Privacy Policy


This privacy statement describes the ways in which the Harvard University Information Technology (HUIT) authentication system websites (the “Harvard Authentication System Sites,” which include: the HarvardKey authentication service, the HarvardKey Self-Service application, and the XID Self-Service application) gather and use certain types of personally identifiable information (“personal information”), such as a user’s HUID, name, address, email address, telephone number, or date of birth. 

Personal information also includes: (1) data related to past use of the Harvard Authentication System Sites; and (2) identifiers or other information about a user’s Harvard affiliation and status that may be released by Harvard to a third-party service provider to enable the user to access that service with the user’s Harvard Login ID and password.

Information gathering

The web server software for the Harvard Authentication System Sites generates log files of the IP addresses of computers accessing these Sites and the files that they access. These web server logs are retained on a temporary basis and then deleted completely from Harvard’s systems.

HUIT also collects users’ Login IDs and passwords and may ask visitors to Harvard websites to provide information about themselves to verify their identity.  In addition, HUIT may capture identifiers associated with users who access resources protected by Harvard Authentication services.

While HUIT may use cookies to maintain a user's identity between web sessions, the cookies do not contain any personal information.

Use of information

HUIT may use personal information to prove a user’s identity or to match a user’s identity to an existing account in an effort to avoid issuing multiple credentials to the same user. HUIT also may use personal information to send an emergency message to all users or to communicate with users in the case of an information security event.

HUIT may transmit a user’s personal information to other systems that are integrated with the Harvard Authentication service, including certain third-party systems, to enable the user to access a service or resource.

HUIT also reviews users’ IP addresses and the files and resources they access to help diagnose problems with HUIT’s servers and other systems and to administer Harvard’s websites by identifying: (1) which parts of Harvard’s sites are most heavily used; and (2) which portion of Harvard’s online audience comes from within the Harvard network. HUIT also uses this information to tailor site content to user needs, and to generate aggregate statistical reports.

All other personal information that HUIT collects is used to secure users’ access and help users to change passwords or transact other self-service requests.


The Harvard Authentication System Sites have security measures in place to protect the loss, misuse, and alteration of the information under HUIT’s control.

The Harvard Authentication System Sites may contain links to other websites. Harvard is not responsible for the privacy practices or the content of such websites.

Contact information

Please contact with any questions or concerns about this privacy statement or the practices of the Harvard Authentication System Sites.

European Union General Data Protection Regulations

Harvard University’s European Economic Area (“EEA”) privacy disclosures are available here:

Effective Date

This policy is effective as of March 21, 2019.