This Students’ and Program Applicants’ Privacy Notice (“Notice”) outlines and describes how personal data or information of students and program applicants is collected, managed, and processed by Emeritus. Emeritus is committed to handling the personal data of its students and program applicants with fairness and transparency, and in a lawful manner. This Notice covers the minimum controls and obligations that Emeritus is committed towards for ensuring that the personal data of our students and program applicants is collected, used, retained, and disclosed in a secure, lawful, transparent, and compliant manner.

This Notice applies to enrolled students or program applicants of the educational course/s offered by Emeritus (collectively “you”, “your”) and is designed to inform you of the personal data that we collect, our purposes of processing that data and your rights in connection with it.

This Notice applies to all our courses and educational services, including whenever we collect and process your personal data in that context for the purposes identified below. Please note however that there may be cases from time to time where we need to update this Notice, for example to reflect changing legal requirements or processing activities, and in the event, we make any material changes to this Notice then we will let you know.

This Notice does not apply to personal data belonging to other categories of individuals like our marketing leads, vendors, employees, job applicants, or clients engaged with or by Emeritus. See our Prospective Students’ Privacy Notice, and our Employees’, Consultants’ and Employment Candidates’ Privacy Notice and Emeritus Privacy Notices for more information.However, as more than one of the above notices may apply to you depending upon the context in which your personal data is collected and processed (e.g., an employee may also be a student), be sure to carefully read each applicable notice that we provide to you so that you are fully informed.

In some cases, local laws and regulations that apply to the processing of your personal data may be more restrictive than this Notice. Those more restrictive requirements will apply in that case. Emeritus will provide you with additional privacy notices or information where applicable law(s) so require.Residents of the Unites States (U.S.) should see our U.S. Privacy Notice which supplements this and our other privacy notices for them. In addition, this Notice may be supplemented from time to time with more specific privacy information or notices, for example when you use a particular Emeritus app or portal.

The personal data that we collect, and process may vary depending upon the course/program you select, the requirements of the university partner offering that course, and obligations arising under applicable laws. The personal data that we collect from you is stored within the electronic records/database stored on servers (including cloud servers) located in Singapore, Japan, U.S., India or in another country (including third countries that are not covered by an adequacy decision of the European Commission), as well as within physical records/database.

Emeritus collects the personal data only to the extent it requires it for a particular purpose(s), and it may collect the following types of personal data from you:

Emeritus does not handle your credit or debit card number for processing of payment. Such data is collected and processed by third-party payment gateway service providers on our behalf as per our agreements with them and any other rules and regulations applicable to them.

Sensitive personal data:

Sensitive personal data or special categories of personal data (“SPD”) are personal data which are particularly sensitive in nature and merit specific protection as the context of their processing could create greater risks to the fundamental rights and freedoms of the individuals. SPD, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. The examples of SPD may vary depending upon the context and the laws of the respective countries from where the SPD originates and may include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, sex life or sexual orientation, or data concerning health.

Emeritus does not require collecting or processing any sensitive personal data or special categories of personal data for delivering the course(s). If any SPD forms part of any national or government-issued ID that you have submitted with Emeritus, you are advised to inform Emeritus of that fact to allow us to take steps towards lawful processing of such SPD.

Should we require SPD for delivering the courses or for any other related purpose(s), we will obtain your explicit consent towards such collection and processing in terms of this Notice at the point where the SPD will be disclosed by you.

Where the applicable law(s) provide other legal bases for processing SPD (as an exception to obtaining explicit consent), we may rely upon such legal basis as may be available to us in a particular situation. In the event you voluntarily disclose/share/upload/post/make public your SPD on our website, or any other public forum owned or controlled by us, you understand that the said SPD may be processed by us in accordance with the applicable law(s) and this Notice.

Personal data of others provided by you:
In certain situations,you may provide to us the personal data of others (for example, your friends, colleagues, family members, etc.) such as in the context of providing emergency contact details, or personal references towards your application, or as a referral towards our programs and courses, etc.

