Privacy Policy

Effective Date: 1st January 2026

1. Introduction and Purpose

1.1 AuthPlus Limited (“AuthPlus,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you access our website, applications, and services (together, the “Service”). This Privacy Notice uses a combination of formal and direct language for clarity. Sections describing our legal obligations and processing activities are written in a formal tone, while sections explaining your rights and practical steps use “you” for ease of understanding. This approach ensures compliance with legal requirements while making your rights and options clear and accessible.

1.2 This Privacy Policy is issued on behalf of AuthPlus Limited, a company registered in England and Wales. Unless otherwise stated, AuthPlus is the controller responsible for processing your personal data.

1.3 We process personal data in compliance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (“EU GDPR”).

1.4 This Privacy Policy should be read together with our Terms and Conditions of Use, Cookie Policy, and any institutional agreements or Service Level Agreements (“SLAs”) that may apply.

1.5 We rely on consent only for specific activities such as marketing communications and non-essential cookies. You may withdraw consent at any time using our provided “manage consent” feature (available by clicking on the bottom right of the website) without affecting prior lawful processing. See Sections 15, 18, and 19 for details.


2. Scope of Policy

2.1 This Privacy Policy applies to all users of the Service, including:
(a) Instructors, who access the Service under free-tier accounts;
(b) Departments, who subscribe on a per-student basis;
(c) Institutes, who contract under bespoke SLAs; and
(d) Students, whose Coursework may be uploaded by Instructors or Institutions.

2.2 This Privacy Policy governs all processing of personal data carried out through:
(a) our website https://authplus.ai and associated domains;
(b) any software, tools, or interfaces provided by us; and
(c) integrations or third-party services required to deliver the Service.

2.3 Where personal data is uploaded by an Institute or Department on behalf of its students, that institution acts as a controller in respect of such data. AuthPlus acts as a processor for the purposes of delivering the Service, subject to contractual obligations in the SLA and applicable data protection law.


3. Data Controller Details

3.1 The data controller of personal data processed under this Privacy Policy is:

AuthPlus Limited
203A Broadway, Yaxley, Peterborough, UK, PE7 3NT
Company number: 16612318
Email: [email protected]

3.2 Data Protection Officer (DPO): Rabi Khan / [email protected]


4. Categories of Personal Data Collected

4.1 We may collect, use, store, and transfer different categories of personal data, including but not limited to:

(a) Identification Data – full name, institutional affiliation, role (Instructor, Department, Institute), and contact details (e.g., email address).
(b) Account Data – username, password (stored as salted and hashed), security credentials, and settings.
(c) Coursework Data – academic submissions (essays, reports, projects, or other materials), associated metadata, and derived authorship analysis reports.
(d) Technical Data – internet protocol (IP) address, device type, operating system, browser type, time zone settings, and log files.
(e) Usage Data – information about your interactions with the Service, including clickstream data, preferences, and cookie identifiers.
(f) Payment Data – billing information, transaction records, and limited payment details processed by authorised providers (e.g., Stripe, Payoneer).
(g) Communications Data – records of support requests, complaints, queries, and other correspondence with AuthPlus.

We do not knowingly collect or process government-issued identification numbers or biometric data. We may collect geolocation data if requested to maintain the integrity and security of Coursework (for example, to prevent link-sharing or unauthorized access), but such data is not displayed to other Users and is used solely for internal security and anti-fraud purposes.


5. Methods of Collection

5.1 We collect personal data in the following ways:

(a) Direct Interactions. When you register an account, submit Coursework, make a payment, or correspond with us.
(b) Institutional Submissions. Where an Instructor, Department, or Institute uploads Coursework or account details on behalf of students.
(c) Automated Technologies. Through cookies, server logs, analytics tools, and similar technologies when you use the Service.
(d) Third-Party Sources. From payment processors, institutional integrations, or service providers supporting our operations.


6. Special Category Data

6.1 Coursework submitted to the Service may incidentally include Special Category Personal Data within the meaning of Article 9 GDPR. Any such inclusion occurs solely at the discretion of the User and is not requested or required by AuthPlus. Please do not include sensitive personal data (such as health or ethnicity) in your submissions. If you do, we process it only as required to provide the Service.

6.2 AuthPlus does not seek, encourage, or intend to collect or process Special Category Personal Data. Users are advised not to include sensitive information in Coursework. AuthPlus is not responsible for any Special Category Personal Data a User chooses to submit.  

