Privacy Policy

Effective Date: May 1, 2024

Grand Canyon University is located in Phoenix, AZ. The university, a top Christian institution serving both traditional and online students, is committed to protecting our constituents' privacy. This statement is designed to expound upon the necessary collection of data/information that GCU acquires from site visitors and to define how that information is used.

Changes in Privacy Statement

This privacy policy is current as of the effective date set forth above. GCU reserves the right to change this privacy policy at least once every 12 months, remaining consistent with applicable privacy laws and principles.

Family Educational Rights and Privacy Act (FERPA)

Grand Canyon University annually informs students of the Family Educational Rights and Privacy Act (FERPA) of 1974. FERPA affords students certain rights with respect to their education records. Questions concerning FERPA may be referred to the Office of Academic Records.

  • The right to inspect and review educational records within 45 days from the day the university receives a request for access. Students should submit written requests that identify the record(s) they wish to inspect to the Office of Academic Records. The university will make arrangements for access and notify the student of the time and place where the records may be inspected. 
  • The right to request an amendment of education records that the student believes is inaccurate or misleading. Students may ask the university to amend a record that they believe is inaccurate or misleading. They should write the Office of Academic Records and clearly identify the part of the record they want changed and specify why it is inaccurate or misleading. If the university decides not to amend the record as requested by the student, the university will notify the student of the decision and advise the student of his or her right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures will be provided to the student when notified of the right to a hearing. 
  • The right to consent to disclosure of personally identifiable information contained in the student's education records, except to the extent that FERPA authorizes disclosure without consent. One exception that permits disclosure without consent is disclosure to school officials with legitimate educational interests. A school official is a person employed by the university in an administrative, supervisory, academic, research or support staff position (including law enforcement, personnel and health staff); a person or company with whom the university has contracted (such as an attorney, auditor or collection agent); a person serving on the Board of Trustees; or a student serving on an official committee, such as a disciplinary or appeal committee or assisting another school official in performing his or her tasks. A school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility. Upon request, the university discloses education records without consent to officials of another school in which a student seeks or intends to enroll. 
  • The right to file a complaint with the U.S. Department of Education concerning alleged failures by the University to comply with the requirements of FERPA. The name and address of the Office that administers FERPA is: 

    Family Policy Compliance Office 
    U.S. Department of Education 
    400 Maryland Ave., SW 
    Washington, DC, 20202-5920

Grand Canyon University has designated certain information in the education records as directory information for the purposes of FERPA. Students are required to complete a Student Information Release Form (SIRF), submitted to the Office of Academic Records, to control the release of such information with respect to student records. The SIRF authorizes a third party to receive designated records as requested by the student; however, it does not authorize GCU to have discussions about it or any portion of the student’s education record or for the authorized person to take action on the account.

Designated third parties are expected to abide by university policy; the university reserves the right to discontinue communication if the third party fails to follow policy guidelines or otherwise demonstrates an inability to communicate properly with the university or its representatives. The SIRF information is sent out to students annually. It is the responsibility of students to notify the Office of Academic Records if they would like to make any changes to their SIRF information.

Although GCU recognizes some information as directory, GCU's practice is not to release most directory components unless the university determines a need to do so (for example, a police request). Some directory information will be released when it comes to athletes or other student activities, such as theatre productions, regardless of whether a student opts out.

Students wishing to opt out of ALL directory information disclosure must send their request to the following email address: directoryoptout@gcu.edu. If choosing to opt out, students must provide their student ID, and/or reply from their GCU email address.

Prior to opting out of directory information, graduating students’ decision to request non-disclosure should be considered critically since it could affect the ability of GCU to complete employment documentation on behalf of the student, such as institutional recommendations.

  • Student name
  • Student number
  • Address
  • Personal email address
  • Phone number
  • Date and place of birth
  • Hometown
  • Degrees and awards received and dates
  • Dates of attendance (current and past)
  • Full or part-time enrollment status
  • Participation in officially recognized activities or sports
  • Weight and height of members of athletic teams
  • Most recently attended educational institution
  • Major field of study
  • Academic levels
  • Photographs

Reporting an Online Security Incident

This form provides a way to submit feedback on a security flaw, vulnerability or malicious activity from one of our information assets. Please provide specific details such as IP address, URL, user account or any other details that will help us to fully understand the issue. Also, it is very helpful if you provide contact info where we can follow up with questions if we have any difficulty in finding or replicating the issue.

