CMMI Institute

CMMI Institute Privacy Policy

Welcome to the CMMI Institute's Privacy Notice

Effective Date: 04/01/2019


This page explains how we collect, use, share, and protect information about visitors or registered users on, from or through the Platform and the choices that visitors and registered users have about the collection and use of certain information about them.

The CMMI Institute LLC. (“CMMI Institute”, “CMMI”, “we”, “our”, or “us”) operates the site and subsites located at and its subdomains (collectively “Site”) and provides the content (including email and electronic communications) and services (collectively “Services”) offered on or through the Site. “Platform” means the “Site” and/or “Service”.


This Privacy Notice applies solely to information that we collect from visitors and registered users through the Platform or through electronic communications that we receive at the address indicated in section “Contact Us”.

A “visitor” is an individual who visits the Platform without having registered. We do not know the identity of the individual. A “registered user” is an individual who has registered with the Platform, and whose identity can be determined directly or indirectly from the information provided. For the purpose of this Privacy Notice “you” means a visitor or a registered user; and a “visitor” includes a “registered user”.

This Privacy Notice does not apply to the websites of third parties to which the Platform may link. CMMI does not endorse, and is not responsible for the content of these websites, their policies or practices, or any product or service that they may offer. Any activity you perform on these third-party websites will be subject to the privacy policies and other terms and conditions of these third parties. We recommend that you review these third-party terms before providing any personal information to them.

How to Contact Us

If you have any questions about this Privacy Notice, please contact us by email at

Data Protection Contacts

EU Representative:
Dr. Volker Wodianka, LL.M. (IT&T)
SCHLUTIUS Data Privacy & Compliance GmbH
Ferdinandstraße 3
20095 Hamburg, Germany
T: +
M: +

CMMI Institute Contact:
Todd Sant

CMMI Institute
11 Stanwix Street, Suite 1150
Pittsburgh, PA 15222, USA


  • Consent

    By using the Platform, you signify your agreement to the terms of this Privacy Notice. Please ensure that you read this Privacy Notice carefully.

    We may modify this Privacy Notice from time to time. We will notify you of material changes to this Privacy Notice by posting the amended terms in accordance with applicable laws. If you do not agree with the proposed changes, you should discontinue your use of the Platform before the new Privacy Notice takes effect. If you continue using our Platform after the new terms take effect, you will be bound by the modified Privacy Notice.

  • How does the CMMI Institute collect visitor and registered user information?

    We (and our service providers) collect information in a variety of ways, such as through the methods identified below:

    • From the visitor’s browser, such as the screen resolution, operating system name and version, device manufacturer and model, language, or browser type and version.

    • Through a visitor’s activities offline, for example when a visitor responds to a newsletter or interacts with us by telephone.

    • Through the visitor’s activities online when using the Service – for example, taking a course, filling out an online form, or responding to a quiz.

    • Through a visitor’s social media account if it is connected to the visitor’s account on our Platform.

    • Through cookies and other technologies that help analyze how our Platform is used, measure and track general visitor activities, including on third party websites, and compile statistical reports.

  • What information does the CMMI Institute collect?

    We collect information from visitors when they interact with the Platform. This includes, for example, the following:

    Information We Collect Automatically

    When a visitor uses or interacts with our Platform, the visitor’s browser automatically provides, and we automatically collect and store, certain information about the visitor’s device (computer, tablet, smart phone) and the visitor’s activities. This includes, for example:

    • Preferences and settings: time zone, language, and character size;

    • Identifiers: IP address; mobile device advertising identifier, Media Access Control (MAC) address;

    • Technical information: type of device, operating system name and version, device manufacturer, browser information (type, version), screen resolution;

    • Connection: Internet service provider or mobile carrier’s name, connection speed and connection type;

    • Information about use of the Platform: date stamp, URL of the last webpage visited before visiting our Platform, and URL of the first page visited after leaving our Platform, pages viewed, time spent on a page, click through, clickstream data, queries made, search results selected, comments made, search history, type of service requested, purchases made;

    • Information collected through cookies, pixel tags, and other technologies; and

    • General geographic location.