Persona data collected directly from you for course registration, enrollment, and onboarding:

Emeritus collects your personal data that werequire in order to register you for an account and subsequently to enrol and onboard you to the course(s) of your choice, directly from you at the time of registration on the course application page on our website. You may either provide the required personal data by creating a fresh account on our website, or authorize third party platforms like Google, Facebook, or LinkedIn to share with us the data available with them. The remaining personal data attributes (that have not been updated on your chosen third-party platform) shall be additionally collected from you.

It is your responsibility and obligation to ensure that all personal data submitted to us is accurate, correct, complete, and up to date at the time of submission. Failure on your part to do so may result in our inability to provide you with courses and educational services that you have applied for. Please keep us informed of any changes to your personal data.

Personal data collected during the course delivery:

Some or all the attributes listed under ‘User generated data’ category of personal data will be generated during the process of delivering the course(s) till its completion. We may store and maintain this data in our student records (about you) or in any other relevant database. This data can be generated when you interact with us, such as in one or more of the following ways:

• When you submit an assignment or appear for examination and/or assessments in connection with your course(s).
• When you register for seminars or webinars related to your course(s).
• When you respond to surveys and feedback questionnaire(s) generated by us.

Personal data provided by others:

Our corporate clients (the B2B/enterprise clients who engage us for delivering one or more courses to their sponsored candidates), our university partners, and even individuals (like, our present or past students, prospective students, etc.) may also refer students to us for enrolment to different course(s). In order to identify and in some cases to register and onboard the students referred to us by our clients, or university partners, or other individuals, we may initially receive some personal data from the following categories from them:

• Identification/Identity data
• Contact details
• Educational and employment data

If you have been referred to us by our corporate clients, or our university partners, or by another individual,you may still be required to register yourself through our course application page for completing the enrolment and onboarding process. You may be asked to again provide the personal data initially provided to us by your referrer, along with the additional information (personal data) required for the course registration.

Personal data that others provide about you may also include data provided by the third-party platforms like Google, Facebook, or LinkedIn, who have been authorized by you to share such data available with them with us, for the purpose of registering your account, and enrolling and onboarding you to the course(s) of your choice.

Personal data of others provided by you:

In certain situations, such as in the context of providing emergency contact details or personal references towards your application or as a referral, you may provide to us the personal data of others (for example, your friends, colleagues, family members, etc.). In such a situation, it becomes your responsibility to inform the individual concerned about the processing of their personal data for the relevant purposes and to confirm to us that you have been authorized to submit such details with us for processing for our legitimate interests.

Personal data collected via tracking technologies:

When you visit our website or use our service, we and third parties may use cookies and other tracking technologies to collect personal data from you.  This may include tracking your activities across time and third-party sites or services. For more information about this processing and your choices regarding it, see our Cookie Notice.

Purpose(s) of processing:

Emeritus uses students’ and program applicants’ personal data for the purposes related to screening, enrollment, onboarding, delivery, assessment, administration and management, and completion of courses.

Lawful (legal) basis for processing:

Privacy law of certain jurisdictions require that one of the available lawful bases of processing, as prescribed by such privacy law, must be relied upon (satisfied) by Emeritus before processing your personal data for each of the purposes listed earlier. The lawful basis that Emeritus relies upon for a particular processing activity may differ from the lawful basis relied upon for another processing activity i.e., different lawful bases may be relied upon to lawfully conduct different processing activities.

All or some of the following lawful bases of processing may be available under the privacy law of a particular jurisdiction (country):

1. Consent: You have given consent (explicit/express or deemed/implied, depending upon the privacy law applicable) to the processing of your personal data for one or more specific purposes.
2. Performance of a contract: Processing of your personal data is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.
3. Compliance with legal obligation: Processing is necessary for compliance with a legal obligation to which Emeritus is subject.
4. Protection of vital interests: Processing is necessary in order to protect your vital interests or of another natural person.
5. Public interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. Legitimate interest: Processing is necessary for the purposes of the legitimate interests pursued by Emeritus or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms under applicable data protection laws.

Processing of sensitive personal data or special categories of personal data (‘SPD’) has been covered earlier under the section ‘What are the categories/types of personal data we collect about you?’.