Complete the Incident Report

Information Gathered

We may collect information you volunteer to provide, which may be used to identify your records directly or indirectly. GCU states that it has collected the attributes listed in the table below in the past 12 months.

| Category | Examples | Collected |
| --- | --- | --- |
| A. Identifiers | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number or other similar identifiers | YES |
| B. Commercial information | Records of personal, property, products or services purchased, obtained or considered or other purchasing or consuming histories or tendencies | YES |
| C. Biometric information | Genetic, physiological, behavioral and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, face prints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns and sleep, health or exercise data | YES |
| D. Internet or other similar network activity | Browsing history, search history, information on a consumer’s interaction with a website, application or advertisement | YES |
| E. Geolocation data | Physical location or movements | YES |
| F. Sensory data | Audio, electronic, visual, thermal, olfactory or similar information | NO |
| G. Professional or employment-related information | Current or past job, history or performance evaluations | YES |
| H. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)) | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information or student disciplinary records | YES |
| I. Inferences drawn from other personal information | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes | YES – This is oriented toward Human Resource (HR) use purposes (e.g. complaint cases). |

How We Use Your Information

Some of the information collected may be used for business purposes such as:

  • Operating, maintaining and improving services
  • Analyzing process performance and conducting consumer research
  • Debugging an information system that contains personal records
  • Financial aid evaluation, transcript evaluation, enrollment and other processes outlined in existing GCU enrollment agreements and the student handbook.
  • Marketing services / products to individuals, as applicable
  • Monitoring the security of your data and performing auditing functions to maintain state, federal and international compliance
  • Other business-related functions, per need

GCU may assign you a username and password to permit access to certain sites. PII data will be collected in order to create these unique identifiers. Additionally, credit card or other financial PII may be requested for activities such as: purchases, orders, donations and registrations, which may be handled by a PCI compliant third-party service provider.

PII data may also be collected for those filling out online applications relating to employment. Employment forms may request PII such as: your name, address, telephone number(s), email address, employment history, language fluency, educational history, work experience and other work/skill related PII data. Please note that external job application sites that are not affiliated with the company, and to which GCU may redirect information, may have a different privacy policy in place, which we recommend you review as applicable.

GCU does not sell personal data records and has not done so in the past 12 months. In some cases, GCU may share PII with a contracted entity in order to perform a business purpose.

Alternative to Website Transactions

GCU websites provide access to information and services for constituents that may not have a formal relationship with the university as a student or employee. If you are neither a student nor employee and prefer not to provide any information online, we invite you to cancel the transaction and contact the administrative unit responsible for the service to conduct the business in person, by mail or by telephone. Contact information is found in the “More Information” section of this policy.


Security

GCU is committed to providing secure online environments for our constituents and online visitors. Our websites have standard and advanced security measures in place to protect against the loss of, misuse, unauthorized access, disclosure, alterations and destruction of information we process and control. Although GCU has security controls in place to safeguard against malicious actors, it is important to remain alert when entering GCU-assigned credentials to external sites that are not affiliated with the university.

We recommend ensuring that your device is kept protected with up-to-date antivirus software. GCU does not accept liability for data that is compromised due to the following: (i) utilizing a password that is deemed weak or commonly used; (ii) voluntarily providing credentials to a malicious site; (iii) transmitting information through an insecure channel not provided by GCU or its partner institution (e.g. utilizing an unprotected public network or a compromised personal device). To further protect your data, we regularly educate our employees on standard data protection procedures and new cybersecurity threats/technologies through cybersecurity awareness programs.

If you suspect a security incident may be related to a record handled by GCU, please contact ITSecurity@gcu.edu for a prompt response.

Disclosure and Portability of PII Data

Grand Canyon University may disclose PII data to third parties who are approved vendors dedicated to performing tasks on behalf of GCU, where security obligations are in place to maintain confidentiality, integrity and availability of all the information transmitted. We may also disclose PII in response to legal processes, such as a court order or a subpoena, in response to a law enforcement agency’s request or where we believe it is necessary to investigate, prevent and/or act upon notices regarding suspected illegal activities.

GCU uses Google Analytics to display retargeted ads to our site prospects, on GCU’s behalf, across the internet. Google may collect non-PII data about your visits to our sites and your interaction with our products or services. This anonymous information is collected through the use of a pixel tag. No PII is collected during this process. If you do not want Google to collect this information, you may opt out of their service by visiting: https://tools.google.com/dlpage/gaoptout.

