Privacy & Security

Last reviewed Feb 5 2026

Scribo Holdings Pte Ltd / Scribo Learning (Scribo) are committed to safeguarding and preserving the privacy & security of our website visitors and product users. This Privacy Policy explains what happens to any personal data that you provide to us or that we collect from you while you use our software or visit our site.  

It is a requirement of Scribo that all end-users are fully aware and informed of this Privacy Policy. In educational environments such as schools where consent is obtained on behalf of the student (see Verifiable Parental Consent), we do not show in-program acceptance and consent interfaces to students. However, this policy should be made available to all users by the school / organisation using the product. We also provide links to the policy at multiple access points in application. 

By using our Applications, Extensions, Add-ins or Services in any way means that you agree to our Terms, Privacy Policy and (if applicable) the GDPR Data Processing Addendum. 

Verifiable Parental Consent

Scribo does not impose a minimum age restriction. Where required under applicable law, parental or guardian consent is obtained and managed by the school or relevant education authority through their established enrolment and consent processes, which Scribo accepts as valid authorisation for student use.

PDPA Compliance (Singapore and Malaysia)

We comply with the requirements of the Personal Data Protection Act 2012 (PDPA) of Singapore and the Personal Data Protection Act 2010 (PDPA) of Malaysia.

Our obligations under the PDPA include:

  • Purpose Limitation: We collect, use and disclose personal data only for purposes directly related to providing and improving our educational services, or as required by law.
  • Consent: We obtain and rely on appropriate consent for the collection, use and disclosure of personal data, including through schools and educational institutions where applicable.
  • Notification: We inform individuals of the purposes for which their personal data is collected, used, and disclosed, through this Privacy Policy and other appropriate means.
  • Access and Correction: Individuals have the right to access and correct their personal data. Requests can be made via team@scribolearning.com and will be addressed within 30 days.
  • Protection: We implement reasonable security arrangements to protect personal data in our care from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
  • Retention Limitation: We retain personal data only for as long as is necessary to fulfil the stated purposes, or as required by law or contractual obligations.
  • For school-based implementations, we require that schools or organisations obtain all necessary parental or guardian consents, where applicable, before providing student data to us in compliance with the PDPA.

If you have any questions about our compliance with the PDPA, or wish to exercise your rights under the PDPA, please contact us at team@scribolearning.com.


FERPA Compliance

We take student privacy seriously and comply with the Family Educational Rights and Privacy Act (FERPA).

Data Use: Student information is used solely to provide our educational services.
Data Protection: We implement robust security measures, such as encryption and access controls, to safeguard student information.
Access Control: Scribo employees access school data only when authorized by the school for troubleshooting or assistance. All Scribo personnel are trained to handle data in a FERPA-compliant manner.
No Unauthorized Sharing: We do not share student information with third parties unless explicitly authorized by the school or required by law.
Parental Consent: Schools are responsible for obtaining verifiable parental consent before sharing student information with Scribo. Schools must establish internal policies to ensure FERPA compliance.

For any questions about our FERPA compliance, please contact us at team@scribolearning.com.

COPPA Compliance

Scribo is a "K-to-grey" platform, and we are proud to serve primary schools and their students. We comply with the Children’s Online Privacy Protection Act (COPPA) to protect the privacy of children under 13.

Data Collection: We collect personal information from students only to provide our educational services.
Parental Consent: Schools are responsible for obtaining verifiable parental consent before sharing student information with us, and must establish internal policies to ensure COPPA compliance.
Data Protection: We use strong security measures to keep student information safe and only allow access to authorized personnel for the purposes of troubleshooting, as requested by the school.
Parental Rights: Parents can review, request deletion, and refuse further collection of their child's information by contacting the school.

For any questions about our COPPA compliance, please contact us at team@scribolearning.com

Data Stored by Scribo Pronto

The information we collect when teachers use the Scribo Pronto add-in for Microsoft Word includes:

  • The name and email address of the teacher using the service as registered with Microsoft
  • The name and email address of the student that owns the document as registered with Microsoft
  • Metrics about student writing, for example their vocabulary and sentence use   
  • Optionally, grades and feedback given by the teacher

Required permissions for add-ins and extensions

Applications that integrate with Microsoft products must declare their intent to access your data by requesting permission from you when you install them. Scribo requests permissions based on the principle of least privilege. That is, we request permission to access only the minimum subset of your data that we need to function correctly. Should permission requirements and functionality change, Scribo will request your permission again. Your express permission must be granted in order for Scribo to integrate with Microsoft Word. 

