Approver(s):
Authorizes Release:
Responsible Area:
Review Cycle:
Last Review:
Related Policies and Additional References:
St. Mary’s University (“St. Mary’s,” “we,” “us,” “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal information obtained through our websites (including subdomains), services, applications, and related communications. By using our sites or services, you agree to this Policy.
This Policy applies to personal information collected from visitors to our public websites (e.g., stmarytx.edu and related subdomains), applicants, students, faculty, staff, alumni, donors, and other third parties who interact with us online or through our services. It does not replace specialized notices (for example, employee privacy notices or HIPAA notices) when applicable.
Information We Collect
Information you provide
- Contact details (name, email, postal address, phone)
- Academic and application information (for applicants/students)
- Employment and payroll information (for employees)
- Payment information submitted to authorized payment processors
- Communications with us (emails, chat transcripts)
- Other information you choose to provide
Information collected automatically
- Technical information (IP address, browser, device, OS, pages viewed, referring URLs)
- Cookies, tracking pixels, and similar technologies (see Cookies, Ad Trackers, and Remarketing)
- Analytics and performance data
- Interaction data captured by session recording or form-saving features (see Cookies, Ad Trackers, and Remarketing)
Tracking and Monitoring Technologies
We use a range of tracking technologies for analytics, accessibility, security, marketing, and student services. These may include, but are not limited to:
- Tracking pixels/web beacons (e.g., Facebook Pixel, TikTok Pixel, Snap Pixel, and similar).
- Session recording/session replay (e.g., Microsoft Clarity, FullStory) to understand user journeys and improve our sites.
- Keystroke / form-saving capture (only where necessary and with safeguards) to preserve form state and improve user experience.
- Chat technologies (chatbots, live chat, Zoom embeds, Botpress) to provide help and schedule services.
Purpose: Improve site usability, security monitoring, fraud detection, analytics, and legitimate institutional operations (admissions outreach, alumni engagement, etc.).
Data collected: Page interactions, clicks, scrolls, timestamps, form fields (including partially entered content), and limited device/browser metadata.
Legal basis/consent: Where required by law, we will obtain user consent prior to placing or reading non-essential cookies or deploying tracking that collects personal data. For visitors in jurisdictions with opt-in requirements (e.g., GDPR for EU/EEA residents), we will require affirmative consent prior to setting those trackers.
Tracker Inventory: A complete list of all pixels, tags, and session-replay scripts by subdomain is maintained in Appendix A and updated regularly.
Cookies, Ad Trackers, and Remarketing
We use cookies and similar technologies to personalize content, provide social media features, and analyze traffic. Cookies are classified as necessary (required for site functionality), performance, functional, or advertising/marketing.
- Third-party cookies and ad trackers: We use third-party services (e.g., google-analytics.com, doubleclick.net, facebook.com, tiktok.com) for analytics and advertising purposes, including remarketing and cross-site behavioral advertising.
- Do Not Sell or Share/CPRA: If you are a California resident, you may exercise your right to opt out of the sale or sharing of your personal information by using the “Do Not Sell or Share My Personal Information” link on our homepage (https://www.stmarytx.edu/do-not-sell).
How to manage cookies: Our cookie/consent management tool allows you to accept or decline our cookies. You may also set browser-level preferences (note: blocking certain cookies may affect functionality).
Session Recording, Keystroke Capture, and Chat — Special Notice
Some of our sites may use session recording and keystroke preservation to help troubleshoot forms or to improve user experience. We do not use these mechanisms to capture sensitive fields (e.g., full payment card numbers, complete social security numbers, or protected health information), and we will endeavor to mask fields that may contain such data.
When session recording or keystroke capture is active on a page that could collect PHI or other highly sensitive data, that functionality will be disabled or opt-in will be required.
Third-Party Sharing and Disclosures
We may share personal data with vendors and service providers (e.g., analytics, cloud hosting, payment processors), academic partners, government/regulatory bodies when required, and other parties consistent with the purposes described here.
- Third-party links and embedded content: Our sites may contain links or embedded content (maps, videos, social widgets) that are controlled by third parties. We are not responsible for third-party privacy practices.