6.3 Where AuthPlus is the Data Controller, any incidental Special Category Personal Data is handled only to the extent necessary for the operation of the Service and is otherwise subject to the general processing rules applicable to Coursework Data. AuthPlus does not commit to any specific retention or processing obligations beyond what is strictly required by law.  

6.4 Where AuthPlus acts as a Data Processor, any incidental Special Category Personal Data in Coursework is processed solely on the documented instructions of the Controller. AuthPlus does not establish or rely upon any independent lawful basis under Article 9 GDPR and does not assume responsibility for determining the appropriateness of such data being submitted to the Service. 


7. Purposes of Processing and Lawful Bases

7.1 We process personal data only where there is a lawful basis under the UK GDPR and EU GDPR.

7.2 The purposes for which we process personal data, and the corresponding lawful bases, include:

(a) Service Provision. To register accounts, process Coursework, and deliver authorship analysis reports.

(b) Account Administration. To manage credentials, provide updates, and maintain service access.

(c) Security and Fraud Prevention. To protect our systems, monitor suspicious activity, and prevent misuse.

(d) Analytics and Service Improvement. To analyse use of the Service and enhance performance, where possible using anonymised data.

(e) Marketing Communications. To send newsletters, updates, and offers (subject to opt-in consent discussed further in section 18). See Section 18 for opt-out details.

(f) Payments and Billing. To process transactions and maintain financial records.

(g) Legal Compliance. To comply with court orders, regulatory requirements, and lawful requests from authorities.

7.3 Where multiple lawful bases apply, we will identify the most appropriate basis at the time of collection.

8. Automated Decision-Making and Profiling

We use AI to assist with authorship analysis. AI output is indicative only, and all decisions involve human review. The reports produced by the Service are intended to provide additional data to instructors and to supplement their existing tools and practices. Since we generate authorship reports and utilize statistical models, this constitutes profiling within the meaning of Article 4(4) GDPR.

8.1 As a matter of ideology, we do not deploy neural networks and/or any other ‘blackbox’ models to make judgements on the scores, and the scoring of the quizzes is based on a rule-based system. All reports generated by Auth+ have three parts: 1) a summary score (called the “familiarity indicator”) of the outcome of the test; 2) answer sheets, which clearly display the number of questions the student responded to, the question the student was asked, and the correct (or incorrect) answer the student chose; and 3) the document overlay, which highlights the passages from the document the student was quizzed on. All of this data is provided to aid human decision-making and to provide transparency in how the final summary score was calculated.

8.2 You acknowledge and agree that:
(a) reports generated by the Service are probabilistic and indicative only;
(b) such reports do not constitute determinative or conclusive evidence of authorship;
(c) outputs are designed to support human decision-making in academic integrity processes, not replace human judgment.

8.3 We ensure that significant decisions affecting Users are not based solely on automated processing. Human oversight is maintained, and Users retain the right to contest outputs.

8.4 Users (or their institutions) have the right to:
(a) obtain an explanation of the logic involved in automated processing;
(b) request human review; and
(c) contest any outcome derived from profiling that materially affects them.


9. Data Retention and Deletion

9.1 We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including for legal, accounting, or reporting requirements.

9.2 Retention periods are reviewed annually to ensure they remain appropriate. Our retention periods are as follows:
(a) Coursework Data: retained for a maximum period of 7 years after the end of the academic year in which the submission was made, or earlier if an annual review determines that continued retention is no longer necessary. After this period, Coursework Data will be permanently deleted or anonymised unless a data subject exercises their right to erasure earlier, or retention is required by law or a binding agreement.
(b) Account Data: retained for the life of the account and deleted within 6 months of closure.
(c) Payment Records: retained for 6–7 years in accordance with statutory tax obligations.
(d) Technical and Usage Data: retained for up to 12 months, after which it is anonymised or deleted.
(e) Support/Communications Data: retained for 3 years after resolution, unless longer retention is required for legal defence.

9.3 Users may request deletion of their personal data at any time by contacting [email protected]. Requests will be honoured unless retention is required by law or for the establishment, exercise, or defence of legal claims.


10. Data Sharing and Disclosure

10.1 We do not sell, rent, or trade personal data or Coursework Data to any third parties. Such data is used solely to provide and improve the Service, maintain academic integrity, and fulfil our legal and contractual obligations.