    Communications and Interaction

    When a visitor registers to have access to the Platform (thereby becoming a “registered user”), when we send a communication to a visitor, or when the visitor accesses, responds to, or declines to open a communication from us, completes a form to communicate with us, or contacts us, we collect and store certain information about the visitor, the visitor’s device (computer, tablet, smart phone) and the visitor’s activities, such as:

    • The visitor’s name, login ID or pseudonym and contact information (if provided);

    • Information that the visitor provides or comments that the visitor makes;

    • The nature of the communication;

    • The purpose of the interaction, and the action we took in response to the visitor’s inquiry or request;

    • Whether the visitor opened our communication or ignored it;

    • Any action the visitor takes upon receipt of such communication.

    Conference Registrations, Certifications, Content Downloads and Training Courses

    When a visitor registers for a course, conference, or certification or downloads content, we collect information about the visitor through our sign-up form. When a visitor provides his/her information during a transaction, we keep track of that information, and may contact the visitor about next steps in the visitor’s interaction with CMMI. In this case, we may collect: first and last name, title, street address, email address, telephone number, job title, and company name, address, and phone number. In some cases, we may collect additional information, for example: password, security questions and answers, date of birth, birthplace, gender, residence status, college/higher education transcripts, passport or national id number.

    Social Media

    Our Platform includes social media features that may be managed by us or by third parties. These features may collect a visitor’s IP address and which pages the visitor is visiting, and may set a cookie to enable the feature to function properly. A visitor’s interactions with these features are governed by the privacy policy of the company providing the feature.

    Information We Obtain from Third Parties

    We may obtain information from third parties, such as third parties with whom we do business, such as strategic business partners, service providers, public databases, or social media services to which CMMI Institute might be linked.

  • How does the CMMI Institute use the information they collect?

    In addition to some of the specific uses of information that are described in this Privacy Notice, we may use the information that we have collected or received to:

    • Send administrative information to the visitor;

    • Remember the visitor’s preferences, such as language or font size, when using our Platform;

    • Remember the visitor’s interests;

    • Administer our Platform, diagnose technical problems, and otherwise manage our business;

    • Facilitate the visitor’s use of the Platform;

    • Allow the visitor to navigate or browse through our Platform quickly and efficiently;

    • Personalize the visitor’s experience by presenting content that is tailored to that specific visitor based on what we know about that visitor;

    • Keep records of contact information and correspondence;

    • Send marketing information;

    • Communicate with the visitor about our activities;

    • Send invitations to events that may be of interest to the visitor in accordance with the visitor’s preferences or apparent interests;

    • Facilitate social sharing functionality, such as sharing content, through social media networks;

    • Allow the visitor to share content with a friend through the Platform; by using this feature, you guarantee that you have the right to use and provide us the names and email addresses you submit.

    • Improve, test, and monitor the effectiveness of the Platform;

    • Develop features for the Platform that may be of interest to our visitors;

    • Optimize our marketing efforts, for example by compiling statistics regarding the use of the Platform, identifying usage trends, or measuring the effectiveness of our promotional campaigns;

    • Perform data analysis, audits, security and fraud monitoring and prevention;

    • Enhance, improve, or modify our Platform; identify usage trends;

    • Help diagnose server problems, and detect spam behavior, denial of service attacks or similar incidents.

  • How does the CMMI Institute share the information they collect?

    Some of the technologies used on our Platform are managed by third parties. The practices of some of these third parties are subject to the third parties’ privacy policies over which we may have no control. We encourage visitors to read their privacy policies. Third parties who may have access to information may include:

    Service Providers

    We share information with our suppliers, subcontractors, and other third parties who provide services to us (collectively “service providers”) in connection with advertising, hosting, data analytics, information technology and infrastructure, email delivery, auditing, and other related activities. Our service providers are given only the information they need to perform their designated functions and are prohibited from using information provided by CMMI for their own purposes.

    Affiliates, Partners and Sponsors

    Some of our content is offered or promoted in conjunction with an affiliate, partner or sponsor. We may share visitor information with these parties. These affiliates, partners and sponsors will use the shared information in accordance with their own privacy policies.