The most common processing activities under each purpose that we use (process) your personal data for, along with the respective legal basis for our processing activities, are listed below:

Where Emeritus wishes to use your personal data for a new purpose that has not been included in the table above, Emeritus will process your personal data, for such new purpose, as per the provisions of the applicable privacy law(s). Where required, Emerituswill notify you of the new purpose in accordance with the applicable law(s) and obtain your consent (or rely on any another lawful basis available with us) before processing your personal data for the new purpose.

Legitimate interest as the lawful (legal) basis for processing – additional information:
You have the right to object at any time, on grounds relating to your situation, to processing of your personal data carried out for our legitimate interests or of a third party.

Please refer to the section ‘What are your rights with respect to your personal data?’ for more details.

Performance of a contract as the lawful (legal) basis for processing – additional information:
Please note that if you fail to provide certain information when requested then we may be unable to take steps towardsentering into a contract with you at your request, or where we have an existing agreement with you to perform our contractual obligations under that agreement.

Consent as the lawful (legal) basis for processing – additional information:
Where the collection and use of your personal data is based on your consent, you are entitled to withdraw that consent at any time by contacting us (please refer to the ‘Contact Us’ section of this Notice), or by clicking the ‘unsubscribe’ link in our marketing emails. Please note that your withdrawal of consent could have an adverse impact on our ability to engage with you and would not affect the lawfulness of processing that has already occurred based on your consent.

Disclosure within the Emeritus group of companies (affiliates):
Emeritus is a global company, and we may share your personal data or provide such access to other companies within the Emeritus group as affiliate service providers, or as data controllers for the performance of contract with you and for providing you with the services (educational course/s) that you have enrolled for. This Notice also applies to the processing activities of our affiliates on your personal data in such contexts and is provided for and on behalf of those affiliates where they also act as controllers of your personal data, including those listed under Annexure-1 of this Notice.

Disclosure to third party service providers:
Emeritus may share your personal data with the following third-party service providers. These third-party service providers will require access to yourpersonal data to perform certain limited functions for Emeritus however, they may not generallyuse, for their own purposes,yourpersonal data that they process:

• Technology service providers like network and IT security, internet services, video communications,customer support and communication,telecom services for running the business operation and protecting it from external and internal threats.
• Service providers for business continuity management and contingency planning in the event of business disruptions.
• Platforms (service providers) for hosting the videos and course materialfor the course(s) that you have enrolled for.
• Platforms(service providers) that are designed for public communications where you submit/postyour comments, coursework, or other information or contentfor viewing byother members of an Emeritus class of which you are a member. Thesepostings may be available to the students who later enroll in the same classes as yours, within the context of the forums, the courseware, or otherwise.
• Platforms (service providers) for creating and hosting discussion forums and study groups.
• Platforms (service providers) for hosting interactive webinars that can be attended live or later (on-demand).
• Platforms (service providers) for creating and hosting your profile that is viewable by other students within and outside your cohort and assisting you to network and establish connection with them.
• Third-party assessors hosting and conducting admission/entrance tests.
• Educational training tools and simulators.
• Service providers providing the following services:
  • Test proctoring
  • Mentoring
  • Business analytics
  • Marketing research
  • Focus groups, surveys, and data analysis
  • Cloud services and data storage
  • Credit facilities and payment processing
  • Couriers
  • Vendors providing verification services towards your contact information like email ID and phone number
• Social media platforms (for example, Facebook, LinkedIn) for assisting us with our social media marketing initiatives.
• Recruitment consultants/service providers to assist you with your career development and job search initiatives.
• Third-party service providers for establishing and implementing whistleblower program by setting-up and independently managing hotline and web-portal for collecting whistleblower reports (anonymous or identified).

We take reasonable steps, such as obtaining contractual commitments from our third-party service providers, to limit and protect the use of your personal data by our service providers.

