U-M Privacy Statement

Last Revision Date — July 26, 2021

The University of Michigan (U-M) recognizes and values the privacy of the university community members and its guests. This value is reflected in Regent’s Bylaw Sec. 14.07. Privacy and Access to Information, which states in part:

“In collecting, utilizing, and releasing information about individuals associated with the university, the university will strive to protect individual privacy, to use information only for the purpose for which it was collected, and to inform individuals of the personal information about them that is being collected, used, or released.”


In principle, the U-M strives to:

  • Collect, store and use the minimum amount of personal information that is necessary for its legitimate business purposes, and to comply with applicable legal obligations.
  • Take reasonable steps to ensure the personal information we manage is accurate and up-to-date.
  • Limit who has access to the personal information in our possession to only those who need it for a legitimate, specific purpose.
  • Protect personal information through appropriate physical and technical security measures tailored to the sensitivity of the personal data we hold.
  • Communicate with our students, faculty, employees, suppliers, partners and others about how we use personal information in our day-to-day operations.
  • Provide opportunities to control your personal information, as permitted by applicable United States and other laws.
  • Consider privacy principles in the design of our projects or activities that involve the use of personal data.


The U-M Privacy Statement is generally applicable to activities conducted by the University of Michigan that involve the processing of personal information. It is meant to provide you a broad overview of our activities that require the processing of personal information and our approach to protecting privacy. U-M Schools, Departments, Units, Clubs and other groups may have Privacy Statements related to their specific collection and processing of personal information practices.


We define personal information as any information that relates to an identified or identifiable individual. We generally collect personal information in the following circumstances:

  • When you directly provide it to us;
  • Through automated processes (for example, through use of learning management tools, or interaction with our websites); or
  • From other organizations for legitimate, specific purposes (for example, transcripts for admissions purposes).

While it is difficult to provide a detailed picture of all the personal information we collect and use at the institutional level, you can find more detailed information in specific privacy statements provided by the Schools, Departments, Units or groups with which you interact. In general, however, we collect and use the following categories of information at an institutional level:

  • About our prospective students: personal and family information related to the application and financial aid process, including supporting documentation, identification and contact information; including information data related to ethnic origin, if the prospective student wants to disclose such data.
  • About our students: the information submitted as prospective students, information related to their academic record, their academic performance, video images on campus.
  • About our faculty and staff: identification, contact information, biographic information, information related to remuneration, to benefits, to family members, information related to performance at work.
  • About visiting scholars and exchange students: identification, contact information, biographic information, possibly data related to health.
  • About subjects to our research projects: as needed, identification and contact information, together with all information that is produced and observed in relation to the subject as part of the research project.
  • About our alumni: identification and contact information, donor information.
  • About website visitors: the internet domain from which a visitor accesses the website, the IP address assigned to the visitor’s computer, the type of browser the visitor is using, the data and time of visit.
  • About patients treated through Michigan Medicine: identification and contact information, data related to health and billing.


We only process your personal information for legitimate and specific purposes and to facilitate the various operations of the University.

While it is difficult to provide a detailed picture of all the personal information we process at the institutional level, you can find more detailed information in specific privacy statements provided by the Schools, Departments, Units or groups with which you interact. In general, however, we process the following categories of information at an institutional level:

  • Personal information of our undergraduate and graduate students and prospective students to facilitate admission and to provide higher education services.
  • Personal information of our permanent or temporary faculty members and staff to manage their employment.
  • Personal information of visiting scholars and of exchange students to facilitate their visit to our campus. Personal information of subscribers to our online courses to provide them those courses and track their attendance and involvement in the course.
  • Personal information of persons who register to participate to conferences, symposia and other events we organize;
  • Personal information of our alumni to keep them engaged in our community.
  • Personal information of patients for the purposes of delivering healthcare.
  • Personal information of individuals who agree to participate to our research projects.
  • Personal information of visitors to our general website or to our other affiliated websites;
  • Video images recorded by our video security system for the purposes of ensuring physical security and to protect our property.

We may occasionally process other personal information for various legitimate and specific purposes. When these situations occur, we will endeavor to inform you of such occasional processing activities.


The U-M does not sell your information to third parties, and does not share it with third parties for purposes other than supporting the legitimate interests and operations of the University.

