Privacy
This privacy notice is for the Cardiff University website only (www.cardiff.ac.uk, blogs.cardiff.ac.uk, sites.cardiff.ac.uk and campaigns.cardiff.ac.uk).
For information about data protection in general and privacy notices for enquirers, students and staff, please see our Data Protection pages.
The personal data we collect
The Cardiff University website collects personal data from you in two ways:
- data you provide yourself
- data collected automatically.
The personal information collected is not sold to third parties.
Data you provide yourself
Our website includes several different types of online forms, as explained below. The data gathered through online forms will only be used for the purpose described on collection unless you also consent to other defined uses.
Enquiries
When you make an enquiry about studying with us or the support we offer, the data you provide is sent to Gecko Engage and is stored on their servers within the EU, in Dublin and London. Your data will then be managed in line with Cardiff University’s data protection policy. To request your data or ask for it to be deleted, contact enquiry@cardiff.ac.uk.
When you submit an enquiry to our Student Support and Wellbeing teams, the data you provide is sent to Engage2Serve and is stored on their servers within the EU, in Dublin and London. Your data will then be managed in line with Cardiff University’s data protection policy. To request your data or ask for it to be deleted, contact studentconnect@cardiff.ac.uk.
Online forms
When you complete an online form on www.cardiff.ac.uk, blogs.cardiff.ac.uk or sites.cardiff.ac.uk, the personal data you provide is sent to Cardiff University.
The information you submit via www.cardiff.ac.uk is hosted in the UK by Squiz, the company that provides our hosting services. Squiz operates as our data processor, processing personal data on our behalf. Your data is deleted within 60 days.
The information may then be passed to trusted partners under contract to help us do what you requested (such as sending you a printed prospectus).
On campaigns.cardiff.ac.uk, the data you provide may be sent to Instapage and held in accordance with the Instapage privacy policy before being passed to Cardiff University. This data is held outside the EU and stored indefinitely unless it is deleted. To request your data or ask for it to be deleted, contact web@cardiff.ac.uk
When you complete an online form, if you consent to receive email marketing from us, your email address and other necessary personal data will be shared under contract with Campaign Monitor who provide us with marketing services and held in accordance with the Campaign Monitor privacy policy. This data may be stored outside of the EU. It is kept for as long as you choose to remain subscribed. You can unsubscribe at any time from the link provided in each email. To request your data or ask for it to be deleted, contact web@cardiff.ac.uk
When you use our website to make an online payment, you will be sent to the Secure Trading website to enter your payment details. Data such as your name, address and card details is held in accordance with the Secure Trading privacy policy. This data may be held outside of the EU and stored for 10 years. To request your data or ask for it to be deleted, contact web@cardiff.ac.uk
When you register to chat with a student ambassador, the data you provide is sent to Unibuddy and held in accordance with the Unibuddy privacy policy before being shared with Cardiff University. You can delete your data by going to the Unibuddy account settings. To request the data shared with Cardiff University, or ask for it to be deleted, contact web@cardiff.ac.uk
Open day booking forms
Our open day booking forms are hosted on Gecko Engage and your data is stored on their servers within the EU, in Dublin and London. It will then be managed in line with Cardiff University’s data protection policy. To request your data or ask for it to be deleted, contact enquiry@cardiff.ac.uk.
Your data may also be provided to NHS Test, Trace, Protect service, if requested under COVID-19 requirements.
Bookings for specific open day sessions may be hosted on Eventbrite. If you book specific sessions, your data will be sent to Eventbrite and held in accordance with the Eventbrite privacy policy before being sent to Cardiff University. It may be held outside of the EU but when this occurs Eventbrite takes steps to safeguard data through Standard Contractual Clauses. The data is stored for as long as you use the Eventbrite service. To request or delete your Eventbrite data, contact privacy@eventbrite.com
Usability testing and associated prize draws
We are always seeking to improve our websites, and occasionally ask for voluntary responses to surveys or way-finding experiments. These are hosted on a 3rd party website, Optimal Workshop. Your data is processed in line with Optimal Workshop’s terms of service. Your feedback is anonymous but you can choose to enter your email address to be entered into a prize draw if one is advertised. We will not use your email address for any other purposes. All other data collected relates to website usability rather than you as an individual.
Cardiff University are the data controllers for your email address and other data collected via Optimal Workshop, and Optimal Workshop are the data processor. We will handle your data in line with our data protection policy. You can also ask us to delete your data from Optimal Workshop, which will take place within 30 days of Cardiff University requesting deletion.
Feedback
When you report a problem or provide us with feedback about our website, personal data such as your email address will be sent to Zendesk. Zendesk uses data centres in three main regions — the United States, Asia Pacific, and the European Union. In accordance with Zendesk’s privacy policy your data may be stored in any of those regions. This data will be stored indefinitely unless it is deleted. To request your data or ask for it to be deleted, contact web@cardiff.ac.uk.
