Turnitin Services Privacy Policy

Last Updated: 21 December 2023

Turnitin, LLC (“Turnitin,” “we,” “us”), owns and operates a variety of web-based services intended to promote academic integrity, streamline assessment, and prevent plagiarism (collectively, for purposes of this Privacy Policy, the (“Services”). This Privacy Policy is intended to inform our customers (“Customers”) and their users (“Users,” “you,” “your”) about how we may collect, use, process, store and disclose your Personal Information when interacting with the Services. This Privacy Policy also describes your choices regarding our use and your access and changes to your Personal Information.

Additional information may apply to you depending on residency. If you are a resident of the United Kingdom, the European Union, or a resident of California and certain other states, there may be specific practices applicable to you as noted specifically in this policy.

For the sake of clarity, this Privacy Policy does not apply to our websites, which are governed by the policy available here.

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.

Table of contents


Personal Information We Collect



When we engage with a Customer, when you access or use our Services, when you request customer support or information about our Services, or when you otherwise communicate with us, we may collect certain Personal Information about you. Personal Information, for purposes of this policy, is information that identifies, describes, or reasonably relates to an identifiable person or household, or that is otherwise defined as personal information, personal data, or protected data under applicable laws (“Personal Information”). We may collect this information from Customers, which are typically education institutions, as well as from Users, who may be educators or students.

We may collect and process all or some of the following Personal Information about you, which you may provide directly or which may be provided about you from our Customers:

Registering for an Account:

To enable the Services to be used, we may collect the following Personal Information:

  • Student data, including:
    Names: First, middle and last names including pseudonyms (if utilized).

    User-specific account identifiers: Information that only a User would know in order to secure their account, which may include the answer to a ‘secret question’.

    Email address and Account Names: We require an email address and Account Name in order to service an account.

    Any data that is provided to us by a Customer to permit students to access their account: For example, a personal email address rather than an institutional one or contact details we may require to contact a User.

    Passwords: We ask Users to provide Passwords which are essential for the security of an account.

    Educational Data: This may include grade/year and educational institution, as well as data submitted pursuant to use of the Services, such as written materials in the form of essays, papers, examination answers, and other writings (“Submissions”).

  • Educator data, including:
    Names and email addresses: for the same reasons that we collect that data for Students, as stated above.

    Role: We either collect or assign an Educator’s role within the Service so we can administer the account, such as ‘Instructor’ or ‘Teaching Assistant’.

    Education institution: We will collect this data so we know that a User is using an account that is linked to their Institution.

Using the Service:

In addition to the above, when a Customer or User accesses our Services, our servers may also automatically collect information about your usage of, and activity on the Services (“Usage Information”) including:

Log Data: Including information about when and for how long a User accesses the Services.

Device Information: We may collect the ID of any device that accesses the Services, and the Internet Protocol (“IP”) address associated with your browser and device ID. We may also collect additional information such as the make and model of your device; types and versions of software being used; login timestamp, browser type and version, the operating system of the computer and language.

Location & Service Usage Information: We may also collect information from which country the Services were accessed, and the associated timestamp, and areas in the Services that Users visit most frequently and features accessed most often.

Communication Information: We collect information you provide to us. For example, we collect information from you when you request customer support or information about our Services, or otherwise communicate with us.


How We Use and Disclose Personal Information

We do not sell or rent your Personal Information, as the terms are defined under applicable laws. We use and disclose your Personal Information to operate, provide, improve, and develop our Services. Our purposes for using and disclosing your Personal Information are as follows:

  • To understand, measure, and improve our current and future Services, for legally permissible purposes, including, but not limited to, analyzing the performance of our Services,for the purposes of developing, enhancing, or further refining Turnitin’s existing products and services and developing new products and services, including those that use artificial intelligence, and/or to offer customized service suggestions. Usage Information helps us provide the Services in the local language, to diagnose technical problems, and to administer, improve, and secure the Services. We also aggregate and analyze Usage Information to better understand how our Services are used and to help us improve our Services. Some Services may allow educators to provide student IDs for rostering purposes, rubrics they use for grading Submissions, grades, and comments on their students’ Submissions.

  • To provide the Services to our Customers and their Users, including the processing of Submissions which is required in order to provide the results of the Services to our Customers.

  • To create and manage log-in credentials, for the creation, maintenance, and administration of Customer and User accounts, and to authenticate Users.

