Privacy Policy

Privacy Policy

Last Updated: June 3, 2026

1. WELCOME 

Institute for Higher Education Policy (“IHEP,” “we,” “us,” or “our”) is a nonpartisan, nonprofit research, policy, and advocacy organization committed to promoting postsecondary access and success for all students. IHEP operates the website located at www.ihep.org and related online services (collectively, the “Site”). This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with the Site and our Services. It also describes rights that may be available under applicable U.S. privacy, data security, consumer protection, and breach-notification laws. 

This Privacy Policy applies to information collected through the Site, our online donation pages, our newsletter sign-up and email communications (including via Constant Contact), contact forms, event registration pages, donor-advised fund (“DAF”) donation portals, survey and research participation, event photography and video, and any other services or platforms that link to this Privacy Policy (collectively, the “Services”). This Privacy Policy does not govern third-party websites that we may link to; those sites have their own privacy practices. 

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy is not intended to, and does not, create any contractual or other legal right in or on behalf of any person. If you do not agree with our practices, please do not use the Services. 

2. INFORMATION WE COLLECT 

2.1 Information You Provide 

Donation Information. When you donate to IHEP through our website or through donor-advised funds, you may provide your name, email address, mailing address, phone number, donation amount, credit or debit card details, and any dedication or tribute information. Donations are processed through third-party payment processors such as PayPal and DAF Direct (including Fidelity Charitable, Schwab Charitable, and BNY Mellon). Credit card information is collected and processed directly by those vendors; IHEP does not store full credit card numbers or complete payment account credentials. 

Newsletter and Contact Forms. When you sign up for our newsletter, request information, or submit inquiries through our contact forms, you may provide your name, email address, phone number, organization, job title, and message content. 

Event Registration and Attendance. When you register for or attend IHEP events, conferences, or webinars, you may provide your name, email address, organization, job title, dietary restrictions, accessibility needs, and other registration details. Some event registration information, such as dietary restrictions or accessibility needs, may reveal sensitive personal information. We use that information only to administer the event, provide requested accommodations, and comply with applicable law. IHEP also reserves the right to photograph or record attendees at events and to use those images or recordings in publications, social media, and other materials. Images will not be identified using full names or other personal identifying information without written approval. Attendees may opt out of photography by notifying privacy@ihep.org within five (5) business days of the event. 

Donor-Advised Fund Forms. The DAF portal may request the sponsoring organization, fund designation, and donation amount in order to process your grant recommendation. 

Survey and Research Data. When participating in IHEP-sponsored surveys, research studies, or program evaluations, you may provide demographic, educational, or professional information. Participation is voluntary, and any information collected will be used in accordance with this Privacy Policy and any supplemental notices provided at the time of collection. Some survey or research responses may include demographic or other information that could be considered sensitive personal information under applicable law. Where appropriate, IHEP may provide supplemental notices, consent language, or research-specific terms at the time of collection. 

2.2 Automatically Collected Information 

When you use our Services, we may automatically collect certain technical and usage information, including: 

  • IP address 
  • browser type and device characteristics 
  • operating system 
  • language preferences 
  • referring URLs and pages visited 
  • date and time of access 
  • device type and approximate location (country or region) 

This information is collected for security, website administration, analytics, and operational purposes. We use Google Analytics to measure web traffic, page popularity, and usage patterns. Google Analytics may set cookies to assist with analysis. Google’s privacy policy is available at www.google.com/policies/privacy/partners. You may set your browser to refuse cookies; however, some parts of the Services may not function properly. 

2.3 Information from Third Parties 

We may receive limited personal information from payment processors (such as confirmation numbers and transaction dates), Constant Contact (newsletter subscription status), and donors’ sponsoring DAF organizations. We may also receive photographs or videos from event photographers and may obtain aggregated, de-identified statistics from analytics providers. 

