This Privacy and Data Protection Policy applies to all businesses and group companies of Ouriginal. We continuously review, and where necessary, update our privacy information. This is privacy and data protection update 2021-02-23.
Privacy and Data Protection are considered vital components for a sustainable democracy. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7).
Data protection is about protecting any information relating to an identified or identifiable natural (living) person, such as names, dates of birth, photographs, video footage, email addresses and telephone numbers.
We, Ouriginal, recognise that the right to privacy and both are instrumental in preserving and promoting fundamental values and rights; and to exercise other rights and freedoms – such as free speech or the right to assembly. The notion of data protection originates from the right to privacy. Therefore, we consider it our duty and mission to safeguard those rights and be a frontrunner.
We keep track of the relevant privacy regulations and security standards of the EU, US, Canada, Norway and Switzerland to make sure we are compliant with the ongoing changes in global legislation.
Please reach to us if you have any questions in regards to our work with Privacy and Personal Data Protection. You can email us at: firstname.lastname@example.org
Ouriginal is a service that consists of an analysis of whether a specific text contains similarities with other sources, for the purpose of analysis of whether all or part of the text has been plagiarized.
Our offering is to schools and universities all around the world. We help schools and universities prevent plagiarism.
In this day and time personal data is valuable for many enterprises, but we only collect and process such personal data that we need to be able to provide this help/our service to the schools and universities, and we solely process the personal data for that very purpose.
We process personal data on behalf of the schools and universities, and only the personal data we have been instructed by the schools and universities. This is because schools and universities have been allowed the processing of such personal data that is necessary for the performance of their task carried out in the public interest or in the exercise of official authority vested in them (article 6.1(e) GDPR). The schools and universities are responsible for this personal data and therefore they decide how the personal data they hold is to be handled.
The natural person that submits the text for this purpose is referred to as the Submitter (mainly students). The natural person that receives the analysis-report is referred to as the Receiver (mainly instructors/teachers). We process the personal data regarding the Submitter of the submitted text, for the sole purpose to display that personal data to the Receiver for the Receiver to be able to identify the Submitter.
Personal data is processed regarding the schools or university’s staff, which have been specified or given authorization by the schools or university, for the purpose of maintaining Receiver Accounts and for the purpose of our performance of our contractual obligations.
1.1 Personal data of Receivers (instructors/teachers) and Administrators
– Email address;
– IP address; and
– “Single sign-on” identity (Shibboleth*, ActiveDirectory etc.).
*Our service complies with the GÉANT Data Protection Code of Conduct: http://www.geant.net/uri/dataprotection-code-of-conduct/v1
1.2 Personal data of Submitters (mainly students)
– Email address;
– IP address; and
– Linguistic style, which has the potential to identify an individual.
We use the personal data to be able to create and maintain user accounts for the school’s or university’s system-administrators (administrator), students (submitter), and instructors and teachers (receiver), for the submission of documents for the anti-plagiarism check, to send the analysis report to the authorized receiver by the school or university and the identification of the submitter to that receiver.
We process ”Single sign-on” identity for the purpose of secure login and IP addresses for data security reasons, to be able to detect and ward off possible attempts of intrusion.
We process linguistic style to be able to further develop our service to detect so-called ghost-writing.
1.3 The personal data regarding the Submitter is collected through the Submitter’s submission of a text-document for plagiarism analysis, through uploading the text-document in:
– a Learning Management System (LMS), via an account integration or via API for custom, or proprietary LMS;
– Our web app, through the Submitter’s creation of a User Account, for the sole purpose to enable submission through the uploading of text-document in our web app, or;
– Submitter’s submission of text-document by email.
1.4 The personal data regarding the Receiver is collected through:
– the school’s or university’s Administrator or Receiver’s creation of a Receiver Account in a Learning Management System (LMS), which is always an Ouriginal-email linked to the Ouriginal registered personal email-address of the Receiver, or;
– the Receiver’s creation of a User Account, for the sole purpose to enable submission through the uploading of text-document in our web app.
1.5 The personal data regarding the Administrator is collected through:
– the school’s or university’s submission of the name of a natural person and personal email creation of an Administrator role in a Learning Management System (LMS).
GDPR Art. 13.1 (e) the recipients or categories of recipients of the personal data, if any.
We do not sell personal data nor share it for any other means than to provide our service to the schools and universities.
We do however have companies that help us provide our service. These companies are authorized to use personal information only as necessary to provide these services to us. These companies are our so-called sub-processors from a data protection perspective, and it is our responsibility to make sure that they follow the data and privacy protection standards we have committed ourselves to in our role as data processors of the schools and universities. We do this through our data protection agreements with these companies (data sub-processor agreements).
Within the Ouriginal group, PlagScan in Germany [PlagScan GmbH, HRB 73381, at offices on Subbelrather Strasse 15, 50823 Cologne] helps our group company in Sweden, Prio Infocenter AB with customer support, technical support, maintenance, and contracted development of our service and has access to the personal data through remote access to be able to do so. Prio Infocenter in Sweden [Prio Infocenter AB, business id nr 556483-9032, at offices on Gustavslundsvägen 135, 167 51 Bromma] helps PlagScan with customer support, technical support, and maintenance of our service and has access to the personal data through remote access to be able to do so.
H1 Communication AB, business id nr 556730-0610 [Öneslingan 5, 832 51 Frösön, Sweden] helps our group company in Sweden, Prio Infocenter AB with customer support and has also been granted access to the personal data through remote access to be able to do so.
