OUR Privacy
Turnitin, LLC (“Turnitin,” “we,” “us”), owns and operates a variety of web-based services intended to promote academic integrity, streamline assessment, and prevent plagiarism (collectively, for purposes of this Privacy Policy, the (“Services”). This Privacy Policy is intended to inform our customers (“Customers”) and their users (“Users,” “you,” “your”) about how we may collect, use, process, store and disclose your Personal Information when interacting with the Services. This Privacy Policy also describes your choices regarding our use and your access and changes to your Personal Information. Additional information may apply to you depending on residency. If you are a resident of the United Kingdom, the European Union, or a resident of California and certain other states, there may be specific practices applicable to you as noted specifically in this policy. For the sake of clarity, this Privacy Policy does not apply to our websites, which are governed by the policy available here. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.
When we engage with a Customer, when you access or use our Services, when you request customer support or information about our Services, or when you otherwise communicate with us, we may collect certain Personal Information about you. Personal Information, for purposes of this policy, is information that identifies, describes, or reasonably relates to an identifiable person or household, or that is otherwise defined as personal information, personal data, or protected data under applicable laws (“Personal Information”). We may collect this information from Customers, which are typically education institutions, as well as from Users, who may be educators or students. We may collect and process all or some of the following Personal Information about you, which you may provide directly or which may be provided about you from our Customers:
To enable the Services to be used, we may collect the following Personal Information:
Names: First, middle and last names including pseudonyms (if utilized).
User-specific account identifiers: Information that only a User would know in order to secure their account, which may include the answer to a ‘secret question’.
Email address and Account Names: We require an email address and Account Name in order to service an account. Any data that is provided to us by a Customer to permit students to access their account: For example, a personal email address rather than an institutional one or contact details we may require to contact a User.
Passwords: We ask Users to provide Passwords which are essential for the security of an account.
Educational Data: This may include grade/year and educational institution, as well as data submitted pursuant to use of the Services, such as written materials in the form of essays, papers, examination answers, and other writings (“Submissions”).
Names and email addresses: for the same reasons that we collect that data for Students, as stated above.
Role: We either collect or assign an Educator’s role within the Service so we can administer the account, such as ‘Instructor’ or ‘Teaching Assistant’.
Education institution: We will collect this data so we know that a User is using an account that is linked to their Institution.
In addition to the above, when a Customer or User accesses our Services, our servers may also automatically collect information about your usage of, and activity on the Services (“Usage Information”) including:
Log Data: Including information about when and for how long a User accesses the Services.
Device Information: We may collect the ID of any device that accesses the Services, and the Internet Protocol (“IP”) address associated with your browser and device ID. We may also collect additional information such as the make and model of your device; types and versions of software being used; login timestamp, browser type and version, the operating system of the computer and language.
Location & Service Usage Information: We may also collect information from which country the Services were accessed, and the associated timestamp, and areas in the Services that Users visit most frequently and features accessed most often.
Communication Information: We collect information you provide to us. For example, we collect information from you when you request customer support or information about our Services, or otherwise communicate with us.
We do not sell or rent your Personal Information, as the terms are defined under applicable laws. We use and disclose your Personal Information to operate, provide, improve, and develop our Services. Our purposes for using and disclosing your Personal Information are as follows:
To understand, measure, and improve our current and future Services, for legally permissible purposes, including, but not limited to, analyzing the performance of our Services,for the purposes of developing, enhancing, or further refining Turnitin’s existing products and services and developing new products and services, including those that use artificial intelligence, and/or to offer customized service suggestions. Usage Information helps us provide the Services in the local language, to diagnose technical problems, and to administer, improve, and secure the Services. We also aggregate and analyze Usage Information to better understand how our Services are used and to help us improve our Services. Some Services may allow educators to provide student IDs for rostering purposes, rubrics they use for grading Submissions, grades, and comments on their students’ Submissions.
To provide the Services to our Customers and their Users, including the processing of Submissions which is required in order to provide the results of the Services to our Customers.
create and manage log-in credentials, for the creation, maintenance, and administration of Customer and User accounts, and to authenticate Users.
To provide customer support, including via email or text message to resolve a problem or support issue, to notify Customers or Users about changes or issues impacting the Services, and to otherwise communicate and solicit feedback on Customer experiences with the Services.
To protect our rights, such as to establish or exercise our legal rights or defend against claims. For example, sharing may be necessary in order to assert a legal claim or defense, such as to enforce our End User License Agreement.
