registrar / Records Office
11929 W Airport Blvd
Houston, Texas 77477, USA
| Purpose | Contact |
|---|---|
| General privacy and records inquiries | records@na.edu · (832) 230-5555 |
| Registrar (FERPA, transcripts, directory opt-out) | registrar@na.edu · (832) 230-5188 |
| Title IV / financial aid privacy | titleivcompliance@na.edu |
| Academic Affairs | academicaffairs@na.edu · (832) 230-5545 |
| Title IX & non-discrimination | See www.na.edu/about-nau/title-ix/ |
Response time: We aim to acknowledge privacy requests within 5 business days and respond fully within 30 days (or within the timeframe required by your applicable law).
If you are not satisfied with our response, you may also contact:
- U.S. Department of Education, Student Privacy Policy Office — for FERPA complaints (400 Maryland Avenue SW, Washington, DC 20202)
- Texas Attorney General, Consumer Protection Division — for TDPSA concerns
- Your local data protection supervisory authority — for GDPR/UK GDPR concerns