Disclosure to other third parties:
Emeritus my share your personal data with the following (non-agent) third parties (list not exhaustive):

• Professional advisors and consultants including law firms, tax consultants, business/management consultants, auditors etc. for running the operations efficiently and in a compliant manner.
• Regulators, government bodies, supervisory authorities, and law enforcement agenciesin order to comply with applicable laws, rules and regulations including those related to audit and assessment of educational programs, licensing and approvals, and revenue and taxation.
• Prospective (and actual) sellers or buyers and their advisers in connection with any financing, merger, acquisitionor saleof any of our business or assets.
• Third-party business partners (including our university partners) that offer courses, programs, or services similar to those you have enrolled for or that may otherwise be of interest to you. We shall rely upon your consent (separately obtained as and when required), or any other lawful basis available at the time, before sharing your personal data for the stated purpose.
• Providers of ancillary/supplementary programs, courses, trainings, and certifications related to the course/program you have enrolled for.
• At your selection (you can control and change the setting between public and private at any time), your ePortfolio will be made public for everyone in your cohort to see. Once made public, Emeritus may use your ePortfolio as a sample with future cohorts or in its marketing materials for its legitimate interest.

In addition to the above, Emeritus also shares your personal data, more specifically as stated, with the following third parties:

We share your personal data with the (non-agent) third parties primarily for the performance of contract between you and Emeritus but may also rely upon one of the other lawful bases, listed under the section ‘Lawful (legal) basis for processing’, that may be legally available to us. Where required by the applicable privacy law(s), we will seek your consent before sharing your personal data with the third parties.Third parties with whom your personal data has been shared may, in some cases, independently determine the purposes and uses of your personal data; in such cases, that third party recipient’s own privacy policy (notice) will govern their use of your personal data.

Disclosure without notification:
In some cases, or circumstances, we may disclose your personal information to third parties without notifying you. These circumstances could include:

• • Where Emeritus is required to do so as per applicable laws/rules/regulations, or by order of a court, tribunal, or any other regulatory authority, or other legal process or compulsion.
  • Where Emeritus,in good faith,believes that such disclosure is reasonably necessary to comply with a legal obligation, process, order, or request.
  • Where Emeritus is legally required to or believes in good faith that such disclosure is reasonably necessary to safeguard the rights, property or other interests of Emeritus, its employees, vendors, clients, customers of clients, third parties or the public as required and permitted by the applicable law(s).
  • Where provision of the information would be disproportionate or would result in the impossibility or serious impairment of achieving the objectives of processing.

Due to the global nature of our business which comprises of partnership with various universities across the globe with international student enrolments to the courses and programs offered, presence of several Emeritus group companies (affiliates) worldwide, vendors/service providers (processors) that are present in and operating out of different countries and facilitate and support our services, and other third parties (esp. those listed in the earlier section) established in an overseas location, your personal data may be shared, disclosed, or transferred to these parties in other countries where the privacy and data protection law(s) may differ from those in your country. The cross-border transfer may include transfer to third countries (including onward transfers) that are not covered by the adequacy decision of the European Commission (Secretary of State in case of UK).

The cross-border transfer of your personal data shall be done in compliance with the concerned provisions and requirements of the privacy law(s) applicable on your personal data that may inter-alia include:

• In the case of personal data within scope of the privacy law(s) of the European Economic Area (EEA) or United Kingdom (UK), your personal data may be transferred cross-border on one of the following bases:
  • When such transfer is being done to a country or a territory that is covered by an adequacy decision issued by the European Commission (Secretary of State in case of UK).
  • When such transfer (to a non-adequate third country) is necessary for the performance of contract between you and Emeritus.
  • When we have provided for appropriate safeguards in the form of Standard Contractual Clauses (SCCs), adopted by the European Commission (Information Commissioner in case of UK), signed with the recipient of your personal data in the non-adequate third country.
  • When we have obtained explicit consent from you after informing you of any possible risks of such transfer to a third country for you as an individual due to the absence of an adequacy decision and appropriate safeguards.

• In the case of personal data within scope of the privacy law(s) of countries other than the European Economic Area and United Kingdom, your personal data may be transferred cross-border on one of the following bases:
  • Emeritus has signed appropriate data transfer and/or processing agreement with the recipient of your personal data in the other country.
  • Under any other provisions and/or conditions enabling such transfer as provided by the privacy law(s) applicable on your personal data.

Emeritus will retain your personal data for as long as necessary for the purpose(s) for which it has been collected, in accordance with the applicable law(s), and as set out in our retention policy and/or schedule. The duration for which we retain your personal data may differ depending upon the purpose(s) it’s being processed for.