In relation to a known or suspected violation of our terms of use, fraud prevention, or other unlawful use, including to share Personal Information with entities assisting us in an investigation and as may be required by applicable law.
In connection with legal or regulatory obligations, including to disclose your Personal Information as necessary to protect our rights or the rights and safety of our Users, or as necessary in the event of a court order, regulatory inquiry or other lawful request, or to meet national security or law enforcement requirements. Provided, however, that unless legally prohibited, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.
In the event of a reorganization, merger, sale, assignment, bankruptcy, or similar business change, we may need to transfer your Personal Information to that re-organized entity or new owner after the sale or reorganization for them to use in accordance with this Privacy Policy.
To provide our Customers with updates and offers about our Services. At any time, you may unsubscribe or opt-out of further communication on any electronic marketing communication by using the link labeled “unsubscribe” available in each email communication or by contacting us at unsubscribe@turnitin.com.
Customers may correct or change the Personal Information collected during registration directly in the Services. Student Users may request to access, amend, correct, or delete their Personal Information by contacting their education institution. We will work with the education institution to respond to those requests in the time requested by the Customer or otherwise as required by law. To limit the use and disclosure of their Personal Information, a Student User must first contact their education institution. Customers may also directly request deletion of their Users’ Personal Information at any time by contacting Turnitin Customer Support at tiisupport@turnitin.com.
We use third-party service providers to assist us in collecting and understanding Usage Information. Most browsers can be set to detect browser cookies and to let a user reject them but refusing cookies may impact your experience with the Services. You can learn more about the cookies within the Services in our Cookie Notice. To learn more about browser cookies, including how to manage or delete them, refer to the Tools, Help, or similar section of your web browser.
In the event that a Customer chooses to use our Services with students under the age of 13 or otherwise under the age of consent in their jurisdiction, we rely on the Customer to obtain any necessary prior, verifiable parental or legal guardian consent. We otherwise comply with our direct obligations for protecting that Personal Information. If we learn that we have inadvertently collected such Personal Information without the requisite consent, we will take steps to promptly delete it. Parents wishing to review or request deletion of their child’s Personal Information should contact the Customer. We will work directly with our Customer to facilitate any such requests.
Customers who are subject to the Family Educational Rights and Privacy Act (“FERPA”) contract with Turnitin as a “School Official” with a “legitimate educational interest” in providing the Services as the terms are used in FERPA §§ 99.31(a)(1). Turnitin remains under the direct control of the Customer with respect to the use and maintenance of FERPA-protected “education records” and will use student Personal Information only as set forth in our Customer agreement and in compliance with applicable law.
We may engage with third-party service partners to facilitate our delivery of the Services and to provide certain features on our behalf, such as data hosting, analytics, content delivery, maintenance, security, and similar functions. These third parties may require a limited amount of information, including Personal Information, in order to deliver their services on our behalf.
We implement technical, administrative, and physical safeguards to help protect the confidentiality, integrity, and availability of Personal Information. We host Customer and User Personal Information in third-party data centers that use firewalls, encryption of Personal Information, and other industry-standard technologies in an effort to prevent interference or access from outside intruders. The Internet, however, is not perfectly secure, and we are not responsible for security breaches not reasonably within our control. Turnitin undergoes annual SOC2 Type II audits conducted by an external and independent auditor (AICPA). We also require Customers and Users to each establish an account-identifier and password that must be entered each time Customers or Users sign into the Services. You are responsible for maintaining the confidentiality of your account identifier and password. If you become aware of any unauthorized use of an account, loss of User or Customer account credentials or suspect a security breach, it is your responsibility to promptly notify us at informationsecurity@turnitin.com.
We may retain certain User and Customer Personal Information for the period necessary to enable the continued use of the Services, to fulfill the purposes outlined in this Policy, for legally permissible business purposes, or as otherwise required by law. How long we retain specific Personal Information varies depending on its type and use, after which it will be deleted. We may retain non-Personal Information, including aggregated, de-identified, or anonymized data for lawfully permissible purposes.
We send emails to Customers with information about our Services. Customers may opt-out of receiving email messages from Turnitin by clicking on the “unsubscribe” link found at the bottom of every email that we send. We do not send marketing emails to student Users. If Customers have opted out of receiving communications from us, we may still send account-related communications regarding the Services. We do not send email messages on behalf of third parties.
