List of active policies

Name Type User consent
Privacy Policy Privacy policy All users
Terms of Use Site policy All users
Cookie Policy Other policy All users

Summary

How we collect, use, and protect your personal data.

Full policy

1. Who we are

This platform ("AI for Peace", the "Course", the "Platform"), available at aiforpeacecourse.org, is operated jointly by CMI and New York University (NYU). CMI and NYU act as joint controllers of your personal data for the purposes described in this Policy, in accordance with Article 26 of the EU General Data Protection Regulation (GDPR). The allocation of responsibilities between the joint controllers is summarised in Section 12.

For any question about this Policy or your personal data, or to exercise your rights, contact the joint controllers at cmi.helsinki@cmi.fi (CMI) or digital-privacy-group@nyu.edu (NYU). Postal contact details for each controller are available on request.

2. Scope

This Policy explains what personal data we collect when you register for and use the Platform, why we process it, the legal bases we rely on, who we share it with, how long we keep it, and the rights you have. It applies to learners and to any staff or facilitators who hold accounts.

3. What personal data we collect

Data you provide when you create an account and use the Course:

  • Identity and contact data: first name, surname, email address, chosen language/country.
  • Authentication data: a securely hashed password (we never store your password in readable form).
  • Optional profile data you choose to add (e.g., city, description, profile picture).

Data generated through your use of the Course:

  • Learning activity: your submissions, answers, forum and message posts, quiz responses, grades, and course-completion records.
  • AI activity data: the text you enter into the Course's AI-assisted activities (for example the reflection chat and AI review) and the AI-generated responses and assessments produced in reply. See Section 6.

Data collected automatically:

  • Technical and log data: IP address, browser type, device and operating-system information, pages accessed, and timestamps, retained in server logs for security and troubleshooting.
  • Cookies strictly necessary to operate the site — see our separate Cookie Policy.

We do not intentionally collect special categories of data (such as data revealing health, religion, or political opinions). Please do not enter such data into free-text or AI activity fields.

4. Why we process your data and our legal bases

We process your personal data on the following bases:

  • To create and administer your account, deliver the Course, provide AI-assisted learning activities, and issue completion records — on the basis of the performance of our agreement with you (Article 6(1)(b) GDPR) and our legitimate interest in providing the education service (Article 6(1)(f)).
  • To send service emails such as registration confirmation, password reset, and course notifications — on the basis of our agreement with you and our legitimate interests (Articles 6(1)(b) and 6(1)(f)).
  • To keep the Platform secure, prevent abuse, and maintain logs and backups — on the basis of our legitimate interests (Article 6(1)(f)).
  • To comply with legal obligations — Article 6(1)(c).
  • For any optional processing where we ask for it (for example optional communications) — on the basis of your consent (Article 6(1)(a)), which you may withdraw at any time.

Where we rely on legitimate interests, we have balanced those interests against your rights and are satisfied the processing is proportionate. You may object at any time (see Section 9).

5. Recipients and processors

We do not sell your personal data. We share it only with service providers ("processors") who act on our instructions under a data processing agreement, and only as needed to run the Platform:

  • Hosting: Hetzner Online GmbH, Germany (EU) — server hosting and storage.
  • Transactional email: Brevo (Sendinblue SAS), France (EU) — sending Course emails on our behalf.
  • AI activities: Anthropic, PBC, United States — processing the text you submit to AI-assisted activities to generate responses and feedback (see Section 6).

We may also disclose data where required by law, or to establish, exercise, or defend legal claims.

6. AI-assisted activities and automated processing

Some Course activities use artificial intelligence to give you feedback and to support reflection. When you use these activities:

  • The text you enter is sent to Anthropic (Claude) via its API to generate a response or an assessment. Anthropic processes this data as our processor. Under Anthropic's commercial API terms, inputs and outputs are not used to train its models and are retained only for the limited period necessary to provide the service and to meet legal and safety obligations.
  • This involves an international transfer of your data to the United States, protected by Standard Contractual Clauses and supplementary safeguards — see Section 7.
  • The AI provides feedback and suggested assessments only. It does not make decisions that produce legal or similarly significant effects about you without human involvement, and the Course is subject to human oversight. You are therefore not subject to solely-automated decision-making within the meaning of Article 22 GDPR. If you disagree with any AI-generated feedback, you may contact us.

