Privacy Statement – HEM Student Portal (HEM‑SP)
1. Introduction
Higher Education Marketing is committed to protecting the privacy and security of users of the HEM Student Portal (HEM‑SP). HEM‑SP is a digital platform used by educational institutions to collect, manage, and communicate student information through application forms, connected website forms, and landing pages. It also includes a comprehensive student information system and modules for managing courses, programs, classrooms, cohorts, instructors, lessons, attendance, grades, and agencies/agents. Students have access to their own dashboard within the system.
2. Information We Collect
We collect personal data submitted through application forms, website inquiry forms, and landing pages. This data may include student names, email addresses, phone numbers, physical addresses, and academic or institutional affiliations. The system may also store data related to attendance, grades, and program participation.
3. Purpose of Data Collection
We collect and process data to: (i) facilitate the submission and management of student applications; (ii) support communication between students, agents, and educational institutions; (iii) enable institutions to manage student information and academic records; (iv) personalize student experiences within their dashboards; and (v) track the source of inquiries to improve institutional outreach and engagement.
4. Legal Basis for Processing
Our legal bases for processing personal data include: (i) the data subject’s consent, obtained via opt‑in checkboxes on forms and applications; (ii) performance of a contract between the student/agent and the institution; and (iii) the legitimate interests of the institution in managing educational processes and communications.
5. Cookies and Tracking
We may use cookies or similar technologies to track the source of inquiries and enhance the functionality of the portal and associated websites. Users will be informed of such tracking where applicable and provided the option to consent where required.
6. Data Sharing
Personal data is shared only with: (i) authorized staff of the educational institution using HEM‑SP; (ii) agents or agencies associated with student applications; and (iii) trusted service providers involved in hosting and maintaining the system (e.g., AWS). All data sharing complies with applicable data protection laws and contractual safeguards.
7. Security Measures
We take appropriate technical and organizational measures to protect personal data, including encryption in transit and at rest, regular backups, and strict access controls. HEM‑SP is hosted on secure infrastructure provided by Amazon Web Services (AWS).
7A. Integrations with Google and Microsoft
HEM‑SP offers optional integrations with Google APIs (Gmail and Google Calendar) and Microsoft Graph (Outlook Mail and Calendar) to provide email and scheduling features you or your institution enable. We use OAuth 2.0 authorization; HEM‑SP never sees your account passwords.
Google API Services (Gmail & Calendar). HEM‑SP’s use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We use Google data only to provide or improve user‑facing features; we do not sell or transfer Google user data for advertising; and we do not allow human access to the content of Gmail/Calendar data except with your affirmative agreement, for security, to comply with law, or in aggregated form for internal operations.
Microsoft Graph (Outlook Mail & Calendar). We request only the minimum Microsoft Graph permissions required for the features you enable and follow the principle of least privilege.
7B. What We Store, How Long, and Deletion
- Tokens. We store OAuth tokens encrypted at rest to maintain your connection
- Message & calendar content. If you only use send and calendar features, message bodies are processed ephemerally at send time and are not persisted beyond delivery logs. If you enable any mailbox‑reading features, we may store limited email content/metadata (e.g., sync state) to power those features.
- Retention. Unless your institution specifies otherwise, we purge: (i) cached message bodies within 30 days; (ii) event payloads within 90 days after deletion in your mailbox/calendar; and (iii) OAuth tokens within 24 hours after you disconnect. Backup media rotate on a maximum 35‑day cycle.
- Deletion. You or an institutional admin may disconnect at any time; associated data is queued for deletion and completed within 30 days (or faster where required by law).
- Verification. If we request Gmail Restricted scopes (e.g., Gmail Read or Modify) and store/transmit data on servers, Google may require periodic independent security assessments.
7C. Human Access, Sharing, and Ads (Google Data)
We do not sell or transfer Google user data and we do not use Google data for ads, including retargeting or interest‑based advertising. Human access to Gmail/Calendar content does not occur except with your affirmative agreement for support, for security/investigations, to comply with law, or in aggregated form for internal operations.
7D. Your Choices and Revoking Access
- Google. You can revoke HEM‑SP’s access from your Google Account’s third‑party app access settings at any time. After revocation, HEM‑SP cannot access your Google data.
- Microsoft 365. You can review and revoke app permissions in Microsoft’s My Apps portal (Permissions → Revoke). Some organization‑wide, admin‑granted permissions may require an admin to remove.
7E. Subprocessors
We use trusted service providers (e.g., cloud hosting, monitoring). We maintain an up‑to‑date list at /subprocessors and ensure appropriate contractual safeguards.
7F. Children
HEM‑SP is not directed to children under 13. Where institutions authorize use by minors, they must ensure appropriate consent under applicable laws.
7G. Contact for Privacy Questions
See Section 12 (Contact Us) for how to reach us with questions about integrations, data handling, or privacy choices.
8. Data Retention
Data is retained only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations. Institutions may define their own retention timelines. Where this Privacy Statement specifies stricter retention for integration data, those timelines apply.
9. International Data Transfers
If personal data is transferred outside of the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), to protect your information.
10. Your Rights
Under GDPR and other applicable laws, users may have the right to access their personal data, correct or update inaccurate information, request deletion of their data, object to or restrict certain processing, and withdraw consent at any time. To exercise these rights, please contact us at support@higher-education-marketing.com or submit a request through the portal.
11. Changes to This Policy
We may update this Privacy Statement from time to time to reflect changes in our practices or legal requirements. Any updates will be posted on the HEM‑SP login page.
12. Contact Us
If you have any questions about this Privacy Statement or how your data is handled, please contact us at:
             Tel: 514‑312‑3968 | Fax: 514‑312‑8427
Postal Address
             6560 de l’esplanade, suite 204
             Montreal, QC
             Canada, H2V 4L5
HEM Head Office
             6560 de l'esplanade, suite 204
             Montreal, Quebec, H2V 4L5
             Tel. 514‑312‑3968 | Fax: 514‑312‑8427