Introduction
International University of Erbil ("IUE", "University", "we", "us", or "our") is committed to protecting the privacy and security of the personal information of our students, faculty, staff, and visitors. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our educational services.
As an educational institution, we comply with applicable privacy laws, including the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and the General Data Protection Regulation (GDPR) where applicable.
Effective Date: November 9, 2025
Information We Collect
Personal Information
We may collect the following types of personal information:
- Student Records: Name, student ID, date of birth, contact information, academic records, enrollment status, grades, attendance, disciplinary records
- Staff/Faculty Information: Name, employee ID, contact information, department, position, qualifications, employment history
- Account Information: Username, email address, password (encrypted), profile picture, role and permissions
- Communication Data: Messages, forum posts, announcements, feedback submissions
- Usage Data: IP address, browser type, device information, pages visited, time spent, clickstream data
- Educational Content: Submitted assignments, course materials, research data, quality assurance activities
Automatically Collected Information
When you access our systems, we automatically collect:
- Log files (IP address, browser type, referring/exit pages, date/time stamps)
- Cookies and similar tracking technologies for authentication and preferences
- Device identifiers and operating system information
- Session data and system performance metrics
How We Use Your Information
We use collected information for the following educational and administrative purposes:
- Educational Services: Deliver courses, manage enrollment, track academic progress, issue grades and transcripts
- Communication: Send important notices, announcements, newsletters, and respond to inquiries
- Account Management: Create and manage user accounts, authenticate users, enforce security policies
- Quality Assurance: Monitor educational quality, track faculty activities, generate reports and analytics
- System Administration: Maintain system security, prevent fraud, troubleshoot technical issues, improve services
- Legal Compliance: Comply with legal obligations, respond to lawful requests, protect rights and safety
- Research and Analytics: Conduct institutional research, analyze trends, improve educational outcomes (with aggregated/anonymized data)
Information Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share information in the following circumstances:
Within the Institution
- With authorized faculty and staff who have a legitimate educational interest (FERPA compliance)
- With department heads, academic advisors, and administrators for educational purposes
- With IT staff for system maintenance and security purposes
External Sharing
- With Your Consent: When you provide explicit consent for specific disclosures
- Service Providers: Third-party vendors who assist in operations (hosting, email services, analytics) under strict confidentiality agreements
- Legal Requirements: When required by law, court order, subpoena, or government request
- Emergency Situations: To protect the health, safety, or legal rights of individuals
- Academic Partners: With partner universities, accreditation bodies, or educational organizations for legitimate purposes
- Parents/Guardians: As permitted by FERPA for dependent students or with student consent
Third-Party Services
We may use the following types of third-party services:
- Cloud hosting and infrastructure providers
- Email and communication platforms (Google Workspace for Education)
- Analytics and monitoring tools
- Payment processors (for tuition and fees)
- Learning management systems and educational tools
All third-party providers are contractually obligated to protect your data and use it only for specified purposes.
Data Security
We implement industry-standard security measures to protect your information:
- Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest
- Access Controls: Role-based access control (RBAC), multi-factor authentication for sensitive systems
- Authentication: Secure password policies, bcrypt/Argon2 password hashing
- Network Security: Firewalls, intrusion detection systems, regular security audits
- Monitoring: Audit logging, anomaly detection, incident response procedures
- Employee Training: Regular security awareness training for all staff
- Vendor Management: Security assessments of third-party providers
While we strive to protect your information, no security system is impenetrable. We cannot guarantee absolute security but continuously work to enhance our security posture.
Data Retention
We retain personal information for as long as necessary to fulfill educational purposes and legal obligations:
- Student Records: Academic transcripts retained permanently; other educational records for 5-7 years after graduation or last attendance
- Employee Records: Employment records retained for 7 years after termination (or as required by law)
- Financial Records: Retained for 7 years for audit and tax purposes
- System Logs: Retained for 90 days to 1 year for security and troubleshooting
- Communication Records: Retained for 1-3 years unless part of an official student/employee record
After the retention period, we securely delete or anonymize data unless required to retain it by law.
Your Rights and Choices
Depending on your jurisdiction, you may have the following rights:
FERPA Rights (Students)
- Right to inspect and review your educational records
- Right to request amendment of inaccurate records
- Right to consent to disclosures of personally identifiable information (with exceptions)
- Right to file a complaint with the U.S. Department of Education
General Privacy Rights
- Access: Request a copy of your personal information
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your data (subject to legal retention requirements)
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Request restriction of processing in certain circumstances
- Objection: Object to processing for certain purposes (e.g., direct marketing)
- Withdraw Consent: Withdraw consent where processing is based on consent
How to Exercise Your Rights
To exercise any of these rights, please contact us using the information in the "Contact Us" section below. We will respond within 30 days.
Children's Privacy (COPPA Compliance)
Our services are designed for educational use and may be used by students under 13 years of age. We comply with the Children's Online Privacy Protection Act (COPPA):
- We collect only information necessary for educational purposes
- We obtain verifiable parental consent before collecting personal information from children under 13
- Parents may review, request deletion, or refuse further collection of their child's information
- We do not condition participation on disclosure of more information than reasonably necessary
- We do not share children's information with third parties except as necessary for educational purposes or as required by law
For questions about children's privacy or to exercise parental rights, contact our Data Protection Officer at the email below.
Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Maintain user sessions and authentication
- Remember user preferences and settings
- Analyze site usage and performance
- Provide personalized content and features
You can control cookies through your browser settings. Disabling cookies may affect the functionality of our services.
Types of cookies we use:
- Essential Cookies: Required for authentication and core functionality
- Performance Cookies: Collect anonymous usage statistics
- Functional Cookies: Remember your preferences
International Data Transfers
International University of Erbil is located in Iraq. If you access our services from outside Iraq, your information may be transferred to, stored, and processed in Iraq or other countries where our service providers operate.
We ensure appropriate safeguards are in place for international transfers, including:
- Standard contractual clauses approved by relevant authorities
- Adequacy decisions where applicable
- Compliance with applicable data protection laws
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated policy on our website with a new "Effective Date"
- Sending email notifications to registered users
- Displaying prominent notices on our systems
Your continued use of our services after the effective date constitutes acceptance of the updated policy.
Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process personal data based on:
- Contractual Necessity: To provide educational services you've enrolled in
- Legal Obligation: To comply with applicable laws and regulations
- Legitimate Interests: For institutional operations, security, and improvements (where not overridden by your rights)
- Consent: Where you have provided explicit consent for specific purposes
- Public Interest: For educational and research purposes serving the public good
Last Updated: November 9, 2025