Grand Canyon University's online advertising features include: Acquia Lift, Salesforce Marketing Cloud, Snapchat, Quantcast, Quinstreet, Bing and Yahoo. GCU also uses some or all of the following: Facebook and Twitter cookie tracking, web beacons and similar technologies. These features allow GCU to track impressions on our sites for marketing purposes. If you wish to opt out of these online advertising features, please follow the instructions on the corresponding pages.

Protecting Children’s Privacy

GCU’s services are not oriented towards the use of individuals who are 13 and under. Any personal data records that may be tied to an applicable individual who cannot provide parental consent will have their record deleted promptly as enforced by the Children’s Online Privacy Protection Act of 1998 (Rule 15 U.S.C. §§ 6501–6506). Certain data regulations, such as GDPR, may require an individual who is under 16 to provide parental consent. If this applies to you, please refrain from utilizing our services until parental consent has been provided.

Third-Party Links

While browsing Grand Canyon University sites you may encounter links to webpages not directly affiliated with GCU. External link content is under the control of the site that manages/owns/operates it. GCU recommends you review the privacy policy of those external organizations before proceeding with interacting with site content as processing variables may differ from this policy.

NOTE: We would like to remind you that the voluntary disclosure of PII data on social networks and other similar sites can be collected and used by others. When you leave a GCU controlled site we cannot guarantee the safety of the PII data you disclose to that entity.

Cookies

While browsing Grand Canyon University, cookies may be collected. Cookies are small text files stored by your browser on your device(s) to save certain information or image files. You can change the preferences in your browser(s) and refuse to accept cookies, disable cookies or even remove stored cookies from your computer. Please note that by taking this action, you may affect your browsing experience on sites which rely on cookies to function.

Opt Out

You may make a request to be removed from our mailing lists by sending your name, email address and home address to:

Grand Canyon University Opt-Out
3300 W. Camelback Road
Phoenix, AZ 85017 
 

If you do not wish to receive marketing emails from GCU, please submit a request.

Consent

Voluntarily browsing a Grand Canyon University site indicates your acceptance of the terms and conditions in use. Additionally, you are agreeing to the terms of this Privacy Statement, all non-conflicting principles of the student handbook, employee handbook, faculty handbook, computer use policies and the gcu.edu terms and conditions. If you are in disagreement with consenting, then please discontinue use of GCU sites.

Text Messaging Terms and Conditions

Effective Date: Sept. 24, 2024

Please read these Text Messaging Terms and Conditions (Text Terms) carefully. By enrolling or otherwise agreeing to receive text messages from or on behalf of Grand Canyon University you agree to these Text Terms. 

Opt-In Consent – when you provide opt-in consent to GCU, you expressly agree to receive automated text messages from GCU concerning products, services, offers, promotions, transactions, as well as about GCU’s relationship with you. Message frequency may vary, and normal message and data rates may apply.

Opt-in consent is provided through several mechanisms, including but not limited to: 

  • Entering a telephone number through a website; 
  • Clicking a button on a mobile web page; 
  • Sending a message from your mobile device that contains an advertising keyword; 
  • Initiating a text message exchange in which GCU replies to you with responsive information; 
  • Signing up at a point-of-sale (POS) or other GCU on-site location; or 
  • Opting-in over the phone using Interactive voice response (IVR) technology. 

Consent to receive marketing text messages is not required as a condition of purchasing any goods or services. Once you have opted-in, you will receive a confirmation message before any additional messaging is sent. 

Mobile data collected during the opt-in process for messaging services will not be sold to third parties. Please see “How We Use Your Information” section above. 

Opt-Out Information - You may opt out of receiving text messages at any time by replying STOP, END, CANCEL, UNSUBSCRIBE, or QUIT to any text messages we send, or email privacy@gcu.edu and specify that you want to opt out of text messages. 

HELP Information 

For additional information, text HELP or contact 855-GCU-LOPE. 

Location Services for Mobile Applications 

Our mobile applications include features that may utilize location services and data to enhance the user experience. We collect this type of data for specific purposes, including enabling features such as automated Chapel check in. Location services can be managed in your mobile device settings.

