HE Higher Education Ranking — Privacy Policy

Last updated: 09 November 2025

1) Overview

This Privacy Policy explains how HE Higher Education Ranking (“HE Ranking”, “we”, “us”, “our”) collects, uses, shares, stores, and protects personal data when you use heranking.com and our related subdomains (including ranking.heranking.com) and services (collectively, the “Services”).

By using the Services, you acknowledge this Policy. Where required by law, we will collect and process personal data only after obtaining your consent or on another valid legal basis.

2) Who is the data controller?

United States (use if Delaware is your primary home):
HE Higher Education Ranking, Dover, Kent County, Delaware, USA (File No. 10157263) is the data controller for the Services.

Contact (privacy matters): privacy@heranking.com
General inquiries: info@heranking.com

3) Scope

This Policy applies to personal data we collect online via the Sites/Services and offline interactions related to them. It does not cover third-party sites we link to.

4) What personal data we collect

  • Account & contact data: name, email, password hash, affiliation/role, communication preferences.

  • Institutional submissions: contact details of institutional representatives who provide data for rankings/verification.

  • Usage & device data: IP address, device identifiers, browser type/version, pages viewed, timestamps, referrers, approximate geolocation (city/region), log files, and diagnostics.

  • Cookies & similar tech: identifiers necessary for login/session, preferences, analytics, and (if enabled) marketing.

  • Communications: messages you send us (support, corrections, right-to-reply on methodology, etc.).

  • Payment data (if applicable): limited billing details processed by our payment processors (we do not store full card numbers).

5) Sources of data

  • Directly from you (forms, emails, uploads).

  • Automatically via your device/browser (see Cookies).

  • From institutions/partners that submit data for ranking purposes.

  • From service providers (security/anti-abuse, analytics, hosting).

6) How we use personal data (purposes)

  • Provide and secure the Services (authentication, availability, fraud/abuse prevention).

  • Operate rankings workflows (institutional right-to-reply, data verification, audit trail).

  • Communicate with you (service notices, responses, updates).

  • Improve the Services (analytics, quality, methodology evaluation).

  • Comply with law and enforce our Terms of Use.

  • With consent: send optional updates/offers; set non-essential cookies; run surveys.

7) Legal bases (EEA/UK)

Where the GDPR/UK GDPR applies, we rely on:

  • Contract (Art. 6(1)(b)): to provide requested Services.

  • Legitimate interests (Art. 6(1)(f)): service security, fraud prevention, product improvement, methodology transparency; we balance these against your rights.

  • Consent (Art. 6(1)(a)): non-essential cookies/marketing.

  • Legal obligation (Art. 6(1)(c)): respond to lawful requests, keep certain records.

  • Vital/public interests rarely apply; if they do, we will explain.

8) Cookies & similar technologies

We use essential cookies (for login and core functions) and, with your consent, analytics and (if enabled) marketing cookies. You can manage choices anytime via our cookie banner or browser settings. See our Cookie Policy for details (types, durations, and vendors).

9) How we share data

We do not sell personal data. We may share with:

  • Service providers/processors (hosting, security, analytics, email delivery, payments) under contracts requiring confidentiality and GDPR-compliant processing.

  • Affiliates (if any) for service operations consistent with this Policy.

  • Legal/Compliance: if required by law, court order, or to protect rights, safety, or integrity of the Services.

  • Business reorganization: if we merge, acquire, or transfer assets, we’ll ensure protections continue and provide notice where required.

We do not publish personal contact details in rankings. Institutional names and non-personal institutional data may be published as part of results and methodology notes.

10) International data transfers

Your data may be processed in countries outside your own. Where required, we use appropriate safeguards such as:

  • EU/EEA → non-EEA: European Commission Standard Contractual Clauses (SCCs); supplementary measures where needed.

  • UK → non-UK: UK IDTA / UK Addendum to the SCCs.

  • Turkey: transfers comply with KVKK requirements (if Turkey is your controller home).
    You can request a copy of relevant transfer safeguards (redacted) via privacy@heranking.com.

11) Data retention

We keep personal data only as long as necessary for the purposes above, including:

  • Account data: while your account is active + up to 24 months after closure (or longer if legally required).

  • Logs/security records: typically 12–24 months.

  • Institutional submission records/audit trail: typically aligned to ranking cycles (e.g., 3–5 years) for reproducibility and disputes.

  • Legal/financial records: as required by applicable law.

We then delete or irreversibly anonymize data.

12) Security

We implement reasonable administrative, technical, and physical safeguards (e.g., encryption in transit, access controls, least-privilege, monitoring). No system is 100% secure; please use unique strong passwords and enable available security controls.

13) Your rights

Depending on your location, you may have rights to: access, rectify, erase, restrict processing, object, portability, and withdraw consent (where processing is based on consent). You may also lodge a complaint with your supervisory authority.

  • How to submit a request (DSAR): email privacy@heranking.com with “Privacy Request” in the subject. We will verify your identity and respond within the statutory period.

  • Marketing/Cookies: use the unsubscribe link in emails and the cookie banner to change preferences.

EU/UK representative (if applicable): [Insert name, address, email]
DPO (if appointed): [Insert details]

14) California & certain US state notices

For California residents (and where similar state laws apply), you have the rights to know/access, delete, correct, opt-out of “sale” or “sharing” (as defined by CPRA), and limit use of sensitive information (we do not use sensitive personal information for inferring characteristics).

  • We do not sell personal information for monetary consideration.

  • Some analytics/ads cookies could be deemed “sharing” for cross-context behavioral advertising—use the cookie banner to opt out, or email privacy@heranking.com.

  • Authorized agents may submit requests; we will verify authority/identity.

15) Turkey (KVKK) notice (keep if Turkey is your controller home)

If Turkish Law No. 6698 (KVKK) applies, you have rights under Article 11 (learn whether data is processed, request information/rectification/erasure, object, claim damages). Submit requests to privacy@heranking.com per Communiqué on Application Procedures and Principles.

16) Children’s privacy

Our Services are not directed to children. We do not knowingly collect personal data from:

  • Under 13 (US COPPA).

  • Under 16 in the EEA/UK without verifiable parental consent (or the lower age allowed by local law, but not below 13).
    If you believe a child provided data, contact privacy@heranking.com and we will delete it.

17) Automated decision-making

We do not use automated decision-making producing legal or similarly significant effects about individuals. Our rankings concern institutions and are based on stated methodologies and datasets, not on profiling individuals.

18) Do Not Track

We currently do not respond to Do Not Track (DNT) signals. Use our cookie controls to manage tracking.

19) Changes to this Policy

We may update this Policy. We will change the “Last updated” date and, where required, provide additional notice or seek consent.

20) Contact us

Questions, requests, or complaints about privacy: privacy@heranking.com
General: info@heranking.com
Mailing address: [Insert your official mailing address]
If unresolved, you may contact your local data protection authority.