Videnca AB, business id nr 556539-6081 [Gjörwellsgatan 30, 112 60 Stockholm, Sweden] helps our group company in Sweden, Prio Infocenter AB to store data in a high-security facility at (for security reasons), a nondisclosed location in the greater Stockholm-area in Sweden.
Hetzner Online AG, HRB 3204 [Industriestrasse 25, 91710, Gunzenhause, Germany] helps our group company in Germany, PlagScan GmbH with server hosting.
We may use third parties for the processing of personal data when this is required for information purposes, such as newsletters or information regarding product updates, and marketing data for some of our services. We will only do this if it is necessary to provide the service. For instance, Within Ouriginal PlagScan GmbH in Germany helps Prio Infocenter AB in Sweden with activities regarding information such as product updates and information to customers, users, and subscribers, customer relationship management in subscription renewals or cancellations, as well as marketing and sale activities targeted at our customers and potential new customers. In all these cases all relevant personal data is stored in Sweden. In that same manner, Prio Infocenter AB in Sweden helps PlagScan GmbH in Germany with marketing activities.
We use Salesforce.com for the processing and sending of our newsletter. Salesforce has its location for the storage of relevant personal data in Sweden.
When you receive an email from us, we may also use analytical tools to measure and collect data. For example, we might measure when you open the email and what links you click on. We use Microsoft in Europe for this purpose. Microsoft has their location for the storage of relevant personal data in the EU.
We use Visma for administrative-accounting purposes.
We have chosen these partners carefully so that we can ensure that your data is protected.
We always give you the choice to opt-out. You always have the right to change, update, amend or completely erase your personal data from our database. You can also ask for a record of your personal data in our database. If you wish to do any of this, please send an email to email@example.com and we will fulfill your request. Please note that we may need to verify your identity to be able to update/remove your personal data. This could mean a copy of your ID or other approved identification.
In regards to personal data where we process it on behalf of the school or university and you are an individual user who has questions or would like to make changes to your personal data, please contact the institution through which you use our service.
Do you have any questions regarding our use of personal data, or wish to raise a complaint, please let us know. You reach us via firstname.lastname@example.org
You also always have the right to lodge a complaint or submit a report of breaches of the GDPR to the competent Supervisory Authority.
Request my data
You may at any time request information about the personal data we have about you by emailing us at email@example.com.
Remove my data
Ouriginal Group will remove all your personal information and you will no longer be contacted. If you would like to do so, please email us at firstname.lastname@example.org.
Personal data is only used for either our legitimate business interests, such as marketing purposes, research – for the performance of our services to you such as provide you with customer support or process your requests (e.g., request quote, contact, or sample report).
We collect and process personal data through our websites: ouriginal.com, careers.ouriginal.com, and go.ouriginal.com.
Following is a complete list of our websites’ objectives of collecting your personal data:
On our websites, we do not collect personal data unless you as a visitor provide us with it. This can be through a contact form, request quote, request sample report, or the downloading of a whitepaper, guide, or E-book. In these cases, you have to fill out some personal information such as name, email address, and other contact info, to access the services provided. However, you need also to carefully read and approve this privacy statement before doing so.
No personal data regarding data subjects of a school or university situated within the EU or outside the EU is transferred from the EU. Where the school or university is situated in the US that personal data remains in the US. The personal data accessed by our staff in Sweden or Germany in that case is limited to personal data required for customer support and maintenance, and personal data of staff of the school or university for the purpose of Ouriginal being able to communicate with the staff of school or university, such as e-mail, telephone number of staff for the performance of Ouriginal’s obligations according to contract with the school or university.
GDPR Art 13.2 (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
We store the personal data for the length of the contract with the school or university and according to the instructions of the school or university. By default, we store the name and email address of the submitter of a document for the purpose of being able to identify the submitter on behalf of the school or university for 25 months after each submission of a document for anti-plagiarism check, unless the school or university has instructed us otherwise.
Ouriginal provides a flexible authorization mechanism built with privacy by design and privacy/security by default. The authorization mechanism is based on a combination of Role-Based Access Control (RBAC) and permission-based access control. Together, these two access control technologies are used with a permission scheme matrix which is set up for each school or university by securing access/visibility to different functions and features within the system. This gives the school or university themselves the possibility to customize their own privacy and security needs and allows for a range of security settings where each school or university can, for example, choose to have documents and data deleted automatically after a defined number of months or if they wish to be able to delete data independently. Personal data is not shared between schools or universities unless the school or university has explicitly instructed Ouriginal to share data between named collaboration institutions. As a default, Ouriginal will always set up the permission schemes with privacy and security by default, meaning that the topmost security settings are applied as default with a minimum requirement of being able to use the system.
Ouriginal observes protection of privacy by restricting access to information for personnel who have access to personal data by ensuring that personnel are only provided user accounts and authorization based upon the needs of their work duties.
Access to the data is only possible via an SSH connection and protected VPN access for remote working.
All client computers and the users are in their own domain and have no direct access to the servers and the data.
All servers are managed in a separate domain with their own permission scheme.
Our staff are contractually bound by non-disclosure and trained about the data protection regulations.
Password guidelines contain minimum requirements regarding length, upper- and lower-case letters as well as obligation to use numbers and special characters, username guidelines contain a minimum length. Both can be freely chosen by the user with these restrictions. Passwords are exclusively encrypted and stored in the database.
Access to the production environment is reserved to those of our technicians and the technicians of our sub- or data processors who require access in order to maintain/develop our system and this must be approved by the “operations manager” before access is provided.