3. HOW WE USE YOUR INFORMATION 

We use the information we collect for the purposes described in this Privacy Policy, which may include to: 

  • Operate, maintain, and improve our Site and Services, including processing donations, sending receipts and tax acknowledgment letters, responding to inquiries, managing newsletter subscriptions, and administering events 
  • Conduct policy research, develop educational resources, and advocate for equitable postsecondary outcomes 
  • Analyze usage of our Services, measure engagement, improve website performance and content, and evaluate fundraising and outreach efforts 
  • Send newsletters, event announcements, program updates, and fundraising appeals in accordance with your preferences (you may unsubscribe at any time by following the instructions in our emails) 
  • Comply with applicable laws and regulations; protect our rights and those of our donors, partners, and users; detect fraud or misuse; and enforce our policies 
  • Share photos and videos from our events in publications, social media, and outreach materials for program promotion and public engagement 
  • Establish, exercise, or defend legal claims 

4. COOKIES AND TRACKING TECHNOLOGIES 

Cookies are small text files transferred to your computer or mobile device whenever you visit a website. We use them to remember your preferences, enhance your user experience, and understand how people use our Services so we can improve them. Cookies can be session cookies, which expire when you close your web browser, or persistent cookies that remain on your device for a specified period or until you delete them. The main types of cookies we use include: 

  • Strictly Necessary Cookies. These cookies are necessary for the website to function, such as session cookies that remember form selections or maintain security. 
  • Analytics Cookies. Set by Google Analytics and similar tools to collect information about page views, usage patterns, and aggregated statistics. We use this information to improve the Services and do not use analytics cookies for targeted advertising. 
  • Functionality/Preference Cookies. Used by our donation forms and newsletter sign-up pages to remember your selections and ensure secure transactions, and to enhance your user experience by remembering your preferences and settings. 

You can disable the storage of cookies in your browser, restrict them to certain websites, or configure your browser to notify you when a cookie is sent. You can also delete cookies from your device at any time. Please note that doing so may result in limited page display and reduced functionality. To learn more about cookies, including how to see what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org/. 

Do Not Track. Some browsers offer a “Do Not Track” signal or similar privacy control. Because there is not currently a uniform legal or technical standard for recognizing or honoring these signals, IHEP does not currently respond to or change its practices in response to Do Not Track signals. Third-party services used in connection with the Services may respond to such signals differently. 

5. LEGAL BASES FOR PROCESSING 

Where applicable (including for users located in the European Economic Area, United Kingdom, or Switzerland), we process personal data only when we have a lawful basis to do so: 

  • Consent. Where required, we rely on your consent (e.g., for sending marketing emails, using non-essential cookies, and processing photographs of event attendees). You may withdraw consent at any time. 
  • Legitimate Interests. We may process personal data for organizational administration, website improvement, research, fundraising, advocacy, fraud prevention, security monitoring, and analytics purposes, provided those interests are not overridden by your rights. 
  • Performance of Contract. When you make a donation, register for an event, or otherwise engage with us, we process your information as necessary to fulfill those obligations. 
  • Legal Compliance. We process personal data as necessary to comply with accounting, tax, legal, or regulatory obligations. 

6. DISCLOSURE AND SHARING OF INFORMATION 

We do not sell or rent your personal information. We may disclose personal information in accordance with this section, including to: 

  • Service Providers. We may share personal information with service providers that help us operate the Services, such as payment processors (PayPal, DAF Direct), email and newsletter providers (Constant Contact), website hosting providers, analytics providers, IT and cybersecurity vendors, event management platforms, and professional advisors. These service providers are contractually required to use your information solely to provide services to us (and for no other purpose) and to comply with appropriate security measures. 
  • Mission-Aligned Collaborations. We may collaborate with nonprofit, educational, philanthropic, research, policy, or advocacy organizations that share or support IHEP’s mission. In connection with those collaborations, we may disclose limited business contact information or aggregated, de-identified, or publicly available information where appropriate. We do not sell, rent, trade, or exchange donor names, donor contact information, donation history, or other donor personal information with other organizations for their independent fundraising or marketing purposes. If we disclose personal information in connection with a co-sponsored event, joint initiative, research project, or similar collaboration, we will do so consistent with this Privacy Policy and any applicable notice provided at the time of collection. 
  • Legal Requirements. We may disclose your personal information if required to do so by law (including responding to a subpoena or request from law enforcement, court, or government agency) or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect or defend our rights, interests, or property or that of other users, (iii) act in urgent circumstances to protect the personal safety of users of the Services or the public, or (iv) protect against legal liability or potential fraud. 
  • Business Transfers. In the event of a merger, restructuring, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to continued protection consistent with this Privacy Policy. 
  • With Your Consent. We may disclose your information for other purposes with your explicit consent. 