We use a variety of third-party services to help fulfill the University’s business. We strive to be diligent with confidentiality, privacy and security standards that we require from all our service providers, and we strive to require that they only use your personal information for the purposes of providing those services.


The U-M recognizes the importance of maintaining the security of the information it collects and maintains, and we endeavor to protect information from unauthorized access and damage. The U-M strives to ensure reasonable security measures are in place, including physical, administrative, and technical safeguards to protect your personal information.


This privacy notice may be updated from time to time. We will post the date our notice was last updated at the top of this privacy notice.


If you have any questions about our practices around the use of personal information, contact our Privacy Office at privacy@umich.edu.

University of Michigan
500 S State St
Ann Arbor, Michigan, 48109.


COPPA imposes legal and regulatory requirements on certain operators of websites or online services directed to children under 13 years of age, and on certain operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. The Federal Trade Commission, United States’ consumer protection agency, enforces COPPA, which spells out what operators of websites and online services that are subject to COPPA must do to protect the privacy and safety of children under the age of 13 online when COPPA applies. The University of Michigan, and the vendors with whom we work, sometimes collect data from children under the age of 13, or share such information with one another. The sharing and collection of such information is done in accordance with all applicable law, including COPPA to the extent it applies under the circumstances.


If you are located in the EU, then our processing of your personal information may fall under Regulation 2016/679 (the General Data Protection Regulation, or the “GDPR”).

In addition to the privacy information provided above, there is additional information specific to the EU legal framework below. Please also see our GDPR resources webpage for more information.


Our processing activities of your personal information will rely on different lawful grounds depending on the circumstances. Generally speaking, we typically rely on the following lawful bases in order to process your personal information under the GDPR:

  • Necessity to enter or for the performance of a contract (ex: for online applications you submit; for the information provided when enrolling; for the payment information we process for tuition);
  • Necessity for our legitimate interests or those of third parties (our legitimate interest to maintain a community for alumni);
  • Consent (for the research projects you may participate in; for processing of special categories of personal data).


The U-M is committed to facilitating the exercise of the rights granted to you by EU data protection law in a timely manner.

In the context of our processing activities that are subject to the GDPR, you have the following rights regarding your personal information:

  • Access, correction and other requests – You have the right to obtain confirmation of whether we process your personal data, as well as the right to obtain information about the personal data we process about you. You also have a right to obtain a copy of this data. Additionally, and under certain circumstances, you may have the right to obtain erasure, correction, restriction and portability of your personal data.
  • Right to object – You have the right to object to receiving marketing materials from us by following the opt-out instructions in our marketing emails, as well as the right to object to any processing of your personal data based on your specific situation. In the latter case, we will assess your request and provide a reply in a timely manner, according to our legal obligations.
  • Right to withdrawal consent – For all the processing operations that are based on your consent, you have the right to withdraw your consent at any time, and we will stop those processing operations as allowable by law.

Please note that when you make requests based on these rights, if we are not certain of your identity, we may need to ask you for further personal information to be used only for the purposes of replying to your request.


We strive to keep personal data in our records only as long as necessary for the purposes they were collected and processed. Retention periods vary and are established considering our legitimate interests and all applicable legal requirements.


When you interact with the U-M, your personal information is transferred to the United States. The United States is not currently among the countries outside the European Union that have been deemed by the European Commission to have an adequate level of legal protections for personal information. To ensure the lawful transfers of personal information from the EU, the U-M relies on the derogations laid out in Article 49 GDPR. In particular, we rely on your explicit consent for some of the transfers and on necessity for the performance of a contract or the implementation of pre-contractual measures taken at your request (for instance, for the transfer of personal data necessary for your application for admission). However, please be aware that we provide safeguards for the information transferred, as required by the GDPR itself and in accordance with this General Privacy Statement.


If you have any concerns or questions about how your personal data is used, please contact us at privacy@umich.edu. We will promptly respond to your request and do our best to address your concern. However, if you believe we have not been able to deal with your concern appropriately, you have a right to complain to your local data protection authority, as granted by Article 77 of the GDPR. You also have the right to submit a complaint in the Member State of your residence, place of work or of an alleged infringement of the GDPR.