We will retain and use your personal data to the extent necessary to comply with our legal obligations, for example, to comply with statutory audits, resolve disputes, comply with orders or requests issued by competent court(s), and enforce our legal agreements and policies.

In some circumstances we may anonymize your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Emeritus implements appropriate technical and organizational measures to ensure security of your personal data and to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. These measures are designed to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed by us.

We make every reasonable effort to ensure safety and security of your personal data in accordance with the applicable law(s) and industry standards while considering the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Despite all our efforts, risk of personal data breach persists as no method of internet transmission or storage guarantees complete security.In an unlikely event of a personal data breach,we will assess and investigate the event and take necessary actions, including those related to notification to the relevant supervisory authority and to the individuals impacted, in compliance with the applicable law(s) within the timelines prescribed.

You may check and update certain personal data within our systems either by logging to your password-protected account (in some cases) or by contacting us at privacy@emeritus.org. It is your responsibility to ensure that your personal data, that you have shared with us, is accurate, correct, complete, and up to date in our records.

Privacy laws in some jurisdictions, especially those in the European Economic Area (EEA) and the United Kingdom (UK),and in some U.S. states, provide individuals with certain rights in relation to the processing of their personal data (subject to conditions and exceptions provided in such laws). These rights are jurisdiction-specific and may not be available to all. For example, in case you are located in the European Union (EU) (or UK) or our affiliate that you interact with (that collects and processes your personal data) is located in the EU (or UK), all of the rights listed below may be available to you. Some or all these rights (and even some additional rights) may be available to you under the privacy law(s) of other jurisdictions as well but that depends upon the scope of privacy law(s) applicable on your personal data. U.S. data subjects should see our U.S. Privacy Notice for more details related to their rights.

• Right of access: to obtain from us a confirmation as to whether or not personal data concerning you are being processed.
• Right to rectification: to get your inaccurate personal data corrected or rectified, and incomplete personal data completed.
• Right to erasure: to have your data deleted (this is not an absolute right and is subject to exemptions available under the applicable privacy law).
• Right to restriction of processing: to obtain restriction of processing.
• Right to data portability: to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and have it transmitted to another controller.
• Right to objecton grounds relating to yourparticular situation especially where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
• Right to object to automated decision making and profiling: to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.

We will process your request to exercise the above rights in accordance with the law(s) applicable in relation to the rights exercised by you. As permitted by applicable law, we may refuse requests that are unreasonably repetitive, require disproportionate technical effort, risk the privacy of others, may compromise an ongoing investigation, or are impractical. We do not discriminate against you for exercising any of your rights in a manner that would violate applicable law.

As a policy, Emeritus allows you to access your personal data, verify and challenge the accuracy and completeness of your personal data, and have it corrected, amended, or deleted if inaccurate and, in limited circumstances, object to processing of your personal data even if the law in your jurisdiction does not accord you those rights, but we will apply our discretion in how we process such requests except as otherwise required by applicable law. We may require you to establish your identity and provide evidence to justify the amendment of your personal data held by us. You can exercise these rights by contacting us per the Contact Us section below, or in the case of U.S. data subjects as set forth in our U.S. Privacy Notice.

In addition, we enable you to exercise certain choices regarding cookies and certain other tracking technologies, as explained in our Cookie Notice.

To exercise a data subject right or make an inquiry about your personal data, please write to us at privacy@emeritus.org. We may need to verify and confirm your identity before we process and fulfil your request. This is another appropriate security measure to protect your personal data.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights) unless, and subject to applicable law, your request for access is clearly unfounded, excessive, or repetitive. Alternatively, we may refuse to comply with the request in such circumstances in accordance with the applicable laws.

Right to complain: You may have the right to lodge a complaint with your local data protection authority about our processing of your personal data. For more information, please contact your local data protection authority. We would, however, welcome the opportunity to discuss, address, and resolve your concerns before you reach out to your local data protection authority. So, please contact us in the first instance at privacy@emeritus.org.

This Privacy Policy Addendum supplements the Privacy Policy at emeritus.org and describes additional rights of residents of the State of California under the California Consumer Privacy Act of 2018, as amended (the “CCPA”).

California residents are entitled once a year, free of charge, to request and obtain certain information regarding our disclosure, if any, of certain categories of Personal Information (as defined under CCPA) to third parties for their direct marketing purposes in the preceding calendar year.

