Gradescope adheres to and has certified compliance with the EU-U.S. Privacy Shield framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. Gradescope has certified that it adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement (the “Principles”). To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/ and/or https://www.privacyshield.gov/list. Gradescope complies with the provisions of Regulation (EU) 2016/679 of the European Parliament, known as the General Data Protection Regulation (“GDPR”) and acts as both a Data Controller and a Data Processor as those terms are defined in the GDPR. For purposes of Article 14(2) of the GDPR, Gradescope relies on the following lawful basis for processing Personal Data: consent, compliance with law and legitimate interest.
1. How we collect and use information
We collect the following types of information:
Information you provide to us directly: We ask for certain types of personal information when a teacher, professor or similar instructor (“Teacher”) or a representative acting on behalf of a school, university or institution (“School”) corresponds with us, requests a demo, signs up to receive newsletters or registers on our Website; including a name, school name, school district, school email address and/or account name and password, billing information, and phone number. We may also retain information if a user sends us a message, posts content to our website, interacts with us on social media (e.g., Facebook, Twitter), logs in to our site using a third party authentication service (e.g., Google, Facebook, Twitter), or responds to emails or surveys.
Once a School or Teacher begins using the Service, this information we collect may be combined with records relating to the School’s or Teacher’s use of our Service. If you are a student whose School or Teacher has enrolled in our Service (“Student”), we may collect your email address and password, which may be combined with information about you that we receive from the School (“Student Data”). We use the personal information we collect to operate, maintain, and provide the features and functionality of the Service, to analyze our Service offerings and functionality, and to communicate with our Teachers, Schools, Students and website visitors.
We do not allow third party advertising networks to collect information about the users of our Site or Service. We use or may use the data collected through cookies or other tracking technologies to: (a) remember information so that a user will not have to re-enter it during subsequent visits; (b) provide custom, personalized content and information; (c) provide and monitor the effectiveness of our Service; (d) monitor aggregate metrics such as total number of visitors, traffic, and usage on our website and our Service; (e) diagnose or fix technology problems; and (f) help users efficiently access information after signing in.
We will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. We will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.
2. How we share your information
Gradescope only shares the personally identifiable information collected on our website in a few limited circumstances, described below. Gradescope remains liable to you for any transfer of information to such third parties (also known as ‘onward transfer’).
- We may share information with third party service providers who perform services on our behalf (e.g. accountants, mailing houses), but strictly for the purpose of carrying out their work for us. We only share data with third parties that adhere to security and data retention policies which are consistent with those described here.
- We may share aggregate or anonymous data (including personal data that has been stripped of personally identifying characteristics) with third parties as part of providing our Service.
- If you are over 18 and a student at a higher education institution, you may be able to consent to share certain kinds of your data with other Students or third parties, such as recruiters or prospective employers. Gradescope will not share your personally identifiable data with these third parties without your explicit consent.
- We may permit our users to share information with one another through our social forums and messaging functions. When a user voluntarily posts content to the public areas of our Service, the user name will be disclosed to other users. We do not control how much personal information a user voluntarily shares through these user content features on our Service.
- We may share information relating to our Services, including your personal information, in connection with a company transaction, such as a merger, sale of company assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by another company or third party, or in the event of bankruptcy or related or similar proceedings, provided that the third party has agreed to data privacy standards no less stringent than those set forth in this policy.
3. How we store and protect your information
Storage and processing: Your information collected through the Service may be stored and processed in the United States or any other country in which Gradescope or its subsidiaries, affiliates or service providers maintain facilities. If you use our Service, you consent to have your data transferred to the United States or anywhere else Gradescope maintains facilities.
Keeping information safe: Gradescope maintains strict administrative, technical and physical procedures to protect information stored in our servers, which are located in the United States. We use industry-standard Secure Sockets Layer (SSL) encryption technology to safeguard the account registration process and sign-up information. Other security safeguards include but are not limited to data encryption, firewalls, and limiting access to personal data to employees who require it to perform their job functions.
We retain your data on the Gradescope service only as long as necessary to deliver our services. Data associated with a given account is retained until the account owner or an institution, on behalf of the account owner, submits a deletion request. When a deletion request is made for data in which multiple Gradescope users have legitimate educational interest, data deletion will occur only after such users no longer need access for educational purposes. Upon deletion, data is retained in our backups for a period of one (1) year. Any data retention terms specified in an agreement Gradescope holds with an individual institution take precedence over those outlined here. If your account is controlled by an institutional license and you would like to know the data retention terms associated with your account, please contact us at firstname.lastname@example.org. If you are over 18 and a student or the parent or guardian of a student, you may transfer the account held by the institutional licensee and convert it to a personal account. To do so, please contact us at firstname.lastname@example.org.
