Data Collection and Security Policies
About this Document
Modern Campus respects our customers’, and their website visitors’ right to privacy. This document describes how the Instinct™ by Modern Campus feature, when enabled in the Omni CMS product, collects data about your website visitors and how that data is used to deliver personalized content on web pages. It also covers the capabilities that enable institutions of higher education using the Instinct™ product to comply with the rights and choices that website visitors have regarding their personal information.
There is a tremendous amount of detail about how we track user information laid out in later sections of this document. We designed Instinct™ by Modern Campus such that it does not capture critical personally identifiable information (PII). Each regulatory standard defines PII slightly differently. This document defines critical PII as,
- Driving License Number,
- Social Security Number (SSN),
- Social Insurance Number (SIN), and
- Passport Number.
We only capture PII that is needed to drive personalized experiences. We offer several layers of prevention against importing critical PII, including programmatic recognition and user controls (see Data collection via CSV file). This document will enable you to ensure you are disclosing what is necessary to meet the guidelines that are relevant to your institution.
Two common guidelines that many Modern Campus customers look to meet are the GDPR and CCPA. Instinct™ by Modern Campus only collects one piece of information that is considered to be PII under these guidelines – the user’s IP address.
We also comply with modern browser’s ‘do not track’ capabilities and can provide a means for school’s to enable opt-in capabilities if they do not have them already established for their websites.
Instinct™ by Modern Campus Overview
The Instinct™ feature offers two services that can be used separately or together:
- Tracking of unidentified visitors and/or,
- Tracking of identified visitors.
With Instinct™, Modern Campus does not track your website visitor without your consent. You are in complete control of what is tracked. We have several controls that enable you to apply tracking as broadly or granularly as you see fit.
Instinct™ must be enabled at the account and site level for any of the features to be available to users. Additionally, you determine which pages have the tracking code embedded, and you determine the rules for when that information is used and for what purpose. You can track at the site, directory, and single page levels.
The user can opt out of tracking via do-not-track requests, a feature on most modern browsers. Do-not-track requests can be found by navigating to the Privacy and Security section of your browsers’ settings.
Overview of Unidentified Visitor Tracking
Unidentified visitor tracking enables schools to include dynamic content on web pages based on information collected about the user. The feature enables you to:
- Track visitor interactions with your site:
- the frequency of a person’s visits to your website
- the duration of the website visit
- the pages or calendar events visited while on your website
- the source URL from which the visitor navigated to your website
- the visitor’s IP address
- the visitor’s geolocation during the visit (to the metro region)
- the visitor’s browser, operating system, device type, and device resolution
- Create dynamic and personalized content variations to display to website visitors:
- Dynamic blocks
- Page forwarding
- Define rules for when each version of the dynamic content will be displayed to a user. Rules are defined by:
- The number of repeat visits to your website
- The pages or calendar events visited on your website in the past
- The location of the website visitor (granular to the metro region)
- Segments (categories of visitor traits)
- View visit analytics to understand visitor behavior
Overview of Identified Visitor Tracking
You can also choose to import data from your student information system (SIS) or customer relationship management (CRM) process or system to Instinct™. This will identify website visitors by linking them to the prospect and student information from your existing campus systems.
Modern Campus uses Matomo, an open-source project, to help power data tracking and analytics related to the personalization feature. We are hosting our own instance of the Matomo services in our dedicated Amazon Web Services (AWS) hosting environment. Matomo staff do not have access to our environment or any of the data in it.
Matomo uses a combination of first-party cookies and other techniques to ‘fingerprint’ a website visitor. The default expiration for Matomo cookies is 13 months. Even if a user clears their cookies, Matomo can still tell who they are based on this fingerprint.
Matomo enables you to track against all your domains, unlike other tracking technologies. However, we do not enable tracking on any domains other than those owned by our customers. We are not tracking user behavior outside of your website interactions.
Modern Campus is using industry standard data security controls to ensure the integrity of the data and to protect the privacy of website visitors, including but not limited to encrypting the data at rest.
