Ouriginal is now part of the Turnitin family Learn More

Privacy and Personal Data Protection Policy

This Privacy and Data Protection Policy applies to all businesses and group companies of Ouriginal. We continuously review, and where necessary, update our privacy information. This is privacy and data protection update 2021-02-23.

Privacy and Data Protection are considered vital components for a sustainable democracy. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7).

Data protection is about protecting any information relating to an identified or identifiable natural (living) person, such as names, dates of birth, photographs, video footage, email addresses and telephone numbers.

We, Ouriginal, recognise that the right to privacy and both are instrumental in preserving and promoting fundamental values and rights; and to exercise other rights and freedoms – such as free speech or the right to assembly. The notion of data protection originates from the right to privacy. Therefore, we consider it our duty and mission to safeguard those rights and be a frontrunner.

We keep track of the relevant privacy regulations and security standards of the EU, US, Canada, Norway and Switzerland to make sure we are compliant with the ongoing changes in global legislation.

Please reach to us if you have any questions in regards to our work with Privacy and Personal Data Protection. You can email us at: dataprotection@ouriginal.com

Ouriginal Anti-Plagiarism Service

Ouriginal is a service that consists of an analysis of whether a specific text contains similarities with other sources, for the purpose of analysis of whether all or part of the text has been plagiarized.

Our offering is to schools and universities all around the world. We help schools and universities prevent plagiarism. 

In this day and time personal data is valuable for many enterprises, but we only collect and process such personal data that we need to be able to provide this help/our service to the schools and universities, and we solely process the personal data for that very purpose.

Ouriginal Anti-Plagiarism Service - Why we process personal data and legal basis

We process personal data on behalf of the schools and universities, and only the personal data we have been instructed by the schools and universities. This is because schools and universities have been allowed the processing of such personal data that is necessary for the performance of their task carried out in the public interest or in the exercise of official authority vested in them (article 6.1(e) GDPR). The schools and universities are responsible for this personal data and therefore they decide how the personal data they hold is to be handled.

The natural person that submits the text for this purpose is referred to as the Submitter (mainly students). The natural person that receives the analysis-report is referred to as the Receiver (mainly instructors/teachers). We process the personal data regarding the Submitter of the submitted text, for the sole purpose to display that personal data to the Receiver for the Receiver to be able to identify the Submitter.

Personal data is processed regarding the schools or university’s staff, which have been specified or given authorization by the schools or university, for the purpose of maintaining Receiver Accounts and for the purpose of our performance of our contractual obligations.

No personal data regarding data subjects of a school or university situated within the EU or outside the EU is transferred from the EU.

1. What personal data we process and what we use it for on behalf of the schools and universities

1.1 Personal data of Receivers (instructors/teachers) and Administrators
– Email address;
– Name;
– IP address; and
– “Single sign-on” identity (Shibboleth*, ActiveDirectory etc.).

*Our service complies with the GÉANT Data Protection Code of Conduct: http://www.geant.net/uri/dataprotection-code-of-conduct/v1

1.2 Personal data of Submitters (mainly students)
– Email address;
– Name;
– IP address; and
– Linguistic style, which has the potential to identify an individual.

We use the personal data to be able to create and maintain user accounts for the school’s or university’s system-administrators (administrator), students (submitter), and instructors and teachers (receiver), for the submission of documents for the anti-plagiarism check, to send the analysis report to the authorized receiver by the school or university and the identification of the submitter to that receiver.

We process ”Single sign-on” identity for the purpose of secure login and IP addresses for data security reasons, to be able to detect and ward off possible attempts of intrusion.

We process linguistic style to be able to further develop our service to detect so-called ghost-writing.

1.3 The personal data regarding the Submitter is collected through the Submitter’s submission of a text-document for plagiarism analysis, through uploading the text-document in:
– a Learning Management System (LMS), via an account integration or via API for custom, or proprietary LMS;
– Our web app, through the Submitter’s creation of a User Account, for the sole purpose to enable submission through the uploading of text-document in our web app, or;
– Submitter’s submission of text-document by email.

