Digital Privacy Statement

This Digital Privacy Statement is promulgated pursuant to the governing authority of AUS, including:

(a) The University’s constitutional and governance instruments, including its Charter, Bylaws, and any formally adopted governing resolutions or foundational authorities;

(b) The delegated authority of the Governing Board, as exercised directly or through duly authorized executive officers of the University;

(c) The Institutional Policy Framework, which establishes the formal architecture for governance, regulatory compliance, and policy promulgation across all academic, administrative, operational, digital, and international domains;

(d) Formally adopted governance directives issued pursuant to the Institutional Policy Framework, to the extent such directives inform institutional standards of precision, enforceability, structural coherence, and long-term regulatory sustainability; and

(e) Applicable federal, state, and international laws and regulations governing data protection, privacy, information security, educational records, digital communications, and institutional compliance obligations.

This Digital Privacy Statement is issued as an authorized institutional instrument within the University’s formal governance hierarchy and shall be interpreted consistently with the sources of authority identified herein.

Nothing in this Digital Privacy Statement shall be construed to supersede, modify, or diminish the force of any applicable federal, state, local, or international law or regulation.

In the event of any conflict between this Digital Privacy Statement and mandatory governing law, such law shall control to the extent of the conflict, and all remaining provisions of this Statement shall remain in full force and effect.

This Digital Privacy Statement is a formally adopted Policy Statement of The American University of Science (“AUS” or “the University”). It provides a public-facing disclosure of AUS standards and practices concerning the collection, processing, retention, use, and safeguarding of information in connection with AUS-operated websites, digital platforms, and related electronic systems.

This instrument is declarative and transparency-oriented. It states the University’s institutional position and disclosure commitments for digital environments and is intended to provide clear notice to individuals interacting with covered platforms. It does not, by itself, establish investigative procedures, disciplinary processes, grievance mechanisms, or adjudicatory standards, which—where applicable—are governed by separate, formally adopted institutional policies and procedures.

This Policy Statement applies to the digital data collection and processing activities described herein and does not constitute a comprehensive privacy code governing all categories of University-held information.

This Digital Privacy Statement is a Policy Statement issued as an institutional disclosure and statement of position. It is not intended to create private contractual rights or guaranteed outcomes beyond those required by applicable law.

Nothing in this Policy Statement shall be construed to modify, amend, supersede, or incorporate by reference any of the following instruments unless expressly stated in a written instrument approved through the University’s formal governance process:

(a) Enrollment agreements;

(b) Employment contracts or appointment letters;

(c) Collective bargaining agreements; or

(d) The Student Privacy and Digital Information Protection Policy and its associated procedural manuals.

This Policy Statement shall be interpreted consistently with its disclosure purpose, the University’s governance framework, and applicable law.

AUS formally declares that the University collects, processes, retains, and safeguards personal information in furtherance of its academic mission, regulatory obligations, operational integrity, and institutional governance responsibilities.

Such processing is undertaken for legitimate institutional purposes, including but not limited to the administration of academic programs, institutional operations, compliance obligations, and security functions, and shall occur in accordance with applicable law and formally adopted institutional policies and governance instruments.

This Digital Privacy Statement is adopted to:

(a) Provide clear and structured transparency regarding the University’s data collection, processing, retention, and safeguarding practices;

(b) Distinguish information collected from website visitors and digital platform users from student education records governed by separate institutional and statutory frameworks;

(c) Clarify the lawful bases upon which personal information is processed; and

(d) Align public-facing disclosures with the University’s formal governance architecture, regulatory obligations, and institutional policy framework.

This Section provides interpretive context and does not expand institutional duties beyond those expressly established by applicable law or formally adopted policy.

This Digital Privacy Statement applies to the following individuals and categories of users to the extent they interact with platforms identified in Section 4.02:

(a) Website visitors accessing publicly available University web properties;

(b) Prospective students and applicants engaging with admissions or inquiry systems;

(c) Alumni interacting with University-operated digital services;

(d) Donors and contributors utilizing institutional giving platforms; and

(e) Other digital service users accessing or utilizing University-operated online portals, communication systems, or analytics-supported interfaces.