    Social Media

    The Platform may include links to third party websites and social media services where a visitor is able to post comments, reviews or other information. Please note that any information that is posted or disclosed through these social media services may be available to us, or to other visitors of that service or the public. We recommend caution when using these features.

    Responding to legal requests and preventing harm

    We may disclose information about a visitor in response to a facially valid request from a government agency or a private litigant in the form of a subpoena, court order or search warrant, or where we believe, in good faith, that it is necessary to do so for the purposes of a civil action, criminal investigation, and other legal matter.

    Change of Control

    We may disclose and provide information about our visitors to a third-party in the event of reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of any of our business, assets, or stock, including in connection with bankruptcy or similar proceedings.

    Aggregated, Anonymized, or Statistical Information

    We generate and use aggregated, anonymized, or statistical information about the use of our Platform. We may provide this information to third parties such as advisers or consultants for research, analytical or strategic purposes. This information is not intended to allow the identification of any specific visitor of our Platform.

  • How does the CMMI Institute use cookies and other tracking technologies?

    We use cookies, beacons, pixels, tags, statistical IDs, flash cookies, and similar tracking technologies to collect information about the activities of our visitors and registered users over time and across different Sites, such as the pages a visitor views, the links on which a visitor clicks, how frequently a visitor accesses the Platform, and other actions a visitor takes. We also collect log file information from a visitor’s browser such as web request, IP address, browser type, referring / exit pages and URLs, and landing pages. We may use statistical modeling tools to attempt to recognize visitors across multiple devices.

    We may retain the services of third party service providers who may link personal information about a visitor – such as name or email address – to other information they may have – for example, past purchases. This information may allow us to identify assumed interests or preferences of that visitor, so that we can provide a visitor with more useful and relevant ads.

    We use these technologies to:

    • Display information more effectively;

    • Gather statistical information about the use of the Platform to understand how our Platform is used, and improve design and functionality;

    • Store, on a visitor’s device, information about that visitor’s preferences and settings;

    • Recognize a visitor when the visitor moves from page to page, or returns to use the Platform;

    • Collect information such as browser type, time spent on the Platform, pages visited, and traffic data;

    • Track responses to our marketing and advertising campaigns; and for security purposes.

    We also use these technologies to understand the activities and interests of our visitors, including to:

    • Measure traffic and usage of our Platform

    • Monitor the effectiveness of our Platform

    • Better understand the interests of visitors

    • Recognize new or past visitors to our Sites

    • Present more personalized content and advertisements

    • Optimize a visitor’s shopping experience

    • Identify visitors across devices, and third party websites.

    • Identify improvements or enhancements to our Platform that might be of interest to our visitors

    How to block Cookies

    You have the ability to control some of our use of cookies. How you do so depends on the type of cookie. You may be able to configure certain browsers to delete or disable browser cookies. Most browsers contain information on how to control or delete cookies. These settings will typically be found in the “options” or “preferences” menu of a browser. You may also wish to refer to and for information on commonly used browsers.

    To control flash cookies, you can visit the Macromedia help center.

    Please note that blocking or disabling certain cookies may interfere with certain functionalities of some parts of our Platform. Choices you make about cookies are also browser and device specific. Further, while disabling a cookie may prevent the collection of information in the future, it does not prevent the use of information collected before the cookie was disabled. If you block or delete cookies, not all of the tracking described in this notice will stop.

    View our cookie policy here.

  • How does the CMMI Institute use Google Analytics?

    Information collected by Google Analytics is transmitted to, and stored by, Google in accordance with its privacy practices. To see an overview of privacy at Google and how this applies to Google Analytics, please click here:

    To opt out of Google Analytics, please go to

  • How does the CMMI Institute use Internet Based Advertising?

    We may – or may have third parties, on our behalf - display to a visitor interest-based advertising and other custom content regarding our capabilities, products or services that may be of interest to visitors. This advertising may be served to a visitor on our Platform, or in our emails or on third-party sites or may be placed on other websites. It may be based on assumed interests attributed to a specific visitor, based on the use of our Platform by that visitor, or use information gathered about that visitor over time across multiple sites. They may be based on other interactions you have with us or our Platform. They may be based on other activities and behaviors that you demonstrate online.