AT&T, Sprint, T-Mobile®, Verizon Wireless, Boost, Cricket, MetroPCS, U.S. Cellular, Virgin Mobile, ACS Wireless, Appalachian Wireless, Bluegrass Cellular, Carolina West Wireless, Cellcom, C-Spire Wireless (formerly Cellsouth), Cellular One of East Central Illinois, Cincinnati Bell Wireless, Cross (dba Sprocket), Duet IP, Element Mobile, EpicTouch, GCI Communications, Golden State, Hawkeye (Chat Mobility), Hawkeye (NW Missouri Cellular), Illinois Valley Cellular, Immix (Keystone Wireless / PC Management), Inland Cellular, iWireless, Mobi PCS (Coral Wireless LLC), Mosaic, MTPCS / Cellular One (Cellone Nation), Nex-Tech Wireless, nTelos, Panhandle Telecommunications, Peoples Wireless, Pioneer, Plateau, Revol Wireless, Rina - Custer, Rina - All West, Rina - Cambridge Telecom Coop, Rina - Eagle Valley Comm, Rina - Farmers Mutual Telephone Co, Rina - Nucla Nutria Telephone Co, Rina - Silver Star, Rina - South Central Comm, Rina - Syringa, Rina - UBET, Rina - Manti, South Canaan / CellularOne of NEPA, Thumb Cellular, Union Wireless, United, Viaero Wireless, West Central Wireless, Leaco, Nemont/Sagebrush.


Use of the GCU Wi-Fi Network for On-Campus Students

GCU's internet network is guarded by a firewall that protects on-campus students from entering sites that may be unsafe, requested to be blocked by management, or deemed not aligned with our Christian values. Sites are selected by category to filter usage. Seven categories are set to make the site unavailable but pressing the "Continue" button allows you through to the site. These site topics include, but are not limited to drugs, illegal activities, gambling and other questionable sites.

There are eight categories that are identified to make sites wholly unavailable, including, but not limited to pornography, cheating websites, malware, key loggers and sites that promote terrorist activities. The Learning Management System and eBooks websites are specifically white-listed to ensure students are always able to access them. If you feel a blocked website should be made available, contact the Office of Residence Life. Your request will be reviewed as soon as possible.

NOTE: The LOPES network, GCU's student intranet, does not authenticate students prior to allowing site access and their web filter's reporting capabilities are limited to big-picture summaries that describe general usage. Reporting on individual students will not be possible. GCU does not proactively monitor usage or sites visited.


Data Access Requests

If you are a European citizen, per GDPR regulations, you have the right to ask us for access to your data in a readable format, rectification or erasure of your information; to refuse to be subjected to automated decision making, including profiling; right to lodge a complaint with a supervisory authority; to restrict processing (pending correction or deletion); to object to communications or direct marketing; and to ask for the transfer of your information electronically to a third party (data portability).

GCU will not discriminate against an individual who wishes to exercise their rights as allowed by applicable data protection regulations. Some of these rights are not automatic. We reserve the right to discuss with you why we might not comply with a request from you to exercise them, depending on the circumstances involved.

A charge is not issued for personal data record requests, unless requests are excessive, in which case a charge may be applied per regulation allowance. For further information please use the contact form, email address and/or phone number found in the “More Information” section of this policy.

GCU employees are also subject to certain data subject rights, such as the right to be informed of the attributes stored within their record as applicable through the rightful authorization of GDPR.

Per GDPR, you always retain the right as an EU data subject to lodge a complaint about our management of your personal information with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF (ico.org.uk).

If you are an EU citizen residing in an EU member state that is subject to GDPR regulation and you wish to request a copy of the data GCU has collected from you or wish to exercise a granted right by GDPR, please contact one of our communication methods listed. If you are a registered student, you may also contact your student services counselor. Your request may take up to 30 days to complete, unless notified with a reasonable delay of up to 90 days.


This Privacy Statement

This privacy statement only applies to information collected on the following sites: gcu.edu, grand-canyon.edu, my.gcu.edu and gcu.edu subdomains. GCU’s Privacy Statement is available on our website and can be found in our University Policy Handbook. A hard copy of this policy may be requested via telephone or mail. Some personal records may be subject to additional laws that are not listed in this policy; GCU will reasonably comply with regulations that are not publicly listed.

More Information

For additional information about this statement or GCU’s privacy practices, please contact:

Grand Canyon University, Legal Department, Building 26
3300 W. Camelback Road
Phoenix, AZ 85017

EMAIL: privacy@gcu.edu
PHONE: 602-639-8288