- Vendor contracts: Where required by law (e.g., California, Colorado, Virginia), we require vendors to adhere to privacy obligations consistent with this Policy.
Sensitive Data and Special Categories
We avoid collecting sensitive personal information (e.g., biometric data, genetic data, precise geolocation, health/medical information) via public websites. If we must collect such data for a legitimate business purpose, we will:
- Disclose the collection and the reason for it,
- Obtain affirmative opt-in consent where required by law, and
- Put appropriate safeguards in place (data minimization, retention limits, encryption).
HIPAA / Health Data: If you provide health or medical information in contexts where HIPAA applies (covered entity or business associate), separate Notices of Privacy Practices and BAA agreements will apply.
Children’s Privacy
Our services are not targeted at children under 13. If we discover that a child under 13 has provided personal information without parental consent, we will take reasonable steps to delete such data. If any of our programs or offerings are aimed at children, we will provide specific notices and obtain parental consent consistent with COPPA or applicable local law.
User Rights and Choices
Depending on where you live, you may have the right to access, correct, delete, restrict, or port your personal information. Examples include rights under the GDPR, CPRA, and other state laws.
- California residents: Rights to access, delete, correct, opt-out of sale/sharing (Do Not Sell or Share), and nondiscrimination for exercising rights.
- GPC and DNT: We will recognize Global Privacy Control (GPC) signals where legally required and will describe how users can exercise choice via our privacy controls. Do Not Track (DNT) signals are honored in accordance with applicable law.
How to exercise rights: See Contact and Exercising Rights below for contact details and instructions. We will verify requests consistent with applicable laws.
Data Retention
We retain personal information only as long as necessary for the purposes described and to satisfy legal, accounting, or reporting requirements. We maintain retention categories (e.g., admissions records, alumni data, web analytics) and approximate retention periods as outlined in Appendix B.
Data Transfers and Residency
Personal information may be processed in the United States and other countries. Where international transfers occur, we will adopt appropriate safeguards (e.g., Standard Contractual Clauses, contractual protections). If you are an EU/EEA resident, we will provide mechanisms to exercise GDPR rights and information about data transfers.
Security
We maintain administrative, technical, and physical safeguards designed to protect personal information. While we use industry-standard controls (encryption in transit and at rest where appropriate, access controls), no system is completely secure. We will notify affected parties and regulators as required by law in the event of a breach.
AI, ML, and Automated Decision-Making
If we use artificial intelligence, machine learning, or automated decision tools that process personal information, we will disclose the purposes and the categories of data used. We commit to fairness, regular audits, and safeguards (anonymization and pseudonymization) where feasible.
Changes to This Policy
We may periodically update this Policy. If changes are substantial, we will provide notice on the website and adjust the effective date at the top of this document accordingly.
Contact and Exercising Rights
For privacy inquiries or to exercise your rights with respect to our privacy practices or this Policy, or to update your information, contact us:
Email: privacy@stmarytx.edu
Mail:
St. Mary’s University
Office of University Marketing and Communications, Box 75
One Camino Santa Maria
San Antonio, TX 78228
California Residents: To submit requests related to the CPRA, use our Do Not Sell or Share link or email privacy@stmarytx.edu with subject line: CA PRIVACY REQUEST.
Appendix A — Known tracking and third-party technologies
The following is a current inventory of tracking technologies, pixels, tags, and third-party scripts deployed across St. Mary’s University web properties. This list is updated regularly and reconciled with our tag management system.