Data that is Collected
Unidentified Visitor Tracking
When you enable personalization on your site, AND you add tracking code to a particular page or set of pages, we will collect the following information for website visitors:
- User IP address (leading 2 octets)
- Date and time of the page visit
- Title of the page being viewed (Page Title)
- URL of the page being viewed (Page URL)
- URL of the page that was viewed prior to the current page (Referrer URL)
- Calendar event visited
- Screen resolution being used
- Time in local user’s time zone
- Location of the user: country, region, and metro region
- Main Language of the browser being used (Accept-Language header)
- Browser plug-ins
- User Agent of the browser being used (User-Agent header)
- From the User-Agent, detect the browser, operating system, device used (desktop, tablet, mobile, TV, cars, console, etc.), brand and model.
Some information is also stored in first party cookies and collected by our Instinct™ feature:
- Random unique Visitor ID
- Time of the first visit for this user
- Time of the previous visit for this user
- Number of visits for this user
Identified Visitor Tracking
When you choose to import your campus data to our Instinct™ feature we store this data with third-party services that we have evaluated to our security standards (Table 1). Specifically, we store this data in Matomo MySQL or AWS Elasticsearch databases. Data is encrypted at rest and accessible only by Modern Campus. Data is not stored in the Omni CMS or microservice databases.
When you connect your campus data with Omni CMS, you decide what data to share. If shared, we handle your data in the following two ways.
Data collection via CSV file
- When you upload a CSV file containing your CRM/SIS data to Omni CMS, we store your data in a private AWS S3 bucket. This private bucket is a shared space accessed by a secret key.
- In Omni CMS, you provide the data mapping, including marking data as restricted. Restrict PII by removing it from your CSV file before import and/or by marking it as restricted during import.
- If your CSV file contains critical PII that we can identify programmatically, we will automatically restrict it and it will never be stored (Figure 2).
Figure 2. Critical PII identified programmatically by Omni CMS and restricted.
- We read your CSV file using your mapping and delete the CSV from the AWS S3 bucket.
Data collection via Instinct™ form
You can also post our Instinct™ form on your website to request information from your visitors. This form will request the following, non-critical PII:
- Date of Birth
- Email Address
- Contact Number
How we use the data collected
Data collected about a particular individual website visitor is used as follows:
- To determine which version of your dynamic content to display based, on your website, based on the rules you create to target particular segments
- To support or troubleshoot the personalization service
Modern Campus may aggregate data across users and our customers to define best practices and help customers to improve their website content, messaging, and structure. We may also aggregate data across our customers to analyze user behavior trends in service to improving our product and creating additional products and services. In the future we may use visitor data to provide predictive recommendations of content to other similar website visitors.
We will never sell your data to a third party and we will not use it to market Modern Campus products or services directly to your website visitors.
Third party services we use
When you use our Instinct™ feature, we may use third parties to deliver some product feature capabilities. Table 1 details the third party services we use that may collect personal data.
Purpose of processing
Data location and security
Personal data collected by the third party
To collect and analyze information about how website visitors interact with your site. The pages and activities that are tracked are defined solely by your institution. We may also use this data to recognize and stop any misuse
Amazon AWS, USA
To host our microservice, databases and Matomo instance, and to store your campus data.
Amazon AWS, USA
Table 1. Third Party Services and Data Collection
Retention of data
We will retain collected information for a minimum of two years, or if your account is active with the personalization service. We will also retain and use this information as necessary for the purposes set out in this document and to the extent necessary to comply with our legal obligations, resolve disputes, enforce our agreements, and protect our legal rights. We also collect and maintain aggregated, anonymized or pseudonymized information which we may retain indefinitely to protect the safety and security of our site, improve our services or comply with legal obligations.
Modern Campus has taken steps to safeguard the integrity of its data and prevent unauthorized information that is maintained it our computer systems. These measures are designed and intended to prevent the corruption of data, block unknown or unauthorized access to our systems and information, ensure the integrity of information that is transmitted to us, and to provide reasonable protection of private information that is in our possession.
While ensuring network security and consistent services for all users, we employee software programs to do such things as monitor network traffic, identify unauthorized access or access to nonpublic information, detect computer viruses and other software that might damage our computers or network, and monitor and tune the performance of our network.
We use industry-standard software tools to control access to specific applications and services and to protect data that is transmitted electronically to us.
Unauthorized attempts to deny service, upload information, change information, or to attempt to access a non-public site from this service are strictly prohibited and may be punishable by law.
We may update this document from time to time. If we do, we’ll let you know about any material changes, either by notifying you through the Modern Campus support site or by sending you an email.