    The information collected about a user’s use of our Platform, or across the Internet, the products in which the user appears to be interested, etc., may be used to build an assumed profile of a particular person. To do so, our service provider may place or recognize a unique cookie on the user’s browser and use other techniques, such as pixel tags. If you are using one of our mobile applications, our ad network partners may use and store your mobile device ID or Advertising ID to show ads that they consider relevant to you.

    How to Opt-out of Interest Based Advertising

    You may opt-out of receiving interest based advertising as explained below. The opt-out may be provided through specific tracking opt-out cookies. Please note that if you get a new computer, install a new browser, or erase or alter your browser’s cookie file (including upgrading certain browsers), this may also clear any opt-out cookie.

    Each visitor may opt out of receiving interest based advertising from advertising networks that may be delivered to them on other websites by visiting the following websites, please visit or

    Mobile device visitors may also download the AppChoices app at to opt out from interest based advertising served in mobile apps.

    The features above will allow a visitor to opt out of many – but not all – of the interest-based advertising activities in which we or third parties engage.

    Do Not Track

    Some browsers give individuals the ability to communicate that they wish not to be tracked while browsing on the Internet. The Internet industry has not yet agreed on a definition of what “Do Not Track” means, how compliance with “Do Not Track” would be measured or evaluated, or a common approach to responding to a “Do Not Track” signal. Consequently, due to the lack of guidance, we have not yet developed features that would recognize or respond to browser-initiated Do Not Track signals in response to California law.

  • Links to Third-Party Sites or Applications

    The Platform may allow you to directly access applications or services operated by third parties. These links are provided for your convenience only and should be used at your discretion. These links do not constitute sponsorship, endorsement, or approval of the content, policies or practices of such third-parties’ applications.

    This Privacy Notice does not apply to information provided to or gathered by the third parties that operate them. We are not responsible for any information these third-parties’ services may obtain or how they may use it. You should review their privacy notices to understand how they may use your information.

  • Data Retention

    Your personal data is stored by the CMMI Institute on its servers, and on the servers of the database management services the CMMI Institute engages, located in the United States. The CMMI Institute retains data for the duration of the customer’s or registered user’s business relationship with the CMMI Institute and otherwise as required under applicable law. Personal data will be kept for no longer than is necessary for the purposes for which your personal data are processed. We will retain your personal data as long as you are a CMMI Institute registered user or require our services so that we can provide these services to you.

    If you are located in the European Economic Area, at the moment you withdraw your consent for the processing of your personal information, all your personal data received and stored are erased if no longer needed by us, unless we are required to retain this personal data by law or to comply with our regulatory obligations. In such a case, we will only keep this personal data for as long as necessary. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact us at or you may submit a Data Subject Access Request (DSAR) here.

  • Right to Erasure

    Individuals can submit a request to the CMMI Institute to have information about them deleted from the CMMI servers. CMMI will exercise its best effort to purge personal information from written and digital data archives for that individual within one hundred eighty (180) days of submission.

    For a request to be processed successfully the following conditions must be met:

    • Submitting a request in writing to the address indicated in the “How to Contact Us” section below;

    • Clearly identifying the content or information to be removed;

    • Providing sufficient information to allow us to locate the content or information to be removed;

    • Having paid all amounts due to CMMI;

    • All orders for CMMI products and/or services placed by the individual having been fulfilled or cancelled.

    • All orders for products and/or services to be provided by the individual to CMMI having been completed or cancelled.

    • Providing proof of identity.

    In addition, any individuals making such requests for the deletion of their information will be required to agree to sign a release from all claims against CMMI such that no legal action may be brought against CMMI by or on behalf of that individual in the future for any reason.

    You may submit a Data Subject Access Request (DSAR) here.

  • Information Security

    We take reasonable measures to protect any personal information we may hold in order to prevent loss, misuse, unauthorized access, disclosure, alteration and destruction. In some areas of our Platforms, we may use Secure Socket Layer (“SSL”) or Transport Layer Security (“TLS”) encryption technology to enhance data privacy and help prevent loss, misuse, or alteration of the information under ISACA control.