1.4 The personal data regarding the Receiver is collected through:
– the school’s or university’s Administrator or Receiver’s creation of a Receiver Account in a Learning Management System (LMS), which is always an Ouriginal-email linked to the Ouriginal registered personal email-address of the Receiver, or;
– the Receiver’s creation of a User Account, for the sole purpose to enable submission through the uploading of text-document in our web app.

1.5 The personal data regarding the Administrator is collected through:
the school’s or university’s submission of the name of a natural person and personal email creation of an Administrator role in a Learning Management System (LMS).

GDPR Art. 13.1 (e) the recipients or categories of recipients of the personal data, if any.

2. Third-party access to your personal data

We do not sell personal data nor share it for any other means than to provide our service to the schools and universities.

We do however have companies that help us provide our service. These companies are authorized to use personal information only as necessary to provide these services to us. These companies are our so-called sub-processors from a data protection perspective, and it is our responsibility to make sure that they follow the data and privacy protection standards we have committed ourselves to in our role as data processors of the schools and universities. We do this through our data protection agreements with these companies (data sub-processor agreements).

Within the Ouriginal group, PlagScan in Germany [PlagScan GmbH, HRB 73381, at offices on Subbelrather Strasse 15, 50823 Cologne] helps our group company in Sweden, Prio Infocenter AB with customer support, technical support, maintenance, and contracted development of our service and has access to the personal data through remote access to be able to do so. Prio Infocenter in Sweden [Prio Infocenter AB, business id nr 556483-9032, at offices on Gustavslundsvägen 135, 167 51 Bromma] helps PlagScan with customer support, technical support, and maintenance of our service and has access to the personal data through remote access to be able to do so.

H1 Communication AB, business id nr 556730-0610 [Öneslingan 5, 832 51 Frösön, Sweden] helps our group company in Sweden, Prio Infocenter AB with customer support and has also been granted access to the personal data through remote access to be able to do so.

Videnca AB, business id nr 556539-6081 [Gjörwellsgatan 30, 112 60 Stockholm, Sweden] helps our group company in Sweden, Prio Infocenter AB to store data in a high-security facility at (for security reasons), a nondisclosed location in the greater Stockholm-area in Sweden.

Hetzner Online AG, HRB 3204 [Industriestrasse 25, 91710, Gunzenhause, Germany] helps our group company in Germany, PlagScan GmbH with server hosting.

3. How we handle personal data as Data Controllers

We may use third parties for the processing of personal data when this is required for information purposes, such as newsletters or information regarding product updates, and marketing data for some of our services. We will only do this if it is necessary to provide the service. For instance, Within Ouriginal PlagScan GmbH in Germany helps Prio Infocenter AB in Sweden with activities regarding information such as product updates and information to customers, users, and subscribers, customer relationship management in subscription renewals or cancellations, as well as marketing and sale activities targeted at our customers and potential new customers. In that same manner, Prio Infocenter AB in Sweden helps PlagScan GmbH in Germany with marketing activities.

The personal data accessed by our staff in Sweden or Germany is limited to personal data required for customer support and maintenance, and personal data of staff of the school or university for the purpose of Ouriginal being able to communicate with the staff of school or university, such as e-mail, telephone number of staff for the performance of Ouriginal’s obligations according to contract with the school or university.

We use Salesforce.com for the processing and sending of our newsletter. 

When you receive an email from us, we may also use analytical tools to measure and collect data. For example, we might measure when you open the email and what links you click on. 

We use Visma for administrative-accounting purposes.

We use Google, Zoom, Microsoft and Mimecast for communication purposes.

We have chosen these partners carefully so that we can ensure that your data is protecte

4. How to erase your data or receive personal data you have provided us

We always give you the choice to opt-out. You always have the right to change, update, amend or completely erase your personal data from our database. You can also ask for a record of your personal data in our database. If you wish to do any of this, please send an email to dataprotection@ouriginal.com and we will fulfill your request. Please note that we may need to verify your identity to be able to update/remove your personal data. This could mean a copy of your ID or other approved identification.

In regards to personal data where we process it on behalf of the school or university and you are an individual user who has questions or would like to make changes to your personal data, please contact the institution through which you use our service.