  • To provide customer support, including via email or text message to resolve a problem or support issue, to notify Customers or Users about changes or issues impacting the Services, and to otherwise communicate and solicit feedback on Customer experiences with the Services.

  • To protect our rights, such as to establish or exercise our legal rights or defend against claims. For example, sharing may be necessary in order to assert a legal claim or defense, such as to enforce our End User License Agreement.

  • In relation to a known or suspected violation of our terms of use, fraud prevention, or other unlawful use, including to share Personal Information with entities assisting us in an investigation and as may be required by applicable law.

  • In connection with legal or regulatory obligations, including to disclose your Personal Information as necessary to protect our rights or the rights and safety of our Users, or as necessary in the event of a court order, regulatory inquiry or other lawful request, or to meet national security or law enforcement requirements. Provided, however, that unless legally prohibited, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.

  • In the event of a reorganization, merger, sale, assignment, bankruptcy, or similar business change, we may need to transfer your Personal Information to that re-organized entity or new owner after the sale or reorganization for them to use in accordance with this Privacy Policy.

  • To provide our Customers with updates and offers about our Services. At any time, you may unsubscribe or opt-out of further communication on any electronic marketing communication by using the link labeled “unsubscribe” available in each email communication or by contacting us at unsubscribe@turnitin.com.


How You May Modify Your Personal Information

Customers may correct or change the Personal Information collected during registration directly in the Services. Student Users may request to access, amend, correct, or delete their Personal Information by contacting their education institution. We will work with the education institution to respond to those requests in the time requested by the Customer or otherwise as required by law. To limit the use and disclosure of their Personal Information, a Student User must first contact their education institution.

Customers may also directly request deletion of their Users’ Personal Information at any time by contacting Turnitin Customer Support at tiisupport@turnitin.com.


Cookies

We use third-party service providers to assist us in collecting and understanding Usage Information. Most browsers can be set to detect browser cookies and to let a user reject them but refusing cookies may impact your experience with the Services. You can learn more about the cookies within the Services in our Cookie Notice. To learn more about browser cookies, including how to manage or delete them, refer to the Tools, Help, or similar section of your web browser.


Children’s Privacy

In the event that a Customer chooses to use our Services with students under the age of 13 or otherwise under the age of consent in their jurisdiction, we rely on the Customer to obtain any necessary prior, verifiable parental or legal guardian consent. We otherwise comply with our direct obligations for protecting that Personal Information. If we learn that we have inadvertently collected such Personal Information without the requisite consent, we will take steps to promptly delete it.

Parents wishing to review or request deletion of their child’s Personal Information should contact the Customer. We will work directly with our Customer to facilitate any such requests.


Family Educational Rights and Privacy Act (FERPA)

Customers who are subject to the Family Educational Rights and Privacy Act (“FERPA”) contract with Turnitin as a “School Official” with a “legitimate educational interest” in providing the Services as the terms are used in FERPA §§ 99.31(a)(1). Turnitin remains under the direct control of the Customer with respect to the use and maintenance of FERPA-protected “education records” and will use student Personal Information only as set forth in our Customer agreement and in compliance with applicable law.


Third Party Service

We may engage with third-party service partners to facilitate our delivery of the Services and to provide certain features on our behalf, such as data hosting, analytics, content delivery, maintenance, security, and similar functions. These third parties may require a limited amount of information, including Personal Information, in order to deliver their services on our behalf.


Security

We implement technical, administrative, and physical safeguards to help protect the confidentiality, integrity, and availability of Personal Information. We host Customer and User Personal Information in third-party data centers that use firewalls, encryption of Personal Information, and other industry-standard technologies in an effort to prevent interference or access from outside intruders. The Internet, however, is not perfectly secure, and we are not responsible for security breaches not reasonably within our control.

Turnitin undergoes annual SOC2 Type II audits conducted by an external and independent auditor (AICPA).

We also require Customers and Users to each establish an account-identifier and password that must be entered each time Customers or Users sign into the Services. You are responsible for maintaining the confidentiality of your account identifier and password. If you become aware of any unauthorized use of an account, loss of User or Customer account credentials or suspect a security breach, it is your responsibility to promptly notify us at informationsecurity@turnitin.com.


Data Retention

We may retain certain User and Customer Personal Information for the period necessary to enable the continued use of the Services, to fulfill the purposes outlined in this Policy, for legally permissible business purposes, or as otherwise required by law. How long we retain specific Personal Information varies depending on its type and use, after which it will be deleted.