| Technology/Vendor | Domain(s) | Purpose | Data Retention | Vendor Privacy Policy |
| --- | --- | --- | --- | --- |
| Google Analytics | google-analytics.com, googletagmanager.com | Analytics, performance monitoring | 26 months (adjustable) | Link |
| DoubleClick | doubleclick.net | Advertising, remarketing | Varies | Link |
| Facebook Pixel | facebook.com, facebook.net | Analytics, advertising, remarketing | Varies | Link |
| Reddit Pixel | reddit.com | Analytics, advertising, remarketing | Varies | Link |
| TikTok Pixel | tiktok.com | Analytics, advertising | Varies | Link |
| Snap Pixel | snapchat.com | Analytics, advertising | Varies | Link |
| AppNexus | appnexustech.com | Analytics, remarketing | Varies | Link |
| Monsido | monsido.com | Accessibility monitoring | Varies | Link |
| Hotjar | hotjar.com | Session recording, heatmaps | 365 days | Link |
| FullStory | fullstory.com | Session recording, UX analysis | Varies | Link |
| Microsoft Clarity | clarity.ms | Session replay, analytics | 90 days | Link |
| Pendo | pendo.io | Product analytics | Varies | Link |
| Botpress | botpress.com | Chatbot | Varies | Link |
| Zoom | zoom.us | Embedded meeting links | Varies | Link |
| Gravity Forms | gravityforms.com | Manage Forms | Varies | Link |
| Swiftype | swiftype.com | Site Search | Varies | Link |
Appendix B — Data Retention Schedule
St. Mary’s University maintains the following general retention periods for personal information collected through our websites and services:
| Data Category | Description | Retention Period | Legal/Regulatory Basis |
| --- | --- | --- | --- |
| Admissions Records | Applications, test scores, supporting documents | 7 years after decision | FERPA, institutional policy |
| Student Records | Academic records, enrollment data | Permanent (transcripts); 5 years after graduation (other records) | FERPA, accreditation requirements |
| Alumni Engagement Data | Contact information, giving history, event participation | Indefinite with opt-out capability | Legitimate institutional interest |
| Web Analytics | Page views, session data, anonymized user behavior | 26 months (adjustable per tool) | Data minimization |
| Marketing Lists | Email addresses, contact preferences | Until opt-out or 3 years of inactivity | CAN-SPAM, institutional policy |
| Employee Records | HR data, payroll, benefits | 7 years after separation | IRS, state employment law |
| Donor Records | Contribution history, contact information | 7 years (financial); indefinite (recognition) | IRS, institutional policy |
| Support/Help Desk Tickets | Chat logs, email correspondence | 3 years | Customer service, legal holds |
| Cookie/Tracker Data | Behavioral data from advertising pixels | 12-26 months depending on vendor | GDPR, CPRA |
| Security Logs | Access logs, authentication attempts | 90 days to 1 year | Cybersecurity policy |
Note: Retention periods may be extended for legal holds, litigation, investigations, or regulatory inquiries. Individuals may request early deletion of their data subject to legal and operational constraints.
This schedule is reviewed annually by the Data Governance Committee.
Definitions
Regulatory and Legal Acronyms
BAA (Business Associate Agreement)
A written agreement between a HIPAA covered entity and a business associate that ensures the protection of Protected Health Information (PHI).
BIPA (Biometric Information Privacy Act)
Illinois state law regulating the collection, use, and storage of biometric identifiers and biometric information.
COPPA (Children’s Online Privacy Protection Act)
Federal law protecting the privacy of children under 13 by requiring parental consent for collection of personal information from minors.
CPRA (California Privacy Rights Act)
California’s comprehensive consumer privacy law, amending and expanding the CCPA, effective January 1, 2023.
EU/EEA (European Union/European Economic Area)
The 27 member states of the European Union plus Iceland, Liechtenstein, and Norway, where GDPR applies.
FERPA (Family Educational Rights and Privacy Act)
Federal law protecting the privacy of student education records.
GDPR (General Data Protection Regulation)
European Union regulation governing data protection and privacy for individuals within the EU/EEA.
GINA (Genetic Information Nondiscrimination Act)
Federal law prohibiting discrimination based on genetic information in health insurance and employment.
GIPA (Genetic Information Privacy Act)
State-level laws regulating the collection and use of genetic information.
HIPAA (Health Insurance Portability and Accountability Act)
Federal law establishing privacy and security standards for Protected Health Information in healthcare contexts.
SCCs (Standard Contractual Clauses)
EU-approved contractual terms for lawful international data transfers outside the EU/EEA.
Technical Acronyms
CMP (Consent Management Platform)
A system or tool (e.g., OneTrust, Osano) that manages user consent for cookies, trackers, and other data collection practices.