Data Stored by Scribo for Google Docs


The information we collect when teachers use the Scribo for Google Docs Chrome extension include:

The name and email address of the teacher using the service as registered with Google
The abstracted name of the student that owns the document as registered with Google
Metrics about student writing, for example their vocabulary and sentence use  
Optionally, grades and feedback given by the teacher

Required permissions for add-ins and extensions

Applications that integrate with Google products must declare their intent to access your data by requesting permission from you when you install them. Scribo requests permissions based on the principle of least privilege. That is, we request permission to access only the minimum subset of your data that we need to function correctly. Should permission requirements and functionality change, Scribo will request your permission again. Your express permission must be granted in order for Scribo to integrate with Chrome browser or Google Docs.

 

Scribo Pronto for Microsoft Word

Below is a list of the permissions we use and why they are required for the Scribo Pronto add in for Microsoft Word Online and Microsoft Word 2016.

 

Permission

How Scribo Pronto uses it
Sign you in and read your profile

Pronto accesses the name, email address and optionally profile picture of you and the users that are editors of the document you are viewing or grading.

We store your name and email in order to manage your licensing information and save your grading and feedback so you can access it again.

Have full access to all files user can access

Read only access to the document content that you are viewing or grading using the service.

We use edit permission to insert a Writing Report into the document, if this option is chosen.


 

Scribo For Google Docs for Google Chrome

Below is a list of the permissions we use and why they are required for the Scribo Pronto extension for Chrome.

Permission

 How Scribo for Google Docs uses it
See all your Google Docs documents

 

Read access to the document content that you are viewing or grading using the service.

 
View your email address

We store the teacher's name and email in order to manage licensing information and save your optional grading and feedback so you can access it again.

Note: Google Workspace APIs are not used to develop, improve, or train generalized AI and/or ML models.
 

Data stored 

Students and Personally Identifiable Information

For Google or Microsoft SSO based registrations, we collect the following information about students so that we can create a student account:

  • Student name as registered with Google or Microsoft
  • The student’s email address as registered with Google or Microsoft
  • For the Insights Dashboard and Pronto, the student’s profile picture as provided to Google or Microsoft (if the school policy permits access)

No other Google or Microsoft profile information is collected. 

For non-Google or Microsoft SSO based registrations, we collect the following information about students so that we can create a student account:

  • Student name, or a de-identified pseudonym
  • The student’s email address or a de-identified login ID

Teachers and Personally Identifiable Information

Teacher accounts encompass all roles that are available in the application suite, for example classroom teachers, heads of department etc.  

For Google or Microsoft SSO based registrations, we collect the following information about teachers so that we can create a teacher account:

  • The teacher name as registered with Google or Microsoft. 
  • The teacher’s email address as registered with Google or Microsoft

No other Google or Microsoft profile information is collected. 

For non-Google or Microsoft SSO based registrations, we collect the following information about teachers so that we can create a teacher account:

  • The teacher name, or a de-identified pseudonym
  • The teacher’s email address

Additional Data Stored 

We only store data that is needed for the provision, administration or improvement of the functionality provided for education purposes, as required by each school.  The information we collect when students or teachers (“users”) use our web applications can include:

  • The name of the school, if the user is being included under a school license
  • The user’s classes
  • The teacher’s role  
  • Their creation or completion of assignments
  • Metrics about student responses to assignments  
  • Optionally, grades and feedback given by teachers
  • Their use of the website - when they login and which pages they access
  • Details about their device (for example, the type of device and browser in use)

Additional Data Stored by Ledger and NAPLAN Explorer (optional - chosen by the school)

The information we collect when students or teachers (“users”) use the Ledger web applications:

  • Metrics about student assessment results
  • Other data collected and imported by the school, as the school deems relevant to their needs. For example, student academic goals. 

Data security and access

Data security and privacy are important to us, and we take all steps necessary to protect your personal information. Although no security or encryption method can be guaranteed to protect information from hackers or human error,  we take all reasonable steps to secure your personally identifiable information against unauthorised access or disclosure.

Data is stored on servers provisioned in Amazon’s world class, highly secure data centers which utilize state-of-the art electronic surveillance and multi-factor access control systems. Data centers are staffed 24x7 by trained security guards, Environmental systems are designed to minimize the impact of disruptions to operations. Multiple geographic regions and Availability Zones allow Scribo to remain resilient in the face of most failure modes, including natural disasters or system failures.