4. Your choices about your information
Account information and settings: You may update or modify your account information by signing into your account. Schools, Teachers and other website visitors can opt-out of receiving promotional email from us by clicking on the “unsubscribe” feature at the bottom of each email. You cannot unsubscribe from Service-related messaging.
If you have any questions about reviewing, modifying or deleting your account information, contact us directly.
Deleting or disabling cookies: You may be able to disallow cookies to be set on your browser. Please look for instructions on how to delete or disable cookies and other tracking/recording tools on your browser’s technical settings. You may not be able to delete or disable cookies on certain mobile devices and/or certain browsers. For more information on cookies, visit www.allaboutcookies.org. Remember that disabling cookies may disable many of the features available on the Service, so we recommend you leave cookies enabled.
Under GDPR, if you are an EU resident, you may request that we:
- provide access to and/or a copy of certain information we hold about you
- update information which is out of date or incorrect
- delete certain information which we are holding about you
- restrict the way that we process and disclose certain of your information
- transfer your information to a third-party provider of services
- revoke your consent for the processing of your information
We will consider all requests and provide our response within the time period stated by applicable law. If Gradescope is acting as a Data Controller, we will respond directly to you (but may ask for additional information necessary to confirm your identity). If Gradescope is acting as a Data Processor, we will recommend that you contact your teacher or your school. In most instances, Gradescope is a Data Controller when it collects personal data as part of its marketing activities, and is a Data Processor when it provides services to teachers and schools. Please note, however, that certain information may be exempt from such requests in some circumstances, which may include if we need to keep processing your information for our legitimate interests or to comply with a legal obligation. To the extent that you make such a request, we may require certain information to help verify your request and prevent fraudulent information and removal requests.
5. Children’s privacy
Our Service is not directed to children under 16 and we do not knowingly collect personally identifiable information directly from children under 16. Please contact us if you believe we have inadvertently collected personal information from a child under 16 so that we may delete such data as soon as possible.
6. Data collected during the course of providing services to schools
Gradescope provides a Service designed to assist Schools, Teachers and other educational partners to improve student learning outcomes. In some circumstances, Gradescope may receive personally identifiable information about students (“Student Data”) from the School or Teacher in the course of providing our Service. For example, a Teacher will provide a class roster, email addresses of all students in the class, as well as coursework data that may be linked to a particular student. All Student Data that we are provided by the Teacher, if any, is owned and controlled by the School and the Teacher. We consider Student Data to be strictly confidential and we have physical, administrative and technical security protections in place to protect such data. We do not use personally identifiable Student Data for any purpose other than to provide the services to the School or Teacher, and we do not share personally identifiable Student Data with any third party except as authorized or required by the School, Teacher or the Student. We may collect, analyze, and share anonymized or aggregated data or data derived from Student Data for certain purposes, but only if the disclosure of such data could not reasonably identify a specific individual or specific School. Our collection and use of Student Data provided by a Teacher or School is governed by our Terms of Service and by the provisions of the Family Educational Rights and Privacy Act (FERPA).
Student Data is provided and controlled by the School. If you are a student or the parent or guardian of a student and have questions about reviewing, modifying, or deleting personal information of a student, please contact your school directly.
7. Links to other websites and services
From time to time, we may provide links to third parties from our Service. We are not responsible for the practices employed by websites, applications or services linked to or from our Service. We recommend that you review the privacy policies of third party sites or services before providing any information to them.
8. Enforcement of this Policy
9. Dispute Resolution
In compliance with the Privacy Shield Principles, Gradescope commits to resolve complaints about your privacy and our collection or use of your personal information and will respond to such complaints within forty-five days.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our third party dispute resolution provider, JAMS. More information can be found at https://www.jamsadr.com/eu-us-privacy-shield.
In addition, if Gradescope does not resolve the complaint, you can submit the matter to binding arbitration to a single arbitrator of the Privacy Shield Panel. The remedies from this arbitration are limited to individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Principles only with respect to the individual.
The United States Federal Trade Commission is the statutory body that has jurisdiction to hear any claims against Gradescope regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy.
10. How to contact us
Arjun Singh, Gradescope Chief Privacy and Data Protection Officer
2054 University Ave #600, Berkeley, CA 94704