We may disclose aggregated or de-identified information that does not identify individuals for any purpose. 

6.1 No Sale, Sharing, or Donor List Rental 

IHEP does not sell personal information. IHEP also does not share personal information for cross-context behavioral advertising purposes. We have not sold or shared personal information for cross-context behavioral advertising in the preceding twelve (12) months. IHEP does not sell, rent, trade, or exchange donor names, donor contact information, donation history, or other donor personal information with other organizations for their independent fundraising or marketing purposes. 

7. DATA RETENTION 

We retain personal information only for as long as reasonably necessary and proportionate to fulfill the purposes described in this Privacy Policy, including to process donations, maintain tax and accounting records, administer newsletters and events, conduct research and advocacy activities, respond to inquiries, comply with legal obligations, resolve disputes, enforce our policies, and protect our rights and the security of the Services. 

Retention periods vary depending on the type of information, the purpose for which it was collected, applicable legal requirements, and our operational needs. Typical retention criteria include: 

  • Donation records and associated tax receipts: retained for as long as necessary to maintain tax, accounting, audit, and donor records, which may be at least seven (7) years 
  • Newsletter subscription and contact information: retained until you unsubscribe, request deletion, or the information is no longer reasonably necessary for IHEP’s communications and outreach 
  • Event photographs, videos, and media: retained for as long as reasonably useful for archival, historical, promotional, and organizational record-keeping purposes, subject to opt-out requests 
  • Analytics and website usage data: aggregated or anonymized and retained indefinitely in non-identifiable form 
  • Inquiry, correspondence, and contact records: up to three (3) years, or longer if needed for legal, compliance, or operational purposes 

Retention periods may be extended where required by applicable law, contractual obligations, or legitimate business or organizational needs. We periodically review and securely delete or anonymize information that is no longer needed. 

8. SECURITY MEASURES 

We implement appropriate technical, administrative, and organizational measures designed to protect personal information against unauthorized access, loss, misuse, alteration, or disclosure. These measures may include secure website hosting, encryption of donation transactions through our third-party processors, access controls limiting employee access on a need-to-know basis, incident response procedures, and regular evaluation of our security practices. However, no data transmission over the internet or storage system can be guaranteed to be completely secure. We cannot guarantee absolute security. Your credit card information is processed directly by our third-party payment vendors and is not stored by IHEP. 

9. YOUR PRIVACY RIGHTS 

9.1 United States Privacy Rights 

If you are located in the United States, this Privacy Policy explains how we collect, use, and disclose your personal data under the privacy laws of various states, including California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia. Although we may not currently be subject to all U.S. privacy laws given our level of activity, our Privacy Policy describes rights similar to those afforded under these laws. Subject to applicable law and verification of your request, you may have the right to: 

  • Right to Know. Request disclosure of the categories of personal information collected, categories of sources from which personal information is collected, business or commercial purposes for collecting or sharing personal information, categories of third parties to whom we disclose personal information, and specific pieces of personal information we have collected about you. 
  • Right to Delete. Request deletion of personal information we have collected from you, subject to certain exceptions (e.g., completing transactions, detecting security incidents, complying with legal obligations, internal uses reasonably aligned with your expectations). 
  • Right to Correct. Request correction of inaccurate personal information we maintain about you. 
  • Right to Opt Out. Opt out of the sale or sharing of personal information. We do not sell or share personal information. 
  • Right to Limit Use of Sensitive Personal Information. Certain laws provide a right to limit the use or disclosure of sensitive personal information. IHEP does not use sensitive personal information to infer characteristics about individuals or for purposes beyond those permitted by applicable law. We may collect sensitive personal information only where you voluntarily provide it or where it is reasonably necessary for a specific purpose, such as event accessibility accommodations, dietary needs, research participation, demographic analysis, legal compliance, or similar purposes disclosed at the time of collection. 
  • Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA/CPRA rights. 