This Section defines the categories of individuals whose information may be collected through the platforms governed by this Statement.

This Digital Privacy Statement applies to information collected through the following platforms operated by or on behalf of the University:

(i) The official AUS website and its associated domains;

(ii) All top-level institutional web pages and publicly accessible digital properties maintained under University authority;

(iii) University-operated digital platforms, including learning management systems, administrative systems, and official communication interfaces;

(iv) Online portals supporting admissions, enrollment, student services, alumni engagement, employment, and related institutional functions; and

(v) Institutionally authorized analytics, monitoring, and performance systems integrated into or supporting the foregoing platforms.

This list defines the operational reach of this Statement with respect to digital environments administered by the University.

This Digital Privacy Statement supplements, but does not replace, modify, or supersede the following governing instruments of the University:

(i) The Student Privacy and Digital Information Protection Policy and its associated appendices and procedural manuals;

(ii) The Distance Education Privacy Manual and related instructional governance directives;

(iii) Research data governance policies, including policies governing human subjects research, sponsored research compliance, and research data management; and

(iv) Employee data governance, personnel privacy, and information security policies applicable to faculty, staff, and administrators.

Where subject matter falls within the scope of any instrument listed above, such instrument shall control to the extent of its specific applicability.

This Digital Privacy Statement applies prospectively from its Effective Date and remains in force until amended or rescinded through formally documented institutional process.

Personal information collected under this Digital Privacy Statement may be processed by the University on one or more of the following lawful bases, as applicable:

(a) Legitimate institutional interests, including the administration of academic programs, operational management, security, compliance oversight, and institutional assessment;

(b) Contractual necessity, where processing is required to enter into, perform, or administer agreements with applicants, students, employees, vendors, or other authorized parties;

(c) Legal obligation, where processing is required to comply with applicable federal, state, local, or international laws and regulatory requirements; and

(d) Consent, where required by law or where the individual has voluntarily provided authorization for specific processing activities.

Individuals are under no statutory obligation to provide personal information to the University unless such information is required to complete a specific institutional process, fulfill a legal requirement, or perform a contractual obligation. Failure to provide required information may limit the University’s ability to process requests or provide certain services.

For purposes of applicable data protection law, including where relevant the General Data Protection Regulation (GDPR) or equivalent international frameworks, AUS acts as the data controller for the processing activities described in this Statement. The controller’s designated contact office and address are set forth in Section 9.05 of this Statement.

Personal information collected pursuant to this Digital Privacy Statement may be disclosed by the University where necessary and appropriate for legitimate institutional purposes, including the following circumstances:

(a) To authorized AUS personnel whose official duties require access to such information;

(b) To contracted service providers and vendors engaged to perform services on behalf of the University, subject to contractual restrictions governing confidentiality, data protection, and permissible use;

(c) To governmental authorities, regulatory bodies, accrediting agencies, or oversight entities, where disclosure is required or permitted by applicable law or institutional compliance obligations;

(d) Pursuant to lawful subpoena, court order, or other legally valid governmental request; and

(e) Where necessary to detect, prevent, investigate, or address fraud, security incidents, technical vulnerabilities, or threats to the safety, rights, or property of the University or others.

Where applicable under state consumer privacy laws, the University does not sell or share personal information as such terms are defined under applicable law for cross-context behavioral advertising purposes.

Disclosure under this Article shall be limited to what is reasonably necessary to achieve the lawful and legitimate purpose for which the disclosure is made.

Nothing in this Article shall be construed to restrict disclosures otherwise required or permitted by applicable law.

Behavioral Advertising and Tracking

AUS does not knowingly sell personal information and does not permit contracted service providers to use University-collected personal information for cross-context behavioral advertising except as permitted by applicable law and by written agreement.

