Privacy & Security

Issue 2 Rev 15 : Auth LL : Last reviewed Dec 2024

Scribo Holdings Pte Ltd (Scribo) are committed to safeguarding and preserving the privacy & security of our website visitors and product users. This Privacy Policy explains what happens to any personal data that you provide to us or that we collect from you while you use our software or visit our site.  

It is a requirement of Scribo that all end-users are fully aware and informed of this Privacy Policy. In educational environments such as schools where consent is obtained on behalf of the student (see Verifiable Parental Consent), we do not show in-program acceptance and consent interfaces to students. However, this policy should be made available to all users by the school / organisation using the product. We also provide links to the policy at multiple access points in application. 

By using our Applications, Extensions, Add-ins or Services in any way means that you agree to our Terms, Privacy Policy and (if applicable) the GDPR Data Processing Addendum. 

Verifiable Parental Consent

For Personal Licenses: Individuals aged 15 and older may generally provide their own consent for the collection and processing of personal data. For children under 15, or those unable to make privacy decisions independently, Scribo requires verifiable consent from a parent or legal guardian.

For School Licenses: The School District, School, or Teacher is responsible for obtaining verifiable parental consent for the collection and storage of student information on the Scribo platform. This includes, but is not limited to, information such as names, email addresses, and assignment data. By sharing student information with Scribo, the School District, School, or Teacher confirms that such consent has been obtained in compliance with applicable laws.

We will treat consent provided by a School District, School, Teacher, parent, or legal guardian as consent given on behalf of the child. Notices provided to the relevant School, Teacher, or parent/guardian will be considered as notices provided to the child.

FERPA Compliance

We take student privacy seriously and comply with the Family Educational Rights and Privacy Act (FERPA).

Data Use: Student information is used solely to provide our educational services.
Data Protection: We implement robust security measures, such as encryption and access controls, to safeguard student information.
Access Control: Scribo employees access school data only when authorized by the school for troubleshooting or assistance. All Scribo personnel are trained to handle data in a FERPA-compliant manner.
No Unauthorized Sharing: We do not share student information with third parties unless explicitly authorized by the school or required by law.
Parental Consent: Schools are responsible for obtaining parental consent before sharing student information with Scribo. Schools must establish internal policies to ensure FERPA compliance.

For any questions about our FERPA compliance, please contact us at team@literatu.com.

COPPA Compliance

Scribo is a "K-to-grey" platform, and we are proud to serve primary schools and their students. We comply with the Children’s Online Privacy Protection Act (COPPA) to protect the privacy of children under 13.

Data Collection: We collect personal information from students only to provide our educational services.
Parental Consent: Schools are responsible for obtaining parental consent before sharing student information with us, and must establish internal policies to ensure FERPA compliance.
Data Protection: We use strong security measures to keep student information safe and only allow access to authorized personnel for the purposes of troubleshooting, as requested by the school.
Parental Rights: Parents can review, request deletion, and refuse further collection of their child's information by contacting the school.

For any questions about our COPPA compliance, please contact us at team at literatu.com

Data Stored by Scribo Pronto

The information we collect when teachers use the Scribo Pronto add-in for Microsoft Word includes:

  • The name and email address of the teacher using the service as registered with Microsoft
  • The name and email address of the student that owns the document as registered with Microsoft
  • Metrics about student writing, for example their vocabulary and sentence use   
  • Optionally, grades and feedback given by the teacher

Required permissions for add-ins and extensions

Applications that integrate with Microsoft products must declare their intent to access your data by requesting permission from you when you install them. Scribo requests permissions based on the principle of least privilege. That is, we request permission to access only the minimum subset of your data that we need to function correctly. Should permission requirements and functionality change, Scribo will request your permission again. Your express permission must be granted in order for Scribo to integrate with Microsoft Word. 

Data Stored by Scribo for Google Docs


The information we collect when teachers use the Scribo for Google Docs Chrome extension include:

The name and email address of the teacher using the service as registered with Google
The abstracted name of the student that owns the document as registered with Google
Metrics about student writing, for example their vocabulary and sentence use  
Optionally, grades and feedback given by the teacher

Required permissions for add-ins and extensions

Applications that integrate with Google products must declare their intent to access your data by requesting permission from you when you install them. Scribo requests permissions based on the principle of least privilege. That is, we request permission to access only the minimum subset of your data that we need to function correctly. Should permission requirements and functionality change, Scribo will request your permission again. Your express permission must be granted in order for Scribo to integrate with Chrome browser or Google Docs.

 

Scribo Pronto for Microsoft Word

Below is a list of the permissions we use and why they are required for the Scribo Pronto add in for Microsoft Word Online and Microsoft Word 2016.

 

Permission

How Scribo Pronto uses it
Sign you in and read your profile

Pronto accesses the name, email address and optionally profile picture of you and the users that are editors of the document you are viewing or grading.

We store your name and email in order to manage your licensing information and save your grading and feedback so you can access it again.

Have full access to all files user can access

Read only access to the document content that you are viewing or grading using the service.