Authorized Agents. California residents may designate an authorized agent to submit requests on their behalf by providing written authorization to privacy@ihep.org. We may require you to verify your identity directly with us and confirm that you authorized the agent to submit the request. 

9.3 Response Time and Verification 

We will confirm receipt of a privacy rights request within ten (10) business days and respond within forty-five (45) days (extendable by an additional 45 days where permitted by law with notice). We will verify your identity before fulfilling your requests by comparing the information you provide with the information we maintain. 

9.4 EEA, Switzerland, and UK Residents (GDPR/UK GDPR) 

If you are located in countries within the European Economic Area (“EEA”), Switzerland, or the United Kingdom, GDPR and its Swiss and UK counterparts provide you rights with respect to your personal data, subject to any exemptions provided by the law, including: (1) Right to Access your personal data; (2) Right to Correction or deletion of your personal data; (3) Right to Limit Use and processing of your personal data; (4) Right to Data Portability; (5) Right to Withdraw Consent at any time without affecting the lawfulness of processing based on consent before withdrawal; (6) Right to Object to processing based on legitimate interests or for direct marketing purposes; and (7) Right to Lodge a Complaint with your local supervisory authority. To exercise these rights, contact us using the details in Section 15 below. 

10. INTERNATIONAL DATA TRANSFERS 

IHEP is based in Washington, D.C., United States. Sharing of information sometimes involves cross-border data transfers to the United States and other jurisdictions. Your personal data may be subject to privacy laws that are different from those in your country of residence. Where our Services are available to users in the EEA, UK, or Switzerland, and when we transfer their personal data to countries outside of these regions, we do so in accordance with applicable privacy laws, including implementing appropriate contractual, technical, and organizational measures such as Standard Contractual Clauses approved by the EU Commission. 

11. CHILDREN’S PRIVACY 

Our Services are intended for a general audience and are not designed for or meant to be used by children. We do not knowingly collect personal information from children under thirteen (13) years of age without parental permission. If a parent or guardian learns that their child has provided us with information without their consent, they should contact us at privacy@ihep.org as soon as possible. We will delete such information from our records within a reasonable time. For users in the EU/UK, our Services are not intended for children under sixteen (16). We comply with the Children’s Online Privacy Protection Act (“COPPA”) and do not knowingly collect personal information from children under the applicable age. 

12. THIRD-PARTY LINKS AND SERVICES 

Our Services may contain links to third-party websites, apps, and services, including PayPal, DAF Direct, Constant Contact, and social media platforms. This Privacy Policy does not cover the activities of third parties when they collect or use data for their own purposes. We are not responsible for the privacy practices or content of third-party services. We recommend reviewing their privacy policies before sharing your information. 

13. DATA SECURITY INCIDENTS 

If we become aware of a security incident involving personal information, we will investigate and respond in accordance with applicable law. Where required, we will notify affected individuals, regulators, consumer reporting agencies, or other parties within the timeframes and in the manner required by applicable breach-notification laws. 

14. CHANGES TO THIS PRIVACY POLICY 

If IHEP makes material changes to this Privacy Policy, we will notify you by: (i) updating the “Last Updated” date at the top of the Privacy Policy, (ii) sending an email or other communication to affected users where practicable, and/or (iii) adding a notice to the Site. Material changes include new categories of personal information collected, new purposes for processing, new categories of third parties with whom we share information, or substantial changes to your rights. Your continued use of the Services after notice indicates acceptance of the updated policy. 

15. CONTACT INFORMATION 

If you have any questions regarding privacy while using our Services or about our practices, or if you wish to exercise your privacy rights, please contact us via the following: 

For General Inquiries and Privacy Rights Requests: 

Institute for Higher Education Policy 

Attn: Privacy Officer 

1615 L Street, NW, Suite 310 

Washington, DC 20036 

Email: privacy@ihep.org 

Phone: (202) 861-8223 

Event and Media Queries: communications@ihep.org 

To Submit a Privacy Rights Request: 

Email: privacy@ihep.org 

Subject Line: “Privacy Rights Request – [Type of Request]” 

Include: Your name, email address associated with your interactions with IHEP, a description of your request, and your jurisdiction of residence (if applicable).