DNT (Do Not Track)
A web browser setting that requests websites not track the user’s browsing activity.
GPC (Global Privacy Control)
A web browser signal that communicates a user’s privacy preferences (such as opting out of data sharing). Businesses are required to honor this in certain jurisdictions.
GTM (Google Tag Manager)
Google’s tag management system that allows organizations to manage and deploy marketing tags (snippets of code or tracking pixels) on their websites.
PHI (Protected Health Information)
Individually identifiable health information transmitted or maintained in any form or medium by a HIPAA covered entity or business associate.
UX (User Experience)
The overall experience a person has when interacting with a website, application, or digital service, encompassing usability, design, and functionality.
Key Privacy Terms
AI (Artificial Intelligence) and ML (Machine Learning)
Technologies that use algorithms to analyze data, make predictions, or automate decisions. If trained on personal information, transparency and fairness obligations apply.
Anonymization
The process of removing or altering personal information so that individuals can no longer be identified, either directly or indirectly. Anonymized data is no longer considered personal information under most privacy laws.
Biometric Information
Data based on unique biological traits (e.g., fingerprints, facial recognition, voice patterns) used to identify an individual. Protected by laws like Illinois BIPA.
Chat Technologies
Embedded live chat or chatbot tools (e.g., Zoom integrations, Botpress) that allow real-time communication. Conversations may be logged or shared with third-party providers.
Consumer Health Data
Information relating to an individual’s health status or health-related behavior. May be subject to the Washington My Health My Data Act and similar state laws.
Cookies
Small text files stored on a user’s browser to remember preferences, support website functionality, and track browsing behavior. Includes first-party cookies (set by stmarytx.edu) and third-party cookies (set by external services such as analytics or advertisers).
Covered Entity
Under HIPAA, a health plan, healthcare clearinghouse, or healthcare provider that transmits health information in electronic form.
Business Associate
Under HIPAA, a person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve access to Protected Health Information.
Cross-Site Behavioral Advertising
The practice of tracking users across multiple websites to deliver targeted advertisements based on their browsing history and behavior.
Data Minimization
A privacy principle requiring that only the minimum amount of personal data necessary for a specific purpose be collected and processed.
Data Residency and Transfers
Rules and practices regarding where data is stored and whether it is transferred internationally. Includes safeguards like Standard Contractual Clauses (SCCs).
Data Retention
The period of time for which the University stores personal information before deletion or anonymization.
Do Not Sell or Share My Personal Information
A user right, particularly under California’s CPRA, requiring organizations to provide a clear opt-out mechanism for selling or sharing personal data with third parties.
Genetic Information
Data derived from an individual’s DNA or genetic testing, regulated by GINA and state privacy laws (e.g., GIPA).
Keystroke Capture (Form Preservation)
Technology that can capture text as it is entered into online forms to improve functionality or prevent data loss. Sensitive fields (like SSNs or payment details) are excluded.
Non-Discrimination
The legal requirement that organizations may not deny goods or services, charge different prices, or provide a different level of quality to consumers who exercise their privacy rights.
Personal Information
Any information that identifies, relates to, describes, or could reasonably be linked with an individual, including names, contact details, account information, and digital identifiers.
Pseudonymization
The processing of personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information, which is kept separately and subject to technical and organizational measures.
Remarketing (Retargeting)
The practice of using analytics and cookie data to display targeted ads to users as they browse other websites.
Sensitive Personal Information
Special categories of personal data that may include: Social Security numbers, financial information, biometric data, genetic data, precise geolocation, or Protected Health Information (PHI).
Session Recording (Session Replay)
Technology that records user interactions on a website (mouse clicks, scrolling, navigation) to understand user experience. May also include form interactions.
Third-Party Cookies and Ad Trackers
Cookies or scripts placed by third parties that collect user behavior for analytics, targeted advertising, or cross-site remarketing.
Tracking Pixel (Web Beacon)
A small, often invisible, image or code snippet embedded in a webpage or email used to track user activity, measure engagement, and support remarketing campaigns.