Do you have any questions regarding our use of personal data, or wish to raise a complaint, please let us know. You reach us via dataprotection@ouriginal.com

You also always have the right to lodge a complaint or submit a report of breaches of the GDPR to the competent Supervisory Authority.

Request my data

You may at any time request information about the personal data we have about you by emailing us at dataprotection@ouriginal.com.

Remove my data

Ouriginal Group will remove all your personal information and you will no longer be contacted.  If you would like to do so, please email us at dataprotection@ouriginal.com.

Cookie policy

Find out more about how we use cookies to improve your user experience on our website.

5. Collection and processing of personal data for our legitimate interests

Personal data is only used for either our legitimate business interests, such as marketing purposes, research – for the performance of our services to you such as provide you with customer support or process your requests (e.g., request quote, contact, or sample report).

We collect and process personal data through our websites: ouriginal.comcareers.ouriginal.com, and go.ouriginal.com.

Following is a complete list of our websites’ objectives of collecting your personal data:

  • Web form: “Follow us”
    We will only use the personal data collected, i.e., your name and email address, in order to send you updates via email and for analytical and marketing purposes. If you provide us with this data and accept this privacy statement, you give your consent for us to do this.
  • Job application (through careers.ouriginal.com)
    If you apply for a job at Ouriginal through our website, we will only use your personal details to be able to contact you regarding the recruitment process. Please note that careers.urkund.com is operated by Teamtailor AB and has its own Privacy Statement which you can find here. If you have applied for a job and wish to be completely removed from the system, click here.

On our websites, we do not collect personal data unless you as a visitor provide us with it. This can be through a contact form, request quote, request sample report, or the downloading of a whitepaper, guide, or E-book. In these cases, you have to fill out some personal information such as name, email address, and other contact info, to access the services provided. However, you need also to carefully read and approve this privacy statement before doing so.

We also use cookies on our websites. The storing of cookies can sometimes be considered equivalent to the processing of personal data. This can be information such as which browsing device you are using, your geographic locations, which pages you visit, etc. Please note that this information is anonymous and used only for analytical purposes. To read more about our use of cookies, please see our Cookie Policy page.

6. Retention and erasure

GDPR Art 13.2 (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.

We store the personal data for the length of the contract with the school or university and according to the instructions of the school or university. By default, we store the name and email address of the submitter of a document for the purpose of being able to identify the submitter on behalf of the school or university for 25 months after each submission of a document for anti-plagiarism check, unless the school or university has instructed us otherwise.

How we keep the data secure

1. Access Control (physical security of locations and protection of data during storage)

  • Access Control (physical security of locations and protection of data during storage)
  • The IT environment has been established with a high level of security both with respect to physical as well as logistical security. The IT environment has high redundancy and is located in two geographically separated locations.
  • All employees undergo thorough security training in which routines for handling user accounts/passwords, antivirus, downloading software, discarding of materials, use of computers externally, etc. are reviewed.
  • Security guidelines are employed in the development process.
  • Most of the external libraries used are wrapped in data processor’s adapters to encapsulate the functionality.
  • Detection of hacking/intrusion attempts as well as data leaks are made by tracking and alerting anomalies in application logs as well as OS-level logs is employed for the purpose of detection of hacking/intrusion attempts.
  • Handling of attempts is made by blocking/locking user logins and by blocking IP-addresses and requests.
  • All user-sensitive information such as passwords are encrypted in transit and at rest using proven strong cryptographic standards.

2. Sharing Control

  • Ouriginal provides a flexible authorization mechanism built with privacy by design and privacy/security by default. The authorization mechanism is based on a combination of Role-Based Access Control (RBAC) and permission-based access control. Together, these two access control technologies are used with a permission scheme matrix which is set up for each school or university by securing access/visibility to different functions and features within the system. This gives the school or university themselves the possibility to customize their own privacy and security needs and allows for a range of security settings where each school or university can, for example, choose to have documents and data deleted automatically after a defined number of months or if they wish to be able to delete data independently. Personal data is not shared between schools or universities unless the school or university has explicitly instructed Ouriginal to share data between named collaboration institutions. As a default, Ouriginal will always set up the permission schemes with privacy and security by default, meaning that the topmost security settings are applied as default with a minimum requirement of being able to use the system.