Please avoid entering sensitive personal data, or the personal data of other people, into AI activity fields.

7. International data transfers

Our hosting and email providers process your data within the EU. Our AI provider (Anthropic) processes data in the United States. For that transfer we rely on the European Commission's Standard Contractual Clauses together with appropriate technical and organisational safeguards. You may request further information about this transfer using the contact details in Section 1.

8. How long we keep your data

We keep your account and learning data for as long as your account remains active — that is, until you or we close it, or until you ask us to delete it. Because the Course is designed for long-term learner access, including returning to materials and retaining completion records, we do not automatically delete active accounts on a fixed schedule.

  • You may request deletion of your account and personal data at any time (see Section 9). We action erasure requests without undue delay, subject to any overriding legal retention obligation.
  • Server logs are retained for up to 90 days for security purposes.
  • Backups are retained on a rolling 35-day basis and are then overwritten; data deleted from the live system is purged from backups within that window.

9. Your rights

Under the GDPR you have the right to access your data; to request rectification of inaccurate data; to request erasure ("right to be forgotten"); to restrict or object to processing; to data portability; and, where processing is based on consent, to withdraw that consent at any time without affecting processing carried out beforehand.

You can exercise many of these rights directly in the Platform, under Profile → Preferences → Privacy and policies, where you can submit data export or deletion requests, or by contacting us at cmi.helsinki@cmi.fi (CMI) or digital-privacy-group@nyu.edu (NYU).

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU country of your habitual residence or place of work.

10. Security

We use appropriate technical and organisational measures to protect your data, including encryption of data in transit (HTTPS/TLS), hashed passwords, access controls, a firewalled server, restricted administrative access, and regular backups. No system is completely secure; if a personal data breach occurs that is likely to result in a risk to your rights, we will notify the competent authority and, where required, affected users.

11. Children

The Course is intended for adults aged 18 and over. If you are under the age at which you can consent to online services in your country, please do not register without the involvement of a parent or guardian. If we learn that we have collected data from a child contrary to this Policy, we will delete it.

12. Joint controller arrangement

CMI and NYU have agreed their respective responsibilities for compliance with the GDPR, in particular regarding the exercise of your rights and the provision of information to you. Regardless of this arrangement, you may exercise your rights against, and contact, either controller; requests received at cmi.helsinki@cmi.fi (CMI) or digital-privacy-group@nyu.edu (NYU) will be handled on behalf of both.

13. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified through the Platform, and where a change affects the basis on which we process your data you may be asked to review the updated Policy on your next login.

14. Contact

Questions about this Policy or your data: cmi.helsinki@cmi.fi (CMI) or digital-privacy-group@nyu.edu (NYU).


Summary

The rules for using the learning platform, including acceptable use and your rights.

Full policy

1. Acceptance

These Terms of Use ("Terms") govern your access to and use of the AI for Peace platform at aiforpeacecourse.org (the "Platform"), operated jointly by CMI and New York University (NYU) ("we", "us"). By creating an account or using the Platform, you agree to these Terms and to our Privacy Policy and Cookie Policy. If you do not agree, please do not use the Platform.

2. Eligibility and accounts

  • You must be at least 18 years old, or have the involvement of a parent or guardian where required by local law.
  • You are responsible for the accuracy of your registration details, for keeping your password confidential, and for all activity under your account.
  • Please notify us promptly of any unauthorised use of your account.
  • One person, one account. Do not impersonate others or misrepresent your affiliation.

3. Acceptable use

When using the Platform, including its AI-assisted activities, forums, and messaging, you agree not to:

  • break any applicable law, or infringe the rights of others;
  • upload or post unlawful, harassing, hateful, defamatory, obscene, or otherwise objectionable content;
  • submit malicious code, or attempt to gain unauthorised access to, disrupt, overload, scrape, or reverse-engineer the Platform;
  • attempt to identify other learners from their contributions, or misuse other people's personal data;
  • use the AI activities to generate harmful content, or to enter sensitive personal data or other people's personal data;
  • use the Platform for commercial solicitation or spam.