We may retain non-Personal Information, including aggregated, de-identified, or anonymized data for lawfully permissible purposes.


Opt-Out Policy

We send emails to Customers with information about our Services. Customers may opt-out of receiving email messages from Turnitin by clicking on the “unsubscribe” link found at the bottom of every email that we send. We do not send marketing emails to student Users.

If Customers have opted out of receiving communications from us, we may still send account-related communications regarding the Services. We do not send email messages on behalf of third parties.


Notice For California and Other US Residents

Certain US state laws, including California, provide their residents with certain rights related to their Personal Information, as described below. We provide these rights to all US residents. Before we may fulfill a request in relation to our Services, we may be required by law to verify your identity in order to prevent unauthorized access to your data. Since we will facilitate User requests through our Customers, we will rely on their verification of your identity and our existing Customer contact information in order to process requests.

Users wishing to exercise the rights described in this section should contact their education institution. We will work with them as needed should they require our assistance in fulfilling the requests.

We do not “sell” or “share” Personal Information as those terms are defined under California and other applicable state privacy laws. To the extent Personal Information is shared with third parties, it is only provided to third party service providers/processors.

Please note that your exercise of the above rights is subject to certain exemptions to safeguard the public interest (e.g., the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). We will try to comply with your request as soon as reasonably practicable in compliance with time frames set forth under applicable law. Requests to exercise these rights may be granted in whole, in part, or not at all, depending on the scope and nature of the request and applicable law. Where required by applicable law, we will notify you if we reject your request and notify you of any reasons why we are unable to honor your request.

Right to Know and Access Information: You have the right to request access to the Personal Information we maintain about you in the ordinary course of business and to receive it in a machine-readable format so that it is available to you. This may include Personal Information we collect, use, or disclose about you.

Right of Correction: You have the right to correct inaccuracies in the Personal Information we maintain about you.

Right to Delete: You have the right to request that we delete your Personal Information. In the case of all such requests, we may not fulfill all or part of the request as permitted or required by applicable law. For example, if you request that we delete your Personal Information, there may be certain records we are legally required to retain.

Authorized Agent: If you are an authorized agent trying to exercise rights on behalf of a Turnitin User, please contact their education institution with your supporting verification information required under applicable state law.

Non-discrimination: We will not discriminate or otherwise penalize anyone for exercising their rights under applicable law or this Privacy Policy.

The following reflects our current practices and our practices that have been in place over the past 12 months.

Categories of Personal Information we collect
  • Online identifier,

  • Internet Protocol address,

  • Personal information limited to your name, email address, user ID, and password;

  • Education information, such as Submissions; Internet or other electronic network activity information related to your use of our Services;

  • If you choose to schedule a call with Turnitin or contact our Customer Support, we will collect identifiers such as a real name, work email, phone number.

We do not deliberately collect sensitive Personal Information as it is defined under applicable US state laws. We may collect sensitive personal information if included in student Submissions.

Categories or sources from which the Personal Information is collected We collect the Personal Information directly from you, from your education institution, or automatically through the Service as described above.
Business or commercial purpose for collecting or for sharing or selling Personal Information

We collect your Personal Information to operate the Services, respond to your requests and for the following business purposes:

  • Providing the Services in accordance with our contract with the Customer and our Terms of Use, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, and processing payments.

  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.

  • Debugging to identify and repair errors that impair existing intended functionality.

  • Sending you information and updates about our Services.

  • Improving the Services when permitted by the Customer.

  • We do not “sell” or “share” Personal Information as defined under California and other applicable state privacy laws.

Categories of third parties with whom we share Personal Information Specific pieces of Personal Information we have collected

We do not share your Personal Information with individuals or organizations to use for their own or others commercial purposes. We disclose your Personal Information only to service providers who support us in delivering the services as described above.

  • From Students: First name, last name, email address, user ID, password, institution name, grade/year, education institution, and coursework Submissions which may contain Personal Information.

  • From Educators: First name, last name, email address, role, and education institution.

  • In addition, some Services may allow educators to provide student IDs for rostering purposes, rubrics they use for grading students’ submissions, grades, and comments on their students’ submissions.

  • Internet Protocol address, device ID.

  • Internet or other electronic network activity information, including, but not limited to, how you use the Services.