The University cannot control interest-based advertising practices carried out independently by third-party providers on non-University platforms.

Where University-operated platforms incorporate third-party services that may support interest-based advertising, users may exercise advertising choice mechanisms through industry opt-out tools such as those provided by the Network Advertising Initiative (NAI) or similar organizations, where applicable. Where required by applicable law, the University will honor recognized opt-out preference signals, such as the Global Privacy Control, to the extent such signals are legally operative and technically feasible for the relevant platform.

Where individuals access University-operated platforms from outside the United States, personal information may be transferred to, stored in, and processed within the United States or other jurisdictions in which the University or its authorized service providers maintain operations.

Data protection laws in the United States may differ from those of the individual’s country of residence and may not provide the same level of statutory protection as certain international regimes.

Where required by applicable law, the University shall implement appropriate safeguards for cross-border data transfers, which may include contractual protections, institutional data protection controls, or other legally recognized transfer mechanisms consistent with governing regulatory frameworks.

AUS implements risk-assessed and proportionate safeguards designed to protect personal information from unauthorized access, disclosure, alteration, misuse, or destruction. Such safeguards include, but are not limited to:

(a) Administrative safeguards, including governance controls, policy enforcement mechanisms, workforce training, and access authorization protocols;

(b) Technical safeguards, including system hardening, network security controls, and data protection technologies;

(c) Physical safeguards, including facility access controls and environmental protections;

(d) Role-based access controls, limiting information access to authorized personnel with legitimate institutional need;

(e) Encryption and secure transmission technologies, where appropriate and operationally feasible; and

(f) Monitoring, logging, and audit controls, designed to detect and respond to unauthorized or anomalous activity.

Notwithstanding these measures, no method of transmission over the Internet or method of electronic storage can be guaranteed to be completely secure. The University cannot ensure or warrant absolute security but undertakes reasonable and proportionate efforts consistent with applicable law and institutional standards.

Nothing in this Section shall be construed as a representation or warranty of uninterrupted or error-free operation of digital systems.

Personal information collected pursuant to this Digital Privacy Statement shall be retained by the University only for as long as reasonably necessary to fulfill legitimate institutional purposes, including but not limited to:

(a) Operational necessity and administration of academic and administrative functions;

(b) Compliance with accreditation standards, regulatory obligations, and statutory recordkeeping requirements;

(c) Archival, historical, or research purposes consistent with institutional mission and applicable law; and

(d) Establishment, exercise, or defense of legal claims.

Retention periods are governed by formally adopted institutional records management and retention policies. Upon expiration of the applicable retention period, information shall be securely deleted, de-identified, or otherwise disposed of in accordance with institutional procedures and applicable law.

The University reserves the right to suspend routine destruction schedules where required for litigation holds, regulatory investigations, accreditation review, or other legally significant matters. Technical logs and security event records may be retained for a limited period as necessary for security monitoring, incident response, and compliance obligations, consistent with the University’s records retention schedule.

Where applicable under governing law, individuals whose personal information is processed by the University may have the right to:

(a) Request access to personal data held by the University;

(b) Request correction of inaccurate or incomplete information;

(c) Request deletion of personal data, subject to legal, regulatory, accreditation, archival, or contractual limitations;

(d) Request restriction of processing under certain circumstances;

(e) Object to specific categories of processing where legally permitted; and

(f) Withdraw consent for processing activities where consent constitutes the lawful basis for such processing.

The exercise of these rights may be subject to verification of identity and evaluation of applicable legal exceptions. The University reserves the right to retain information where retention is required or permitted by law, accreditation standards, or legitimate institutional interests. Where applicable under governing law, individuals may also have the right to lodge a complaint with a competent supervisory authority in their jurisdiction. The exercise of such rights shall not prejudice any other legal remedies available under applicable law.

Where applicable under governing law, requests shall be processed within the timeframes prescribed by such law, subject to permissible extensions.