We may remove content, and suspend or terminate accounts, that breach these Terms.

4. Course content and intellectual property

All Course materials — including text, video, graphics, logos, structure, and software — are owned by or licensed to CMI and/or NYU and are protected by intellectual property laws. They are provided to you for personal, non-commercial educational use only. You may not copy, redistribute, publish, or create derivative works from Course materials except as expressly permitted or as allowed by law. The CMI and NYU names and logos are trademarks of their respective owners and may not be used without permission.

5. Your contributions

  • You retain ownership of the original content you submit, such as your answers, reflections, and forum posts ("Your Content").
  • You grant CMI and NYU a non-exclusive, worldwide, royalty-free licence to host, store, display, and process Your Content solely to operate and improve the Course and to provide the services you request, including sending it to our AI provider to generate feedback as described in the Privacy Policy.
  • You are responsible for Your Content and confirm that you have the right to submit it.

6. AI-assisted activities

The Platform uses AI to provide feedback and support learning. AI-generated output may be inaccurate or incomplete and is not professional advice. Please use your judgement and do not rely on it as a sole source of truth. Details of how AI activity data is processed are set out in the Privacy Policy.

7. Availability and changes

We aim to keep the Platform available but do not guarantee uninterrupted access. We may modify, suspend, or discontinue any part of the Course, and may update these Terms; material changes will be notified through the Platform.

8. Disclaimers

To the fullest extent permitted by law, the Platform and Course content are provided "as is" and "as available", without warranties of any kind, whether express or implied, including warranties of fitness for a particular purpose and non-infringement.

9. Limitation of liability

To the fullest extent permitted by law, and except for liability that cannot be excluded or limited under applicable law (such as liability for death or personal injury caused by negligence, or for fraud), CMI and NYU will not be liable for indirect or consequential loss, loss of data, or loss of profits arising from your use of the Platform.

10. Termination

You may close your account at any time. We may suspend or terminate your access if you breach these Terms or where required by law. Provisions that by their nature should survive termination will continue to apply.

11. Governing law and disputes

These Terms are governed by the applicable law of the joint controllers, without prejudice to any mandatory consumer-protection rights available to you in your country of residence. Nothing in these Terms limits your statutory rights, including, for learners in the EU, the right to bring proceedings in your local courts and to complain to your local data protection authority.

12. Contact

Questions about these Terms: cmi.helsinki@cmi.fi (CMI) or digital-privacy-group@nyu.edu (NYU).


Summary

The cookies we use, why we use them, and how to manage them.

Full policy

1. What cookies are

Cookies are small text files stored on your device when you visit a website. They let the site work correctly and remember certain choices.

2. Cookies we use

The Platform uses only strictly necessary cookies required to operate the service. We list them here for transparency:

  • MoodleSession — an essential, first-party session cookie that maintains your logged-in session as you move between pages. Without it, you cannot stay logged in. It is deleted when you close your browser or log out.
  • MOODLEID1_ — a functional, first-party cookie that remembers your username on the login screen so you do not have to retype it, set only if you choose the "remember username" option. It persists until it expires or you clear your cookies.

We do not use advertising cookies, cross-site tracking, or third-party analytics cookies. Our DNS provider (Cloudflare) operates in DNS-only mode and does not set cookies on your browser for this site.

3. Managing cookies

Because our cookies are essential to the Platform, disabling them in your browser will prevent you from logging in and using the Course. You can control or delete cookies through your browser settings at any time; see your browser's help pages for instructions.

4. Changes

If we introduce new cookies in future — for example, if analytics are added — we will update this Policy and, where required, ask for your consent before any non-essential cookies are set.

5. Contact

Questions about cookies: cmi.helsinki@cmi.fi (CMI) or digital-privacy-group@nyu.edu (NYU).