    We cannot guarantee, however, that all information will remain secure. The Internet by its nature is a public forum. We encourage you to use caution when disclosing information online. Often, you are in the best situation to protect yourself online. You are responsible for protecting your login ID and password from third party access, and for selecting passwords that are secure.

  • Legal Basis for Processing of Personal Information

    Legal Basis for The Processing of Personal Information from EEA Residents

    If you reside within the European Economic Area (EEA), our processing of your personal information will be legitimized as follows:

    (i) Whenever we require your consent for the processing of your personal information such processing will be justified pursuant to Article 6(1) lit. (a) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). This article in the GDPR describes when processing can be done lawfully.

    (ii) If the processing of your personal data is necessary for the performance of a contract between you and CMMI Institute or for taking any pre-contractual steps upon your request, such processing will be based on GDPR Article 6(1) lit. (b). If this data is not processed, the CMMI Institute will not be able to execute the contract with you.

    (iii) Where the processing is necessary for us to comply with a legal obligation, we will process your information on the basis of GDPR Article 6(1) lit. (c), for example complying in the fields of employment law.

    (iv) And where the processing is necessary for the purposes of the CMMI Institute’s legitimate interests, such processing will be made in accordance with GDPR Article 6(1) lit. (f), for example to detect fraud.

    (v) You may also receive personalized advertising where you indicate to the CMMI Institute specific interests by requesting information about a product or service or by indicating your marketing preferences in the preference center.


    Transferring Personal Data from the EU to the US:

    The CMMI Institute has its headquarters in the United States. Information we collect from you will be processed in the United States. The United States has not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR. A finding of “adequacy” in short means that the European Commission has decided that this country outside the EEA ensures an adequate level of data protection. The CMMI Institute relies on derogations as set forth in Article 49 of the GDPR as the United States has no “adequacy” decision and no other safeguards under the GDPR are in place (for example binding corporate rules on the transfer outside the EEA). In particular, the CMMI Institute collects and transfers to the U.S. personal data only: with your explicit consent; to perform a contract with you; in a manner that does not outweigh your rights and freedoms. If this data is not processed and transferred, the CMMI Institute will not be able to execute the contract with you or you will not have access to any or all of the benefits and features associated with your transaction. The CMMI Institute endeavors to apply suitable safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with the CMMI Institute and the practices described in this Privacy Notice. The CMMI Institute also minimizes the risk to your rights and freedoms by not collecting or storing sensitive information about you.

    If you wish to confirm that the CMMI Institute is processing your personal data, or to have access to the personal data the CMMI Institute may have about you, please contact us at or you may submit a Data Subject Access Request (DSAR) here.

    European Union Data Subject Rights

    The European Union’s General Data Protection Regulation and other countries’ privacy laws provide certain rights for data subjects (these are persons that can be identified).

    This Privacy Notice is intended to provide you with information about what personal data the CMMI Institute collects about you and how it is used. 

    If you wish to confirm that the CMMI Institute is processing your personal data, or to have access to the personal data the CMMI Institute may have about you, or have other questions, please contact us at or you may submit a Data Subject Access Request (DSAR) here.

    You may also request information through our Data Subject Access Portal about: the purpose of the processing; the categories of personal data concerned; who else outside the CMMI Institute might have received the data from the CMMI Institute; what the source of the information was (if you did not provide it directly to the CMMI Institute); where the personal data is stored and how long it will be stored. You have a right to correct (rectify) the record of your personal data maintained by the CMMI Institute if it is inaccurate. You may request that the CMMI Institute erase that data or cease processing it, subject to certain exceptions. You may also ask the CMMI Institute for your personal data to be supplemented or updated, or for their transformation into anonymous format or to block any data held in violation of the law, as well as to oppose their treatment for any and all legitimate reasons. You may withdraw your consent for the processing of personal data or the further processing of personal data by the CMMI Institute at any time.  YOU MAY ALSO REQUEST THAT THE CMMI INSTITUTE CEASE USING YOUR DATA FOR DIRECT MARKETING PURPOSES THROUGH THE DATA SUBJECT ACCESS PORTAL OR BY EMAILING INFO@CMMIINSTITUTE.COM. In many countries (including EEA countries), you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how the CMMI Institute processes your personal data. When technically feasible, the CMMI Institute will—at your request—provide your personal data to you or transmit it directly to another controller. You have the right to receive your personal information in a structured and standard format.