10.2 We may share personal data with trusted third parties strictly for the purposes set out in this Privacy Policy, including:
(a) Hosting Providers – Google Cloud Platform (US data centres).
(b) AI Processing – Gemini, for text generation capabilities.
(c) Payment Processors – Stripe and Payoneer.
(d) Analytics Providers – Google Analytics, Hotjar, HubSpot, and similar vendors.
(e) Consent Management Tools – e.g., Complianz.
(f) Professional Advisors – auditors, lawyers, insurers.
(g) Public Authorities – where legally required.

10.3 All third-party service providers engaged by us are contractually bound to process personal data on our behalf only, under documented instructions, and with appropriate security measures.

10.4 If an Institute or Department uploads student Coursework, AuthPlus may share data with such institutions to deliver the Service, under their controller responsibility.

10.5 Research and Service Improvement. We may use anonymised or aggregated data derived from Coursework and Service usage for the purposes of academic research, statistical analysis, and service improvement. Such processing will never involve the disclosure of identifiable personal data or Coursework content.


11. International Data Transfers

Your data may be stored in the U.S., but we use approved safeguards to keep it protected.

11.1 The Service is currently hosted on the Google Cloud Platform (GCP) in the United States, and processing by Gemini may also occur in the United States. Accordingly, personal data may be transferred outside the United Kingdom and European Economic Area (“EEA”).

11.2 Where such transfers occur, we implement appropriate safeguards to protect personal data, including: (a) Standard Contractual Clauses (SCCs) approved by the European Commission; (b) the UK Addendum or International Data Transfer Agreement (IDTA) as approved by the UK ICO; (c) supplementary technical and organisational measures; and (d) Transfer Impact/Risk Assessments (TIAs/TRAs) to ensure adequacy of protection.

11.3 We have conducted Transfer Risk Assessments (TRAs) for transfers to the United States and concluded that the safeguards listed above provide an essentially equivalent level of protection to that in the UK/EEA.

11.4 Optionally, upon user request, we provide storage and hosting facilities through GCP in UK/EU regions.

11.4.1 U.S. Users: If you are located in the United States, please note that your personal data will be stored and processed in the United States and may also be transferred to the United Kingdom or the European Economic Area.


12. Security Measures

12.1 We maintain appropriate technical and organisational measures to secure personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

12.2 Such measures include, but are not limited to:
(a) passwords stored using industry-standard hashing and salting;
(b) encryption of personal data at rest and in transit;
(c) role-based access controls restricting staff access to data;
(d) application security protocols, including threat detection, DDoS protection, and vulnerability tracking managed within Google Cloud Platform;
(e) regular risk assessments and patch management; and
(f) audit logging of all administrative access.

12.3 Despite these measures, no system is entirely secure. Users acknowledge that transmission of data via the internet carries inherent risks.


13. Children and Minors

For the avoidance of doubt, at present the Service is available only to individuals aged eighteen (18) years and over. If we expand into secondary education in future, we will implement parental consent mechanisms and appropriate safeguards before processing any personal data of minors.


14. Legal Bases for Institutional Processing

14.1 Institutions are responsible for compliance with their data protection obligations, and our role is to support institutes with their compliance measures and requirements. Where Coursework or student personal data is submitted or integrated into the Service by an Instructor, Department, or Institute — including through plugins or integrations with learning management systems — such entity shall remain the data controller with respect to that data. We act as a data processor on their behalf and process such data only in accordance with their documented instructions and/or provided access rights.

14.2 AuthPlus shall process such data as a data processor in accordance with Article 28 GDPR, under the terms of the relevant SLA and Data Processing Agreement (“DPA”).

14.3 Institutions are responsible for:
(a) providing appropriate privacy notices to students;
(b) identifying the correct lawful basis for submitting data; and
(c) ensuring compliance with applicable data protection obligations.

15. Data Subject Rights

15.1 Under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data:
(a) Right of Access – to obtain confirmation as to whether we process your personal data and, if so, to receive a copy.
(b) Right to Rectification – to have inaccurate or incomplete data corrected.
(c) Right to Erasure – to request deletion of your data where lawful grounds exist (“right to be forgotten”).
(d) Right to Restriction – to request restriction of processing in certain circumstances.
(e) Right to Data Portability – to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
(f) Right to Object – to object to processing carried out on grounds of legitimate interests or direct marketing.
(g) Right to Withdraw Consent – where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of prior processing.
(h) Rights in Relation to Automated Decision-Making and Profiling – to request human review and contest outcomes that significantly affect you.