Notice to California Residents

This section describes how we handle the Personal Information of California residents (as defined in Section 17014 of Title 18 of the California Code of Regulations), and the rights they have under the CCPA”) to the extent that (1) we collect and process such information in the context of providing services and selling goods (hereinafter, Customer Related Personal Information); and (2) the obligations imposed by the California Consumer Privacy Act of 2018 (“CCPA”) apply to such data. This section also notifies California residents of our collection practices regarding such Personal Information and describes your rights under the CCPA.

Capitalized terms not defined in this section shall be as defined in CCPA or in the Privacy Policy, as applicable.

Notice at Collection

We collect the following categories of Customer Related Personal Information from you:

1. Identifiers: We collect identifiers such as real name, alias, postal address, unique personal identifiers, online identifier, Internet Protocol address (see “internet activity” below), email address, and account name.
2. Internet /electronic network activity: When you browse our sites or otherwise interact with us online, we may collect browsing history, search history, and other information regarding your interaction with our sites, application or advertisements.
3. Customer Records: We collect Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) such as name, signature, description, address, telephone number, bank account number, or other financial information. Some Personal Information included in this category may overlap with other categories.
4. Characteristics of protected classifications under California or federal law: In some circumstances, we may collect information that is considered protected under California or federal law such as age but only when that information is relevant for our business purposes. We abide by the legal requirements imposed under applicable law regarding such information.
5. Sensory data: In some circumstances, we collect audio information (e.g., records of calls made through our systems when call recording is activated), electronic and visual information (e.g. recordings from security cameras), or similar information.
6. Geolocation data: If you interact with us online, we may gain access to the approximate location of the device or equipment you are using. If you visit our facilities, we may keep record of the fact that you visited, the location visited, and the day/time.
7. Biometrical data: We do not independently collect biometric data such as DNA data, fingerprints, voice prints, retina scans, or face scans; however, we may collect data from which biometric data could be derived (such as voice recordings and pictures.)
8. Commercial Information: We collect commercial information, such as records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
9. Professional or employment related data: Because we collect and handle information related to our services, we may collect from you professional or employment information such as company name, designation, work experience, etc.
10. Inferences: We may draw inferences from other information we collect about you. For example, if you use our services, we may create a client profile reflecting our understanding of your personal preferences.

We use the Customer Related Personal Information collected for operational purposes or other business purposes as described in this Privacy Policy. Examples of how we may use Customer Related Personal Information include:

• For our internal efforts to operate and improve our business.
• For advertising and marketing purposes relating to our services and programs, including marketing on social media sites.
• For our general administrative purposes.
• For social-media engagement.
• For security purposes, as necessary to help us protect against, identify, or investigate fraud or other criminal activity.
• For other legal purposes, if we have a legal obligation, or need to pursue or defend against legal claims, for which we need to process your information.
• For communication purposes, to get in touch with you in connection with any of the reasons listed above.

We share Personal Information in the context of marketing and advertising in ways that may be considered selling under CCPA. You can opt-out out of the sharing as described in the California Rights section below. However, we do not authorize third parties to use your Personal Information for their own purposes unless you direct us to do so.

Collection and sharing practices in the last twelve (12) months

In the last twelve (12) months we have collected Customer Related Personal Information for all categories outlined in the Notice at Collection section above.

We collected such information from the sources described in our Privacy Notice. For example, we have collected Customer Related Personal Information:

• Directly from our customers (for example, information provided through the Site or other communications with us).
• From our business partners with whom you have consented to the sharing of your information.
• From consumers’ activity on the Site (for example, Site visit information collected directly or through third-party analytics providers).
• From a device’s GPS, Wi-Fi, Bluetooth, or IP address.
• From consumers’ activities on social media.
• From our interaction through social media.