All data in transit (inbound and outbound traffic) is symmetrically encrypted (AES-256). Data is also encrypted at rest. 

Scribo employees have very limited access to content on our servers. Access is authorized strictly on a least privileged basis using secured connections. Where we need to access your data to provide you with support, we will obtain express permission to do so.


Accessibility Options for Disabled Students


We are committed to ensuring that all students have access to our educational services. To enhance accessibility, we provide accessibility toolbars ensuring compliance with WCAG 2.1 and ADA standards. 

Accessibility Features: Our toolbars offer various features to assist disabled students, including text-to-speech, keyboard navigation, screen reader compatibility, and more.
Compliance: Our accessibility solutions are designed to comply with the Web Content Accessibility Guidelines (WCAG 2.1) and the Americans with Disabilities Act (ADA).
Opt-In Process: Schools can request to enable these accessibility options for their students. Please contact us to activate these features.

For more information about our accessibility options, or to opt-in, please contact us at team@scribolearning.com.
 

Disclosing your information

We never disclose your personal information to any other party other than in accordance with this Privacy Policy and where we are legally required by law to disclose your personal information.

Scribo will never sell any user’s personal information to any third party. We do not display advertising, therefore, no data is collected for ad targeting. We do not operate any referral program and do not display any sponsored links.

GDPR and Transfer of Personal Data

Scribo recognize the EU General Data Protection Regulation (GDPR) as a cornerstone of data protection and is committed to safeguarding the personal data of all users. We ensure that:

  • Personal data is processed fairly, lawfully, and transparently.
  • Personal data is collected and processed only for specified and lawful purposes.
  • Processed data is adequate, relevant, and limited to what is necessary.
  • Processed data is accurate and kept up to date as necessary.
  • Personal data is retained only as long as necessary for its intended purpose.
  • Personal data is processed in accordance with individual rights under GDPR.
  • Personal data is protected with robust technical and organizational security measures.


Transfer of Your Data Outside the EU

To provide our services, we may transfer or store data outside the EU, including in secure Amazon data centers located in Sydney, Australia. In addition, we use third-party providers, including Google and Microsoft, to facilitate key functionalities such as Single Sign-On (SSO) for user authentication. These providers process limited user data during authentication (e.g., credentials) and return verification data to us to confirm access rights. 

Neither Australia nor the USA has been granted adequacy status by the EU. To ensure GDPR compliance and protect your data during transfers outside the EU, Scribo has implemented Standard Contractual Clauses (SCCs) as approved by the European Commission. These SCCs include:

Processor to Controller SCCs: Governing data transfers between Scribo (Processor) and EU-based schools (Controllers) when processing student data.
Controller to Processor SCCs: Governing data transfers between Scribo (Controller) and third-party processors such as Google and Microsoft, for operations such as SSO.
Controller to Controller SCCs: Governing data exchanges where both Scribo and third-party providers act as independent Controllers.

You can review our GDPR Data Processing Addendum, which includes links to the SCCs, here

Third-Party Data Transfers

Google: Google’s SCCs are integrated into their Data Processing Addendum (DPA), which governs the processing of personal data through Google Workspace and related services. For more information on Google’s compliance measures, please visit Google’s Data Processing Addendum.

Microsoft: Microsoft incorporates SCCs within their DPA, ensuring GDPR compliance for services like Microsoft 365 and Azure. More information about Microsoft’s data protection measures is available here.

Your Rights
Under GDPR, you have the right to access, rectify, delete, or restrict the processing of your personal data. You also have the right to data portability and to object to the processing of your data. For any requests or questions regarding your data, please contact team@scribolearning.com.

 

Third-Party Subprocessors and AI Processing Controls

Scribo engages a small number of carefully selected third-party service providers (“subprocessors”) to support the delivery, security, and reliability of our products. These subprocessors may process limited personal data on our behalf, strictly for the purposes described in this Privacy Policy. All subprocessors are bound by written data protection agreements that include confidentiality and security. We review all subprocessors for security and privacy compliance and maintain least-privileged access controls.

Data Minimization
Where possible, we remove, anonymise or pseudonymise personally identifiable data before processing. Subprocessors have no rights to use personal data for their own purposes.