GDPR Information

When we provide Services to you as a Customer or a User, we act as a “data processor” under the EU and UK General Data Protection Regulations. Our processing of your Personal Information is governed by this Privacy Policy as well as the contractual agreement with the Customer. For more detailed information on Turnitin and its GDPR compliance, see our GDPR FAQs.


For All International Users

If you are located outside of the United States, please be aware that your Personal information will be transferred to and processed in the United States, and may also be processed for support purposes where we have employees who work on the Services who may be in the UK, Netherlands, Germany, Sweden, Ukraine, Australia or India. In the EU, it may be possible to store Submissions exclusively in Germany.

By submitting your Personal Information, you acknowledge that we may transfer, process, and store your information in this way. Wherever the Personal Information is, it will be treated securely and in accordance with this Privacy Policy and applicable privacy laws of the United States. These laws may be different from the privacy laws in your country. However, this does not change our commitments to safeguard your privacy, and we will comply with all applicable laws relating to the cross-border transfer of your Personal Information. Where required, we will implement Standard Contractual Clauses with our Customers and with our third parties or rely on such other appropriate transfer mechanisms, if applicable, to ensure that the transfer of your Personal Information outside of the EEA, Switzerland, and the United Kingdom is lawful. Such mechanisms include the EU-US Data Privacy Framework which came into force on 10 July 2023, the principles of which Turnitin adheres to. You may request details of the transfer mechanisms that we rely on to transfer personal information outside of these regions by emailing us at DPO@turnitin.com.


EU-US Data Privacy Framework Certification

Turnitin and its group company, ExamSoft Worldwide LLC, comply with the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-US DPF) (collectively, the “Frameworks”) as set forth by the U.S. Department of Commerce. Turnitin has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-US DPF Principles”) with regard to the processing of Personal Information received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF. Turnitin has certified to the U.S. Department of Commerce that it adheres to the Swiss-US Data Privacy Framework Principles (“Swiss-US DPF Principles”) with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-US DPF. If there is any conflict between the terms in this Privacy Policy and the EU-US DPF Principles and/or the Swiss-US DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov.

In compliance with the Frameworks, Turnitin commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of Personal Information received in reliance on the Frameworks should first contact Turnitin at:

Data Protection Officer

Turnitin, LLC, 2101 Webster Street, Suite 1900, Oakland 94612 CA USA

Phone: +44 (0) 191 681 0227

Email: DPO@turnitin.com

Turnitin must respond within 45 days of receiving a complaint.

In compliance with the EU-US DPF and the UK Extension to the EU-US DPF and the Swiss-US DPF, Turnitin commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (“DPAs”) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (“GRA”) and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) with regard to unresolved complaints concerning our handling of Personal Information received in reliance on the respective Frameworks.

The Federal Trade Commission has jurisdiction over Turnitin’s compliance with the Frameworks. Turnitin will submit to binding arbitration in the event that a dispute can not be resolved by the aforementioned mechanisms. Turnitin shall assume liability for any onward transfers of Personal Information made to third parties.


Additional Rights

Please note that the rules in your country may provide you with additional rights related to our processing of your Personal Information or may limit these rights. In all cases, our provision of the rights will comply with the applicable laws.

If you are based in the EEA, Switzerland, or the United Kingdom, for example, you may have the right to access, update, or correct your Personal Information, to request deletion of such Personal Information, and to object to certain processing, including that related to marketing, to receive a machine-readable copy of the Personal Information that you provided to us, or request us to transfer such data to an applicable third party in certain circumstances.

Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g., the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). To exercise your rights, please contact your education institution. We will work with them to facilitate your request in circumstances in which they require our assistance.


Updates to This Policy

This Policy may be modified from time to time, as our services evolve. So that you are aware when changes have been made, we will adjust the “Last Updated” date at the beginning of this Privacy Policy and, when required by applicable law or regulation, we may also provide notice by email or within the Service.

The “Last Updated” note at the top of this policy indicates when it was last revised, and updates will become effective when they are posted.


Contact

If you have questions regarding this Privacy Policy, or if you have any concerns or complaints about how we handle your Personal Information, please contact us at:

2101 Webster St., Suite 1900

Oakland, California 94612

866 816 5046

legal@turnitin.com

If you have concerns or complaints regarding this Privacy Policy or our data handling procedures, you may have a right to lodge a complaint with a supervisory authority.

Our Data Protection Officer may be reached at DPO@turnitin.com.