We have shared Customer Related Personal Information for our operational purposes or other business purposes as described in our Privacy Notice. We also share Personal Information in the context of marketing and advertising in ways that may be considered selling or sharing under CCPA. The types of entities with which we have shared Customer Related Personal information include:

• Service providers
• Other members of our corporate group
• Governmental entities (where we are under a duty to disclose or as required to protect our rights or the rights of others).
• Business Partners and other third parties as necessary to provide services to our customers

Your rights under California law

If you are a California resident, you have the following rights under CCPA:

• Right to know/access information: You have the right to request that we disclose to you: (1) the specific pieces of Personal Information we have collected about you over the past 12 months; (2) the categories of Personal Information collected or shared over the past 12 months; (3) the purposes for which we collected or shared such Personal Information; (4) the categories of third parties to whom we have disclosed such Personal Information.
• Right to delete: You have the right to request in certain circumstances deletion of the Personal Information that we have received about you. As a general rule, we must delete the Personal Information at your request and require our vendors to do so as well. However, the law provides certain exceptions that allow us to retain the information even if you have requested that it be deleted. If we do not erase the information pursuant to one of those exceptions, we must inform you of that fact and of any rights you may have to appeal our decision.
• Right to Opt Out of Sale of Personal Information to Third Parties. You have the right to opt out of any sale of your Personal Information by Emeritus to Third Parties. We do not sell information to third parties.
• Right to Information Regarding Participation in Data Sharing for Financial Incentives. You have the right to be free from discrimination based on your exercise of your CCPA rights. We do not discriminate against anyone who chooses to exercise their CCPA rights.

California law also provides that California residents are entitled to know how we respond to “Do Not Track” settings. Like many other websites and online services, we do not currently alter our practices when we receive a “Do Not Track” signal.

How to exercise your Rights

You can make requests related to your California privacy rights by completing our Enquiry Form.

You may also make those requests by writing to us at privacy@emeritus.org

Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.).

When you make a request, we may ask you to provide verifying information, such as your name, email, or phone number. We will review the information provided and may request additional information via email or other means to ensure we are interacting with the correct individual. Please also be aware that making any such request does not ensure complete or comprehensive removal or deletion of personal information or content you may have posted, and there may be circumstances in which the law does not require or allow us to fulfill your request.

If we suspect fraudulent or malicious activity on or from the password-protected account, we may decline a request or request that you provide further verifying information.

You may only make a verifiable consumer request twice within a 12-month period. Making a verifiable consumer request does not require you to create an account with us.  We will only use Personal Information provided in a verifiable consumer request to verify your identity or authority to make the request.

Any questions, concerns, or complaints about the operation of this Notice can be addressed to the Data Protection Officer at privacy@emeritus.org. In addition, you may submit your concerns or complaints about our privacy practices to our Data Protection Officer at privacy@emeritus.org or at the following address:

Emeritus Institute of Management
78 Shenton Way,
#20-02 Singapore-079120

Whenever we receive a formal complaint, we attempt to contact the complainant individually and resolve his/her grievances and/or concerns truthfully and with utmost transparency.

In addition to contacting us, in certain countries you have the right to lodge a complaint with your local data protection authority if you so choose.

In case you are located in the European Union (EU) or United Kingdom (UK), you may contact our representative in the EU or UK:

Global Alumni

• by emailing: EURep@Emeritus.org
• by writing to Global Alumni at Calle Acanto, 11,28045, Madrid, Spain
• EIM Learning UK Ltd by emailing: UKRep@Emeritus.org
• by writing to EIM Learning UK Ltd at We work, 10 York Road, London, England, SE1 7ND

Personal data means any data related to an identified or identifiable living natural person, provided, however, that if an applicable law has a different definition of personal data (or a similar term referring to information relating to an individual), such definition shall be applied to the extent applicable.

Sensitive personal data (SPD) means Personal Data which is more significantly related to the notion of a reasonable expectation of privacy. However, data may be considered more or less sensitive depending on context or jurisdiction.

Process and Processing means (1) any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, accessing, consultation, interpretation, assessment, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; and (2) any other action that may be taken with respect to Personal Data.

(Data) Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

(Data) Processor means a natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller.

Adequacy decision means a formal decision made by the European Union (EU) which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does.

Onward transfer means a transfer of personal data to a fourth party or beyond. For instance, the first party is the data subject (you), the second party is the controller (Emeritus), the third party is the processor, and the fourth party is a sub-contractor of the processor.

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

University partners mean the universities on whose behalf we deliver and manage the respective educational courses.