Current Subprocessors 

Only third parties that process identifiable personal data on behalf of Scribo are included. Services that receive only completely anonymised data, or services used solely at the direction of the school that push data to us (such as SSO or school roster data), are not classified as subprocessors.
 

Sub-processor Purpose Personal Data Processed Location / Region Compliance / Security
Amazon Web Services (AWS) Cloud hosting, storage, encrypted backups

All platform data and related processing operations

 Sydney, Australia AWS Data Processing Addendum & Compliance
Google LLC (Analytics) Pseudonymous site analytics
  • Pseudonymous device/browser data
  • Site usage patterns
 USA Google Analytics Data Processing Terms
Zoho Corporation Customer relationship management (CRM) 
  • School details
  • Primary school contact, including email address, name and role
 USA Zoho Privacy & Compliance
WhatsApp (Meta Platforms) Support communications and notifications for Vision Workbooks users in Singapore
  • Parent phone number (only for users who opt-in)
  • Support message content submitted voluntarily
 USA WhatsApp Business Data Processing Terms
Asana Inc. Internal task management and customer enhancement request tracking
  • Teacher/admin name (when referenced in requests)
  • Email address (occasionally included)
  • Description of enhancement/support needs
 USA Asana Privacy Statement
Google Workspace (Internal Operations) Internal company email, document storage, spreadsheets, onboarding/support workflows
  • Teacher/admin emails within support correspondence
  • Internal documents that may reference users
 Global Google Workspace Data Processing Terms
Intercom Secure in-app and email-based customer support messaging
  • Teacher/admin name & email
  • Support messages and attachments submitted voluntarily
 Sydney, Australia Intercom Trust & Security
OpenAI Generative AI processing for defined product features (e.g., feedback, conversational assistance)
  • Scribo sends no user PII to OpenAI.  However, free-text (for example, essays, writing prompts) may contain indirectly identifying personal information if a user includes it (e.g., names, locations, events, relationships)
 Australia/USA OpenAI Data Processing Addendum (DPA)
OpenAI Security & Privacy
Google (Gemini) Generative AI processing for defined product features (e.g., feedback, conversational assistance)
  • Scribo sends no user PII to Google Gemini.  However, free-text (for example, essays, writing prompts) may contain indirectly identifying personal information if a user includes it (e.g., names, locations, events, relationships)
 Varies by service configuration / region Google Cloud Trust Center
Google Cloud Data Processing Addendum
Anthropic Generative AI processing for defined product features (e.g., feedback, conversational assistance)
  • Scribo sends no user PII to Anthropic models. However, free-text (for example, essays, writing prompts) may contain indirectly identifying personal information if a user includes it (e.g., names, locations, events, relationships)
 Varies by service configuration / region Anthropic Trust Center
Anthropic Data Processing Addendum (DPA)


Use of Data

Scribo does not use personal data or content to train machine learning or artificial intelligence models. Data is used solely for the purpose of delivering the Scribo service to schools, including providing feedback, grading, reporting, and ensuring the reliability, security, and correct functioning of the platform. Any analysis undertaken to maintain or improve the service is limited to aggregated and de-identified operational data, such as system performance metrics and error logs, and does not involve the reuse of data for secondary purposes. Scribo does not use data for advertising, profiling, or any purpose outside the scope of service delivery and contractual obligations to schools.

AI Processing and Anonymisation Controls

Scribo uses large language models (LLMs) to power certain optional AI features such as writing feedback, scoring, and chat assistance. These features are controlled by each school and can be enabled or disabled at any time.

We never send personally identifiable information (PII) to any LLM provider. All AI processing uses secure, API-based models that do not use customer data for training, retention, or model improvement. Before any request leaves our environment, Scribo automatically removes or replaces names, emails, class identifiers, school identifiers, and any other information that could reasonably identify a student or teacher. Only the minimum anonymised text required to complete the task is sent, and all transmissions occur over encrypted TLS connections.

All matching back to user records happens exclusively within Scribo’s own access-controlled systems. Model responses never contain raw PII, and no third-party AI provider receives or stores identifiable personal information. We verify these protections through audit logs, automated tests, periodic manual reviews, and strict change-control processes. If AI features are disabled, no data is sent to LLM providers. When a school’s contract ends, all associated AI-related logs and outputs are deleted according to our data-retention and deletion policy.

 

New Zealand Privacy Act 2020 Compliance

We comply with the requirements of the New Zealand Privacy Act 2020, including the Information Privacy Principles (IPP 1 – 13) governing the collection, storage, use and disclosure of personal information.