Student education records maintained by the University are governed by the Family Educational Rights and Privacy Act (FERPA) and applicable implementing regulations.

Such records are further governed by the University’s Student Privacy and Digital Information Protection Policy and associated procedural instruments.

This Digital Privacy Statement does not modify, expand, limit, or reinterpret rights afforded under FERPA or institutional student privacy policy. Where education records are implicated, the governing statutory and institutional frameworks shall control.

University-operated websites and digital platforms may contain links to external websites or services not owned, operated, or controlled by AUS.

The University is not responsible for the privacy practices, security measures, content, or data handling procedures of such third-party websites. Individuals are encouraged to review the privacy statements and terms of use of any external site accessed through links provided on University platforms.

Inclusion of a link to an external site does not constitute endorsement, approval, or adoption of that site’s policies or practices by the University.

Children’s Information

University-operated public websites are not directed toward children under the age of 13. The University does not knowingly collect personal information from children under 13 through publicly accessible platforms except as permitted by applicable law.

Capitalized terms, if not defined in this Statement, shall have the meaning assigned in the Institutional Policy Framework and any formally adopted institutional glossary.

This Statement shall be interpreted to promote transparency, proportionality, data minimization, security-by-design, and compliance with applicable law, without expanding institutional obligations beyond those required by law or formally adopted policy.

Interpretive authority with respect to this Digital Privacy Statement rests exclusively with the University.

The University retains discretionary authority to interpret, clarify, and apply this Statement in a manner consistent with applicable law, governing instruments, and formally adopted institutional policies. Any such interpretation shall be exercised in good faith and within the bounds of institutional authority.

Implementation responsibility for the operational administration of this Statement, including oversight of website and platform privacy controls and intake of privacy-related inquiries, rests with the Department of Information Technology, in coordination with other units as required by law and institutional policy.

Where a matter is governed by a separately adopted institutional policy or procedure—including the Student Privacy and Digital Information Protection Policy, the Distance Education Privacy Manual, research data governance policies, and employee data governance instruments—such instrument controls to the extent of its specific applicability.

This Digital Privacy Statement forms part of the University’s governance architecture and shall be interpreted in accordance with the following order of precedence, where applicable:

(a) Applicable federal, state, local, and international law;

(b) The Institutional Charter and foundational governing instruments of the University;

(c) The Institutional Policy Framework;

(d) Formally adopted governance directives issued pursuant to the Institutional Policy Framework;

(e) The Student Privacy and Digital Information Protection Policy and its associated procedural instruments; and

(f) Other formally adopted governance instruments of the University.

In the event of any inconsistency, the higher-order authority shall control to the extent of the conflict.

This Statement shall be read and applied to harmonize with higher-order governing instruments and applicable law, and shall be construed to avoid conflict where reasonably possible.

This Digital Privacy Statement shall be reviewed at least annually, or more frequently as necessary, to ensure continued alignment with applicable law, accreditation requirements, technological developments, and institutional governance standards.

Amendment, modification, or rescission of this Digital Privacy Statement may occur only through formally documented institutional processes and with the approval of the appropriate governing authority as defined within the University’s governance framework.

Where material changes affect the substance of data processing practices, the University may provide notice through its official website or other appropriate communication channels.

If any provision of this Digital Privacy Statement is determined to be invalid, unlawful, or unenforceable by a court or competent authority, such determination shall not affect the validity or enforceability of the remaining provisions, which shall remain in full force and effect.

Actions taken under prior versions remain valid unless expressly invalidated.

Questions, concerns, or requests regarding this Digital Privacy Statement or the processing of personal information may be directed to the University through its designated contact office:

Department of Information Technology

The American University of Science

2155 Kalakaua Ave

Honolulu, HI 96815

United States

Email: IT@ausa.ac

Phone: +1 808-808-3379

Email is the preferred method of contact for privacy requests.

The University reserves the right to verify the identity of any individual submitting a request involving personal information and to require sufficient information to authenticate such request prior to response.