  • Ouriginal observes protection of privacy by restricting access to information for personnel who have access to personal data by ensuring that personnel are only provided user accounts and authorization based upon the needs of their work duties.

  • Access to the data is only possible via an SSH connection and protected VPN access for remote working.

  • All client computers and the users are in their own domain and have no direct access to the servers and the data.

  • All servers are managed in a separate domain with their own permission scheme.

  • Our staff are contractually bound by non-disclosure and trained about the data protection regulations.

  • Password guidelines contain minimum requirements regarding length, upper- and lower-case letters as well as obligation to use numbers and special characters, username guidelines contain a minimum length. Both can be freely chosen by the user with these restrictions. Passwords are exclusively encrypted and stored in the database.

  • Access to the production environment is reserved to those of our technicians and the technicians of our sub- or data processors who require access in order to maintain/develop our system and this must be approved by the “operations manager” before access is provided.

3. Transmission Control (protection of personal data during transmission)

  • Personal data is not transported or processed via data carriers. External access to the data is via an SSL-encrypted connection. The exception is cases where a Submitter uses email to submit text-documents for analysis.
  • Strong algorithms for encryption are used in transmissions. All communication to and from our system is encrypted using TLS/SSL over HTTP(s) where exploits in SSL are monitored.
  • Our production environment is logically separated by firewalls and networks which separate external web frontends from the backend.

4. Input Control / Logging

  • Transactions in our systems are logged. Individual usernames ensure that logged input, modification, and deletion of data can be traced. The logs are stored in text format and may contain personal data such as IP number, ID number, and are normally stored for maximum of six months before they are erased unless otherwise instructed by the data controller. These logs are used to troubleshoot and to investigate any attempted intrusion.
  • Input data material is stored on three different levels. Log files (for troubleshooting and traceability), databases and file systems.
  • We uphold data minimization by processing the minimum amount of personal data required to provide our service.

5. Order Control

  • Our sub-processors are subject to appropriate instructions and measures for their processing tasks.

6. Availability Control

  • Disk mirroring to reduce the data loss risks in case of a hard disk failure to be minimized.
  • Backup is automatically created and stored in two different locations for redundancy and disaster recovery purposes.
  • All service disruptions, as well as emergency situations, are communicated through our status page (https://status.urkund.com).
  • On the status page,  information will be communicated regarding the severity of the incident and how it affects our users. Regular updates will also be communicated in terms of the ongoing technical investigation by our teams, and when a solution to the problems has been found.
  • Availability risks are minimized by having a system that utilizes High Availability throughout the different layers of the OSI model.

7. Separation Rule

  • A logical client separation is employed. Data is assigned concretely down to the User level and can be processed separately for different purposes. The separation of access and processing on clients is given on the User level.
  • Test environments are separated from the production

8. Testing, assessment, and evaluation of the effectiveness of technical and organizational measures for ensuring the security of the processing

  • Tests against known vulnerabilities of IT security are performed regularly and logged. Automated vulnerability scans are conducted each month on all servers and computers for the purpose of detecting misconfigurations, or other vulnerabilities that could lead to potential data leaks and access to sensitive data, bad patches and versions, missing updates, etc.
  • Patches on production servers are performed continuously.
  • External penetration tests are conducted to ensure the integrity of software.
  • Internal port scanning is conducted on a regular basis and vulnerability scanning is done to look for inadequately configured firewalls.
  • IT security, data integrity introduction for all new employees, and repletion for all employees.
  • Risk assessment of the impact on personal integrity and data security for development.

Links to Other Websites

Our website contains links that lead to other websites. If you click on these links, we are not held responsible for your data and privacy protection. Visiting those websites is not governed by this privacy policy agreement. Make sure to read the privacy policy documentation of the website you go to from our website.


The English version of the Privacy Policy is the official version. In case a translation differs, the English version is the official and applicable.

This website uses cookies to improve the site’s overall user experience and performance. Read more here.