Our obligations under the New Zealand Privacy Act 2020 include:

Purpose Limitation: We collect, use and disclose personal information only for purposes directly related to providing and improving our educational services, or as required by law, consistent with IPP 1 and 2.

Access and Correction: Individuals in New Zealand have the right to access and request correction of their personal information under IPP 6 and 7. Requests can be made via team@scribolearning.com and will be addressed within 30 days.

Protection: We implement reasonable security arrangements to protect personal data in our care from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, consistent with IPP 5.

Retention Limitation: We retain personal information only for as long as is necessary to fulfil the stated purposes or as required by law, in accordance with IPP 9.

Cross-Border Data Transfers: Scribo data is hosted in secure Amazon Web Services data centres located in Australia and Singapore. In accordance with IPP 12, we ensure that any cross-border disclosure of personal information is protected by comparable safeguards to those required under the New Zealand Privacy Act 2020. All transfers are secured through encryption, Standard Contractual Clauses (SCCs), and equivalent contractual and technical measures.

Breach Notification: In the unlikely event of a privacy breach that is likely to cause serious harm, Scribo will promptly notify the New Zealand Privacy Commissioner and any affected individuals, in accordance with Sections 114 to 117 of the Privacy Act 2020.

If you have any questions about our compliance with the New Zealand Privacy Act 2020, or wish to exercise your rights under the Act, please contact us at team@scribolearning.com.

Monitoring usage

Cookies

Cookies are text files containing small amounts of information, which your computer or mobile device creates when you visit a website. We do not store any cookies for the purpose of marketing or advertising. The following cookie types are used. 

Authentication, Security, Basic Functionality

Sometimes called “necessary cookies”, these cookies are needed for our sites to work properly. Without these cookies, core site services, such as accessing secure areas, can’t be provided. These cookies don’t gather information about you and are not used for marketing purposes. 

Preferences

These functional cookies are all about the choices you make. They help us tailor your experience by remembering changes you’ve made to customisable content. Without these cookies, our application won’t remember any choices you’ve previously made, or personalise your browsing experience.

Google Analytics

Google Analytics cookies are used to track visitor usage. Google Analytics is a web analytics tool that helps website owners understand how visitors engage with their website. Google Analytics customers can view a variety of reports about how visitors interact with their website so they can improve it. Google Analytics collects information anonymously. It reports website trends without identifying individual visitors.

You can read Google's privacy policy here for further information  http://www.google.com/privacy.html

Other API Services

Presto uses YouTube API Services to augment study content with educational videos. We do not send your personal details to make these API calls. You can find YouTube's Terms of Service here https://www.youtube.com/t/terms and Google's Privacy Policy here http://www.google.com/privacy.html  

By using these service, users are agreeing to be bound by the YouTube Terms of Service. 

Notice of changes to the pricacy policy

From time to time, we may make changes to this policy. We will notify you of any changes via our messaging system. In the case of material changes to the policy, we will also seek your renewed consent. Notifications of changes to the policy will include a link to the updated policy, a summary of the changes, why the update was necessary and how it affects you.

If you do not agree with any aspect of the updated policy, you must notify us promptly and cease using our services. We recommend that you regularly check for changes and that you review this policy when visiting our website.

Successor Entities

If we are acquired by or merge with another entity, to the extent that we can we will require such entity to assume our obligations under this privacy policy. In the alternative, we will provide all users with an option to decline transferring their information to the successor entity.

Enforcement, accessing, updating and removing your personal information.

We will take reasonable steps to make sure that the personal information we collect and use is accurate and up to date. If your personal details change, such as your name or email address, please amend your profile accordingly.

You have the right to see the personal information we hold about you via an access Request. You may ask us to make any changes to ensure that it is accurate and up to date, unless an exception under relevant privacy legislation applies. You also have the right to ask us to remove your data. 

If you wish to access or remove your data, please contact us using the contact details set out below.  Requests will be met within 30 days of receiving the request. 

We regularly review our compliance with our Privacy Policy. All comments, queries, complaints and requests relating to our use of your personal information are welcomed and should be addressed to:

The CEO
Scribo Holdings Pte. Ltd.
67 Ubi Ave 1, StarHub Green #06-03, Singapore 408942
Email: team@scribolearning.com

We will promptly acknowledge and investigate any complaint about the way we manage personal information.