On some parts of our website we use Hotjar to gather feedback. If you provide your email address it will be stored within the EU in accordance with the Hotjar privacy policy and kept for 365 days. With your consent, Hotjar will associate website activity data with your email address and also store data about your country, device and browser and language setting. To request this data, withdraw consent or ask for it to be deleted, contact web@cardiff.ac.uk
Data collected automatically
The data collected automatically by our website helps us understand which parts of it are most popular, where visitors are coming from and how they are using it. This allows us to make improvements in future.
Usage statistics
As you use our website, data about the pages visited is sent to Google Analytics so that we know how many people are using it. This includes the individual pages visited, an anonymised IP address, the device, browser and the website you came from. Google can also collect demographic and interests information from the DoubleClick cookie, if it's present on your device. Google relies on Standard Contractual Clauses for the transfer of advertising and measurement data outside of the European Economic Area, the UK or Switzerland.
The data is stored for a maximum of 14 months in accordance with Google's privacy policy. Google provide controls required by United Kingdom data protection law, so that you can exercise your rights to request access to, update, remove and restrict the processing of your information.
You also have the right to object to the processing of your information or export your information to another service. To request this data or ask for it to be deleted contact web@cardiff.ac.uk
We also partner with Microsoft Clarity to capture how you use and interact with our website through behavioural metrics, heatmaps, and session replay. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of website pages and online activity.
Whilst we are unable to identify individuals from the data collected through this partnership, if you have agreed to share such data with Microsoft through other services and products, it is possible they may correlate user behaviour information collected via these services/products with existing data they have associated with you.
This will be for the purposes of improving Microsoft’s fraud/security practices and for advertising purposes, Microsoft will not share this information with Cardiff University. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
Advertising effectiveness
On parts of our website, we use code provided by Google, Facebook, Twitter, Snapchat, TikTok or LinkedIn to serve adverts based on someone’s past visit (retargeting) and to measure the effectiveness of our advertising campaigns. This code sends data to Google, Facebook, Twitter, Snapchat, TikTok or LinkedIn about the individual pages visited, actions completed on the page, IP address, device and browser.
This data may be held outside of the EU. Google, Facebook, Twitter, Snapchat and LinkedIn are certified compliant with the EU-US Privacy Shield. You can request this data or ask for it to be deleted via the Facebook Your Information, Google’s Ads Settings, Twitter privacy controls, Snapchat Support, TikTok privacy policy pages and LinkedIn account settings or visit Your Online Choices and switch off behavioural advertising from a large number of companies.
YouTube videos
On pages containing YouTube videos, data about the videos you watch will be sent to Google and stored in accordance with Google’s privacy policy. It may be used by Google to personalise advertising for you. You can opt out via Google’s Ads Settings and request or delete your data via your Google Account.
Interactive maps
The maps on the Cardiff University website use the Google Maps API in accordance with Google’s privacy policy. By using these maps you agree to be bound by the Google Maps/Google Earth additional terms of service.
When we use interactive maps that show your position, we will do so only with your consent. If you provide consent, the map will use the coordinates of your current location but this data will not be sent to us or stored.
Interactive charts
On pages of our website that include interactive charts, data including your IP address, browser and device is sent to ChartBlocks and held on Amazon Web Services storage for three years in accordance with the ChartBlocks privacy policy. Amazon’s terms include Standard Contractual Clauses to safeguard the transfer of data outside of the European Economic Area. To request this data or ask for it to be deleted, contact web@cardiff.ac.uk.
SoundCloud audio
Where we use embedded audio, information about the page you visited and what you listen to will be sent to SoundCloud and held in accordance with the SoundCloud privacy policy. You can request your data or ask for it to be deleted via the SoundCloud Help Center.
Email marketing
When you consent to receiving email from us and you click the links in an email we sent you information such as your IP address, the email software you are using and the links you clicked will be sent to Campaign Monitor and stored in accordance with the Campaign Monitor privacy policy. The data may be held outside of the EU. Collecting this data helps us understand what email content is most popular so that we can send more relevant emails to you in future. It is held for as long as you remain subscribed. You can unsubscribe at any time from the link provided in each email.
User behaviour
On some parts of our website we use Hotjar to record anonymous data about how specific pages are used (such as clicks or mouse movements). This does not collect or store any personal data.
Twitter feeds
On pages that have embedded Twitter content, we instruct Twitter not to record any information about you. You can opt-out of all Twitter tracking from the Twitter Personalisation settings page.
Approximate location
Our website detects the country you are in, based on your IP address. This allows us to personalise parts of our website for international visitors.
Spam prevention
We use Google ReCaptcha on some forms to detect and prevent attacks from spam bots. Google ReCaptcha sends data about form usage to Google in accordance with Google’s privacy policy. You can request or delete your data via your Google Account.
Server logs
Our web servers record requests for web pages (URLs) but no personal data is collected or stored.
Do not track
Our website does not currently support the “Do not track” browser setting.
Changes to this privacy notice
We reserve the right to change this information without notice.