Certain US state laws, including California, provide their residents with certain rights related to their Personal Information, as described below. We provide these rights to all US residents. Before we may fulfill a request in relation to our Services, we may be required by law to verify your identity in order to prevent unauthorized access to your data. Since we will facilitate User requests through our Customers, we will rely on their verification of your identity and our existing Customer contact information in order to process requests.
Users wishing to exercise the rights described in this section should contact their education institution. We will work with them as needed should they require our assistance in fulfilling the requests.
We do not “sell” or “share” Personal Information as those terms are defined under California and other applicable state privacy laws. To the extent Personal Information is shared with third parties, it is only provided to third party service providers/processors.
Please note that your exercise of the above rights is subject to certain exemptions to safeguard the public interest (e.g., the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). We will try to comply with your request as soon as reasonably practicable in compliance with time frames set forth under applicable law. Requests to exercise these rights may be granted in whole, in part, or not at all, depending on the scope and nature of the request and applicable law. Where required by applicable law, we will notify you if we reject your request and notify you of any reasons why we are unable to honor your request.
Right to Know and Access Information: You have the right to request access to the Personal Information we maintain about you in the ordinary course of business and to receive it in a machine-readable format so that it is available to you. This may include Personal Information we collect, use, or disclose about you.
Right of Correction: You have the right to correct inaccuracies in the Personal Information we maintain about you.
Right to Delete: You have the right to request that we delete your Personal Information. In the case of all such requests, we may not fulfill all or part of the request as permitted or required by applicable law. For example, if you request that we delete your Personal Information, there may be certain records we are legally required to retain.
Authorized Agent: If you are an authorized agent trying to exercise rights on behalf of a Turnitin User, please contact their education institution with your supporting verification information required under applicable state law.
Non-discrimination: We will not discriminate or otherwise penalize anyone for exercising their rights under applicable law or this Privacy Policy.
If you are located outside of the United States, please be aware that your Personal information will be transferred to and processed in the United States, and may also be processed for support purposes where we have employees who work on the Services who may be in the UK, Netherlands, Germany, Sweden, Ukraine, Australia or India. In the EU, it may be possible to store Submissions exclusively in Germany. By submitting your Personal Information, you acknowledge that we may transfer, process, and store your information in this way. Wherever the Personal Information is, it will be treated securely and in accordance with this Privacy Policy and applicable privacy laws of the United States. These laws may be different from the privacy laws in your country. However, this does not change our commitments to safeguard your privacy, and we will comply with all applicable laws relating to the cross-border transfer of your Personal Information. Where required, we will implement Standard Contractual Clauses with our Customers and with our third parties or rely on such other appropriate transfer mechanisms, if applicable, to ensure that the transfer of your Personal Information outside of the EEA, Switzerland, and the United Kingdom is lawful. Such mechanisms include the EU-US Data Privacy Framework which came into force on 10 July 2023, the principles of which Turnitin adheres to. You may request details of the transfer mechanisms that we rely on to transfer personal information outside of these regions by emailing us at DPO@turnitin.com.
Turnitin and its group company, ExamSoft Worldwide LLC, comply with the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-US DPF) (collectively, the “Frameworks”) as set forth by the U.S. Department of Commerce. Turnitin has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-US DPF Principles”) with regard to the processing of Personal Information received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF. Turnitin has certified to the U.S. Department of Commerce that it adheres to the Swiss-US Data Privacy Framework Principles (“Swiss-US DPF Principles”) with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-US DPF. If there is any conflict between the terms in this Privacy Policy and the EU-US DPF Principles and/or the Swiss-US DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov. In compliance with the Frameworks, Turnitin commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of Personal Information received in reliance on the Frameworks should first contact Turnitin at: Data Protection Officer Turnitin, LLC, 2101 Webster Street, Suite 1900, Oakland 94612 CA USA Phone: +44 (0) 191 681 0227 Email: DPO@turnitin.com Turnitin must respond within 45 days of receiving a complaint. In compliance with the EU-US DPF and the UK Extension to the EU-US DPF and the Swiss-US DPF, Turnitin commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (“DPAs”) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (“GRA”) and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) with regard to unresolved complaints concerning our handling of Personal Information received in reliance on the respective Frameworks. The Federal Trade Commission has jurisdiction over Turnitin’s compliance with the Frameworks. Turnitin will submit to binding arbitration in the event that a dispute can not be resolved by the aforementioned mechanisms. Turnitin shall assume liability for any onward transfers of Personal Information made to third parties.