    In addition to the information contained in this Privacy Notice, you may be provided with additional and contextual information concerning particular services or the collection and processing of your personal data upon request.

    Reasonable access to your personal data will be provided at no cost to CMMI Institute customers, conference attendees and others upon request made to the CMMI Institute at via the Data Subject Access Portal or If access cannot be provided within a reasonable time frame, the CMMI Institute will provide you with a date when the information will be provided. If for some reason access is denied, the CMMI Institute will provide an explanation as to why access has been denied.

    You may submit a Data Subject Access Request (DSAR) here.

  • Marketing Choices

    We may use aggregated and non-identifying information to deliver tailored advertisements targeted to a specific audience. Based upon the aggregated information we have collected about visitors, we display the advertisement to the intended audience based on these general criteria. Some advertisement methodology may be directed to a specific individual, and may be based on the specific apparent interest of the visitor of a specific device.

    Electronic Communications

    If you receive commercial electronic communications from us, you can unsubscribe from the receipt of future commercial electronic communications from us by clicking on the “unsubscribe link” provided in such communications. Please also note that if you do opt out of receiving emails from us, we may still send you important administrative messages (such as updates about your account or service changes), and you cannot opt out from receiving these messages. Please note that even though you have opted out of receiving marketing-related communications from us, we may still send you important administrative messages.

    We may need to retain certain information for record keeping purposes and/or to complete any transaction that you began before requesting a change or deletion. In addition, it is likely that residual information might remain within our databases, back-ups or other records and might not be removed.

    Shine the Light

    If you have an established relationship with us you may request from us a list of the categories of personal information we have disclosed to third parties for those third parties’ direct marketing purposes, and a list of all third parties with whom we have shared that information. We will include in that list the names and addresses of the third parties who received the information and used it (or who we believe may have used it) for their own marketing purposes.

    To exercise your rights, you may make one request each year by emailing us as set forth in the “How to Contact Us” section below. Indicate in your letter that you are making a “Shine the Light” inquiry. Responses to requests that meet these requirements will be provided within the time frame required by law.

    California Right of Erasure

    If you are a California resident under the age of 18, and you are a registered visitor of the Platforms, you may request that we remove content or information that you posted on the Platform or stored on our servers, by submitting a request in writing as indicated in the “How to Contact Us” section below, and clearly identifying the content or information that you wish to have removed, and providing sufficient information to allow us to locate the content or information to be removed.

    You may submit a Data Subject Access Request (DSAR) here.

  • Your Privacy Choices


    Each visitor has the right to review, change, or suppress personal information that we have collected from that visitor. You may exercise this right by contacting us as indicated in the “How to Contact Us” section. For your protection, we may need to verify your identity before implementing your request. We will try to implement your request as soon as reasonably practicable. We reserve the right to refuse to act on a request that is manifestly unfounded or excessive (for example because it is repetitive) and/or to charge a fee that takes into account the administrative costs for providing the information or taking the action requested.

    In your request, please make clear what information you would like to have changed, whether you would like to have your personal information suppressed from our database, or other limitations you would like to put on our use of your personal information. We may only implement requests with respect to personal information that is associated with the particular email address that you use to send your request.

    You may submit a Data Subject Access Request (DSAR) here.

  • Children

    The Service is a general audience service. Our content is neither directed towards minors nor children who are under the age of 13. We do not knowingly collect personal information from children under the age of 13. If we become aware that a minor or a child under the age of 13 has provided us with personal information without parental consent, that information will be deleted. Parents who have questions about personal information that may have been submitted by a child under the age of 13 should email us at the address provided in the “How to Contact Us” section.

    By using the Platform, you represent that you are at least 13 years old.