We use edit permission to insert a Writing Report into the document, if this option is chosen.


 

Scribo For Google Docs for Google Chrome

Below is a list of the permissions we use and why they are required for the Scribo Pronto extension for Chrome.

Permission

 How Scribo for Google Docs uses it
See all your Google Docs documents

 

Read access to the document content that you are viewing or grading using the service.

 
View your email address

We store the teacher's name and email in order to manage licensing information and save your optional grading and feedback so you can access it again.

Note: Google Workspace APIs are not used to develop, improve, or train generalized AI and/or ML models.
 

Data stored 

Students and Personally Identifiable Information

For Google or Microsoft SSO based registrations, we collect the following information about students so that we can create a student account:

  • Student name as registered with Google or Microsoft
  • The student’s email address as registered with Google or Microsoft
  • For the Insights Dashboard and Pronto, the student’s profile picture as provided to Google or Microsoft (if the school policy permits access)

No other Google or Microsoft profile information is collected. 

For non-Google or Microsoft SSO based registrations, we collect the following information about students so that we can create a student account:

  • Student name, or a de-identified pseudonym
  • The student’s email address or a de-identified login ID

Teachers and Personally Identifiable Information

Teacher accounts encompass all roles that are available in the application suite, for example classroom teachers, heads of department etc.  

For Google or Microsoft SSO based registrations, we collect the following information about teachers so that we can create a teacher account:

  • The teacher name as registered with Google or Microsoft. 
  • The teacher’s email address as registered with Google or Microsoft

No other Google or Microsoft profile information is collected. 

For non-Google or Microsoft SSO based registrations, we collect the following information about teachers so that we can create a teacher account:

  • The teacher name, or a de-identified pseudonym
  • The teacher’s email address

Additional Data Stored 

We only store data that is needed for the provision, administration or improvement of the functionality provided for education purposes, as required by each school.  The information we collect when students or teachers (“users”) use our web applications can include:

  • The name of the school, if the user is being included under a school license
  • The user’s classes
  • The teacher’s role  
  • Their creation or completion of assignments
  • Metrics about student responses to assignments  
  • Optionally, grades and feedback given by teachers
  • Their use of the website - when they login and which pages they access
  • Details about their device (for example, the type of device and browser in use)

Additional Data Stored by Ledger and NAPLAN Explorer (optional - chosen by the school)

The information we collect when students or teachers (“users”) use the Literatu Ledger web applications:

  • Metrics about student assessment results
  • Other data collected and imported by the school, as the school deems relevant to their needs. For example, student academic goals. 

Data security and access

Data security and privacy are important to us, and we take all steps necessary to protect your personal information. Although no security or encryption method can be guaranteed to protect information from hackers or human error,  we take all reasonable steps to secure your personally identifiable information against unauthorised access or disclosure.

Data is stored on servers provisioned in Amazon’s world class, highly secure data centers which utilize state-of-the art electronic surveillance and multi-factor access control systems. Data centers are staffed 24x7 by trained security guards, Environmental systems are designed to minimize the impact of disruptions to operations. Multiple geographic regions and Availability Zones allow Scribo to remain resilient in the face of most failure modes, including natural disasters or system failures.

All data in transit (inbound and outbound traffic) is symmetrically encrypted (AES-256). Data is also encrypted at rest. 

Scribo employees have very limited access to content on our servers. Access is authorized strictly on a least privileged basis using secured connections. Where we need to access your data to provide you with support, we will obtain express permission to do so.

Accessibility Options for Disabled Students


We are committed to ensuring that all students have access to our educational services. To enhance accessibility, we provide accessibility toolbars ensuring compliance with WCAG 2.1 and ADA standards. 

Accessibility Features: Our toolbars offer various features to assist disabled students, including text-to-speech, keyboard navigation, screen reader compatibility, and more.
Compliance: Our accessibility solutions are designed to comply with the Web Content Accessibility Guidelines (WCAG 2.1) and the Americans with Disabilities Act (ADA).
Opt-In Process: Schools can request to enable these accessibility options for their students. Please contact us to activate these features.

For more information about our accessibility options, or to opt-in, please contact us at team at literatu.com.
 

Disclosing your information

We never disclose your personal information to any other party other than in accordance with this Privacy Policy and where we are legally required by law to disclose your personal information.

Scribo will never sell any user’s personal information to any third party. We do not display advertising, therefore, no data is collected for ad targeting. We do not operate any referral program and do not display any sponsored links.

Some of our services use AI and Machine Learning services, which are created, hosted and run by Scribo. Data sent to API (Application Programming Interfaces) based services such as Google Translate are anonymized and do not ever contain any user identifiable account data. All API services are accessed via encrypted communications. 

All API services are provided by validated partners such as Microsoft, Google and IBM.

GDPR and Transfer of Personal Data

Scribo recognize the EU General Data Protection Regulation (GDPR) as a cornerstone of data protection and is committed to safeguarding the personal data of all users. We ensure that:

  • Personal data is processed fairly, lawfully, and transparently.
  • Personal data is collected and processed only for specified and lawful purposes.
  • Processed data is adequate, relevant, and limited to what is necessary.
  • Processed data is accurate and kept up to date as necessary.
  • Personal data is retained only as long as necessary for its intended purpose.
  • Personal data is processed in accordance with individual rights under GDPR.
  • Personal data is protected with robust technical and organizational security measures.