15A. U.S. State Privacy Rights
15A.1 If you are a resident of certain U.S. states, including California, Virginia, Colorado, Connecticut, or Utah, you may have additional rights under applicable state privacy laws. These rights may include:
(a) the right to know what personal data we collect, use, and disclose;
(b) the right to request access to, correction of, or deletion of your personal data;
(c) the right to opt out of the “sale” or “sharing” of your personal data (as those terms are defined under applicable state law);
(d) the right to limit the use of sensitive personal information; and
(e) the right to non-discrimination for exercising your privacy rights.

15A.2 AuthPlus does not “sell” personal data as that term is commonly understood, nor do we share personal data for targeted advertising without your consent.

15A.3 To exercise these rights, you may contact us at [email protected] with “U.S. Privacy Rights Request” in the subject line. We may verify your identity before fulfilling a request, as required by law.

15A.4 California residents may designate an authorised agent to act on their behalf, provided we can verify the agent’s authority.

15B. U.S. Student Data (FERPA Notice)
15B.1 For U.S.-based educational institutions, AuthPlus acknowledges that student education records may be subject to the Family Educational Rights and Privacy Act (“FERPA”). AuthPlus acts as a “school official” with a legitimate educational interest in processing such records, solely for the purpose of providing the Service.
15B.2 We do not disclose education records to third parties except as directed by the Institution or as permitted by law.

15C. Health Data (HIPAA Disclaimer)
The Service is not designed for health data. Do not submit protected health information (PHI).


16. Exercising Rights

16.1 To exercise any of the rights set out above, please contact us at [email protected].

16.2 We may require you to provide sufficient information to verify your identity before responding to your request.

16.3 We aim to respond to all requests within one (1) month. Where requests are complex or numerous, this period may be extended by up to two (2) further months. You will be informed of any such extension.

16.4 No fee will be charged for the exercise of your rights unless requests are manifestly unfounded, repetitive, or excessive. In such cases, we may charge a reasonable fee or refuse to act on the request.


17. Complaints

17.1 If you have concerns about how we process your personal data, please contact us in the first instance at [email protected].

17.2 You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection, at:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK. https://ico.org.uk

17.3 If you are based in the European Union, you may lodge a complaint with your local supervisory authority. A list of supervisory authorities can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.


18. Marketing Communications

18.1 We will only send you direct marketing communications where you have expressly opted in to receive them. Marketing communication is strictly restricted to instructors and/or university staff who schedule a demo (via hard opt-in) through the available demo page, and no marketing communication is sent to students using the service, whether through the native web application or any Learning Management System (LMS) plugin.

18.2 You may opt out of receiving marketing at any time by:
(a) clicking the “unsubscribe” link in emails; or
(b) contacting us at [email protected].

18.3 We will not share your personal data with third parties for their own marketing purposes.


19. Cookies and Tracking Technologies

19.1 We use cookies and similar technologies to operate our website, remember preferences, analyse traffic, and deliver marketing.

19.2 Details of the cookies we use, their purposes, providers, and retention periods are set out in our Cookie Policy.

19.3 Where required by law, we will seek your consent before setting non-essential cookies, and you may withdraw consent at any time using our cookie management tool. See Section 15 for your right to withdraw consent.

19.4 Do Not Track. Some browsers offer a “Do Not Track” signal. The Service does not currently respond to such signals. However, you may manage cookie preferences through our Cookie Policy and our consent management tool.


20. Third-Party Links

20.1 Our website and Service may include links to third-party websites, plug-ins, or applications. Clicking on those links may allow third parties to collect or share data about you.

20.2 We do not control and are not responsible for the privacy practices of third-party websites. We encourage you to read the privacy policies of every website you visit.


21. Changes to This Privacy Policy

21.1 We reserve the right to update or amend this Privacy Policy from time to time.

21.2 Any material changes will be notified by email (where appropriate) or by posting a prominent notice on our website.

21.3 The effective date of this Privacy Policy is indicated at the top. You are responsible for reviewing the policy periodically to remain informed of how we process your personal data.


22. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us at:

AuthPlus Limited
Registered Office: 203A Broadway, Yaxley, Peterborough, UK, PE7 3NT
Email: [email protected]

Data Protection Officer: Rabi Khan / [email protected]