Harvard Business School understands that Internet users value their privacy. In November 2007 we adopted and published a privacy policy ("Website Privacy Policy") that would govern the Business School's use of personal information obtained from discrete visitors to the HBS website (the "Website"). The Website Privacy Policy and its terms and protections apply to all of the publicly-available pages on the Website. Except as specifically provided in this Privacy Policy for Restricted-Access Pages, the Website Privacy Policy, incorporated herein by reference, applies as well to pages that are password-protected and accessible only to members of the HBS community ("Restricted Access Pages").

The exceptions that apply to Restricted-Access Pages on the Website are as follows:

• Although (as the Website Privacy Policy explains) users are not required to identify themselves or disclose personal information in order to visit the public portions of the site, users who seek to visit Restricted-Access Pages must submit login and password information to HBS.
• Users who successfully log in to view Restricted Access Pages will have an additional, "HBS User" Cookie installed on their hard drive. The HBS User Cookie carries the user's login and encrypted access information—not the user's password. We use the cookie to provide HBS users with access to protected resources and for web analytics—that is, to track use patterns on the Restricted Access Pages. Our analytics are conducted at the level of user categories—e.g., students, faculty, staff. For MBA students, the user-identifying information obtained from the cookie is included in the database that generates analytics reports for HBS. However, analytics reports are gathered in the aggregate, and individual user information is not reported to HBS staff. For staff and faculty, the user-identifying information obtained from the cookie is excluded from the database that generates analytics reports for HBS; we are therefore unable to generate reports on individual users.
• A third-party vendor has contracted with HBS to supply the web analytics services discussed above. The vendor hosts the analytics application and receives and logs usage information gleaned from the HBS User Cookie, and the non-user-identifying analytics reports generated by HBS personnel are created and saved within the vendor's system. The vendor does retain logs of user-identifying usage information for a limited period of time, so that data can be reprocessed as necessary to accomplish additional reporting functions. These logs are kept in a secure facility. The vendor's personnel are prohibited from reviewing confidential user information, except as required to provide technical assistance or troubleshoot reporting problems.
• Exception: HBS has deployed ShareSites and My Sites technology that enable HBS community members to exchange files and engage in other web-based collaborative activities on the HBS site.
• ShareSites and My Sites usage reports contain user login IDs. These reports identify how many times per day on average a user has accessed a given ShareSite or My Site during the past 30 days. These reports do not identify what pages or documents a user has accessed. The only information that is retained is a snapshot of the last 30 days. These reports are only visible by site owners and administrators. The login ID of a user who accesses the HBS site, but not pages on the site that are supported by ShareSites and My Sites, will not appear in these reports.

As with the Website Privacy Policy, we reserve the right to amend the terms of this Privacy Policy for Restricted-Access Pages and will post appropriate notice on the Website upon doing so.