Transfer of Your Data Outside the EU

To provide our services, we may transfer or store data outside the EU, including in secure Amazon data centers located in Sydney, Australia. In addition, we use third-party providers, including Google and Microsoft, to facilitate key functionalities such as Single Sign-On (SSO) for user authentication. These providers process limited user data during authentication (e.g., credentials) and return verification data to us to confirm access rights. 

Neither Australia nor the USA has been granted adequacy status by the EU. To ensure GDPR compliance and protect your data during transfers outside the EU, Scribo has implemented Standard Contractual Clauses (SCCs) as approved by the European Commission. These SCCs include:

Processor to Controller SCCs: Governing data transfers between Scribo (Processor) and EU-based schools (Controllers) when processing student data.
Controller to Processor SCCs: Governing data transfers between Scribo (Controller) and third-party processors such as Google and Microsoft, for operations such as SSO.
Controller to Controller SCCs: Governing data exchanges where both Scribo and third-party providers act as independent Controllers.

You can review our GDPR Data Processing Addendum, which includes links to the SCCs, here

 

Third-Party Data Transfers

Google: Google’s SCCs are integrated into their Data Processing Addendum (DPA), which governs the processing of personal data through Google Workspace and related services. For more information on Google’s compliance measures, please visit Google’s Data Processing Addendum.

Microsoft: Microsoft incorporates SCCs within their DPA, ensuring GDPR compliance for services like Microsoft 365 and Azure. More information about Microsoft’s data protection measures is available here.


Data Minimization

Where possible, we remove, anonymise or pseudonymise personally identifiable data before processing. This ensures that personal data remains protected and compliant with GDPR standards.

Your Rights

Under GDPR, you have the right to access, rectify, delete, or restrict the processing of your personal data. You also have the right to data portability and to object to the processing of your data. For any requests or questions regarding your data, please contact team@literatu.com.

Monitoring usage

Cookies

Cookies are text files containing small amounts of information, which your computer or mobile device creates when you visit a website. We do not store any cookies for the purpose of marketing or advertising. The following cookie types are used. 

Authentication, Security, Basic Functionality

Sometimes called “necessary cookies”, these cookies are needed for our sites to work properly. Without these cookies, core site services, such as accessing secure areas, can’t be provided. These cookies don’t gather information about you and are not used for marketing purposes. 

Preferences

These functional cookies are all about the choices you make. They help us tailor your experience by remembering changes you’ve made to customisable content. Without these cookies, our application won’t remember any choices you’ve previously made, or personalise your browsing experience.

Google Analytics

Google Analytics cookies are used to track visitor usage. Google Analytics is a web analytics tool that helps website owners understand how visitors engage with their website. Google Analytics customers can view a variety of reports about how visitors interact with their website so they can improve it. Google Analytics collects information anonymously. It reports website trends without identifying individual visitors.

You can read Google's privacy policy here for further information  http://www.google.com/privacy.html

Other API Services

Presto uses YouTube API Services to augment study content with educational videos. We do not send your personal details to make these API calls. You can find YouTube's Terms of Service here https://www.youtube.com/t/terms and Google's Privacy Policy here http://www.google.com/privacy.html  

By using these service, users are agreeing to be bound by the YouTube Terms of Service. 

Notice of changes to the pricacy policy

From time to time, we may make changes to this policy. We will notify you of any changes via our messaging system. In the case of material changes to the policy, we will also seek your renewed consent. Notifications of changes to the policy will include a link to the updated policy, a summary of the changes, why the update was necessary and how it affects you.

If you do not agree with any aspect of the updated policy, you must notify us promptly and cease using our services. We recommend that you regularly check for changes and that you review this policy when visiting our website.

Successor Entities

If we are acquired by or merge with another entity, to the extent that we can we will require such entity to assume our obligations under this privacy policy. In the alternative, we will provide all users with an option to decline transferring their information to the successor entity.

Enforcement, accessing, updating and removing your personal information.

We will take reasonable steps to make sure that the personal information we collect and use is accurate and up to date. If your personal details change, such as your name or email address, please amend your profile accordingly.

You have the right to see the personal information we hold about you via an access Request. You may ask us to make any changes to ensure that it is accurate and up to date, unless an exception under relevant privacy legislation applies. You also have the right to ask us to remove your data. 

If you wish to access or remove your data, please contact us using the contact details set out below.  Requests will be met within 30 days of receiving the request. 

We regularly review our compliance with our Privacy Policy. All comments, queries, complaints and requests relating to our use of your personal information are welcomed and should be addressed to:

The CEO

Scribo Holdings Pte Ltd

StorHub 743, 743 Lor. 5 Toa Payoh, Singapore 319457

Email: team@literatu.com

We will promptly acknowledge and investigate any complaint about the way we manage personal information.