Privacy Policy


How we collect, use, and protect your personal data.

1. Who we are

This platform ("AI for Peace", the "Course", the "Platform"), available at aiforpeacecourse.org, is operated jointly by CMI and New York University (NYU). CMI and NYU act as joint controllers of your personal data for the purposes described in this Policy, in accordance with Article 26 of the EU General Data Protection Regulation (GDPR). The allocation of responsibilities between the joint controllers is summarised in Section 12.

For any question about this Policy or your personal data, or to exercise your rights, contact the joint controllers at cmi.helsinki@cmi.fi (CMI) or digital-privacy-group@nyu.edu (NYU). Postal contact details for each controller are available on request.

2. Scope

This Policy explains what personal data we collect when you register for and use the Platform, why we process it, the legal bases we rely on, who we share it with, how long we keep it, and the rights you have. It applies to learners and to any staff or facilitators who hold accounts.

3. What personal data we collect

Data you provide when you create an account and use the Course:

  • Identity and contact data: first name, surname, email address, chosen language/country.
  • Authentication data: a securely hashed password (we never store your password in readable form).
  • Optional profile data you choose to add (e.g., city, description, profile picture).

Data generated through your use of the Course:

  • Learning activity: your submissions, answers, forum and message posts, quiz responses, grades, and course-completion records.
  • AI activity data: the text you enter into the Course's AI-assisted activities (for example the reflection chat and AI review) and the AI-generated responses and assessments produced in reply. See Section 6.

Data collected automatically:

  • Technical and log data: IP address, browser type, device and operating-system information, pages accessed, and timestamps, retained in server logs for security and troubleshooting.
  • Cookies strictly necessary to operate the site — see our separate Cookie Policy.

We do not intentionally collect special categories of data (such as data revealing health, religion, or political opinions). Please do not enter such data into free-text or AI activity fields.

4. Why we process your data and our legal bases

We process your personal data on the following bases:

  • To create and administer your account, deliver the Course, provide AI-assisted learning activities, and issue completion records — on the basis of the performance of our agreement with you (Article 6(1)(b) GDPR) and our legitimate interest in providing the education service (Article 6(1)(f)).
  • To send service emails such as registration confirmation, password reset, and course notifications — on the basis of our agreement with you and our legitimate interests (Articles 6(1)(b) and 6(1)(f)).
  • To keep the Platform secure, prevent abuse, and maintain logs and backups — on the basis of our legitimate interests (Article 6(1)(f)).
  • To comply with legal obligations — Article 6(1)(c).
  • For any optional processing where we ask for it (for example optional communications) — on the basis of your consent (Article 6(1)(a)), which you may withdraw at any time.

Where we rely on legitimate interests, we have balanced those interests against your rights and are satisfied the processing is proportionate. You may object at any time (see Section 9).

5. Recipients and processors

We do not sell your personal data. We share it only with service providers ("processors") who act on our instructions under a data processing agreement, and only as needed to run the Platform:

  • Hosting: Hetzner Online GmbH, Germany (EU) — server hosting and storage.
  • Transactional email: Brevo (Sendinblue SAS), France (EU) — sending Course emails on our behalf.
  • AI activities: Anthropic, PBC, United States — processing the text you submit to AI-assisted activities to generate responses and feedback (see Section 6).

We may also disclose data where required by law, or to establish, exercise, or defend legal claims.

6. AI-assisted activities and automated processing

Some Course activities use artificial intelligence to give you feedback and to support reflection. When you use these activities:

  • The text you enter is sent to Anthropic (Claude) via its API to generate a response or an assessment. Anthropic processes this data as our processor. Under Anthropic's commercial API terms, inputs and outputs are not used to train its models and are retained only for the limited period necessary to provide the service and to meet legal and safety obligations.
  • This involves an international transfer of your data to the United States, protected by Standard Contractual Clauses and supplementary safeguards — see Section 7.
  • The AI provides feedback and suggested assessments only. It does not make decisions that produce legal or similarly significant effects about you without human involvement, and the Course is subject to human oversight. You are therefore not subject to solely-automated decision-making within the meaning of Article 22 GDPR. If you disagree with any AI-generated feedback, you may contact us.

Please avoid entering sensitive personal data, or the personal data of other people, into AI activity fields.

7. International data transfers

Our hosting and email providers process your data within the EU. Our AI provider (Anthropic) processes data in the United States. For that transfer we rely on the European Commission's Standard Contractual Clauses together with appropriate technical and organisational safeguards. You may request further information about this transfer using the contact details in Section 1.

8. How long we keep your data

We keep your account and learning data for as long as your account remains active — that is, until you or we close it, or until you ask us to delete it. Because the Course is designed for long-term learner access, including returning to materials and retaining completion records, we do not automatically delete active accounts on a fixed schedule.

  • You may request deletion of your account and personal data at any time (see Section 9). We action erasure requests without undue delay, subject to any overriding legal retention obligation.
  • Server logs are retained for up to 90 days for security purposes.
  • Backups are retained on a rolling 35-day basis and are then overwritten; data deleted from the live system is purged from backups within that window.

9. Your rights

Under the GDPR you have the right to access your data; to request rectification of inaccurate data; to request erasure ("right to be forgotten"); to restrict or object to processing; to data portability; and, where processing is based on consent, to withdraw that consent at any time without affecting processing carried out beforehand.

You can exercise many of these rights directly in the Platform, under Profile → Preferences → Privacy and policies, where you can submit data export or deletion requests, or by contacting us at cmi.helsinki@cmi.fi (CMI) or digital-privacy-group@nyu.edu (NYU).

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU country of your habitual residence or place of work.

10. Security

We use appropriate technical and organisational measures to protect your data, including encryption of data in transit (HTTPS/TLS), hashed passwords, access controls, a firewalled server, restricted administrative access, and regular backups. No system is completely secure; if a personal data breach occurs that is likely to result in a risk to your rights, we will notify the competent authority and, where required, affected users.

11. Children

The Course is intended for adults aged 18 and over. If you are under the age at which you can consent to online services in your country, please do not register without the involvement of a parent or guardian. If we learn that we have collected data from a child contrary to this Policy, we will delete it.

12. Joint controller arrangement

CMI and NYU have agreed their respective responsibilities for compliance with the GDPR, in particular regarding the exercise of your rights and the provision of information to you. Regardless of this arrangement, you may exercise your rights against, and contact, either controller; requests received at cmi.helsinki@cmi.fi (CMI) or digital-privacy-group@nyu.edu (NYU) will be handled on behalf of both.

13. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified through the Platform, and where a change affects the basis on which we process your data you may be asked to review the updated Policy on your next login.

14. Contact

Questions about this Policy or your data: cmi.helsinki@cmi.fi (CMI) or digital-privacy-group@nyu.edu (NYU).