Privacy Policy

This Privacy Policy applies to Authero (the website, teacher/admin web app, APIs, and the Authero Student desktop app) (the “Service”).

1. Institutional (B2B) use

Authero is provided to schools and educational institutions (“Institutions”). In most deployments, the Institution determines the purposes and lawful basis for processing student and staff data and provides required notices/consents. Authero acts as a service provider processing data on the Institution’s instructions (subject to the contract and this policy).

2. Key privacy principles (plain English)

• App-surface capture (not full desktop): evidence is captured from the Authero application surface during active workspace use.
• No clipboard/paste text stored: copy/paste is logged as fingerprints (e.g., hash + length + context), not raw clipboard/pasted content.
• Role-gated access: evidence is accessible only to authorised roles (e.g., teachers/admins) under authentication and authorisation controls.
• Short-lived evidence links: where links are used to view evidence, they are minted on demand and expire after a short period.
• No sale of student data: we do not sell personal information and do not use Customer Content to train unrelated AI models unless explicitly agreed in writing.

3. Information we collect

3.1 Account and identity

• Name, email address, role (student/teacher/admin), institution/tenant identifiers.
• Provisioning records (including bulk user upload) and password hashes.
• Authentication and security logs (e.g., login success/failure).

3.2 Student work and workspace content

• Assignment drafting content created inside the Authero workspace.
• Research notes created inside the Authero workspace.
• In-app research/source metadata captured within the Service (e.g., websites visited in the in-app browser and timestamps).

3.3 Integrity-evidence and monitoring data

• App-surface screenshots captured during active workspace use (not full desktop).
• Session/event metadata (timestamps, session identifiers, event types).
• Copy/paste fingerprints (e.g., hash + length + context/labels). We do not store clipboard contents or raw pasted text as part of fingerprint logging.

3.4 Technical, security and audit logs

• IP address, device/app identifiers, OS version, crash reports, performance telemetry.
• Audit logs and administrative action logs (e.g., tenant/user administration, security-related events).

4. How we use information

• Provide and operate the Service (including saving student work and enabling teacher review).
• Generate integrity evidence (timelines, events, screenshots where enabled, paste fingerprints).
• Administer Institutions, accounts, roles, and access permissions.
• Secure the Service, prevent misuse, and investigate incidents.
• Provide support and improve reliability/usability.
• Comply with legal obligations and enforce agreements.

5. Sharing and disclosure

We do not sell personal information.

We may disclose information to: (a) the Institution and authorised users (based on roles and permissions); (b) service providers who help us operate the Service (hosting, storage, security, logging, email, support tooling) under confidentiality and security obligations; and (c) authorities where required by law or to protect rights, safety, and security. A current list of service providers/sub-processors can be provided on request.

6. AI features

If AI features are enabled, prompts and relevant context may be sent to third-party AI providers to generate responses. AI outputs may be inaccurate and must be reviewed by teachers or authorised staff. Users and Institutions should avoid including unnecessary sensitive personal information in AI prompts.

We do not permit service providers to use Customer Content to train unrelated AI models unless explicitly agreed in writing.

7. Data location and international transfers

We aim to host Institution data in agreed regions where feasible. Some service providers may process data in other jurisdictions. Where cross-border transfers occur, we apply contractual and technical safeguards required by applicable law.

8. Security

We implement reasonable technical and organisational measures designed to protect information, including authentication and role-based access controls, encryption in transit, and security monitoring. Where evidence is accessed via links, access links are generated on demand and expire after a short period.

No system is perfectly secure. To the maximum extent permitted by law, we do not guarantee that unauthorised third parties will never be able to defeat our security measures. We are not responsible for unauthorised access or disclosure caused by events outside our reasonable control (including sophisticated third-party cyberattacks), except to the extent liability cannot be excluded under applicable law.

9. Retention and deletion

Retention is institution-controlled and/or contract-controlled. We retain information only as long as reasonably necessary to provide the Service, comply with legal obligations, resolve disputes, and maintain security records.

10. Access, correction, and other rights

Rights vary by jurisdiction. In most school deployments, students and staff should raise privacy requests with their Institution first (as the primary administrator). Institutions may contact us at admin@authero.app for assistance with access, correction, deletion, or export requests.

11. Children

The Service is designed for educational use and may be used by minors under Institution supervision. Institutions are responsible for providing notices and obtaining parental/guardian permissions where required.

12. Complaints and contact

Questions or complaints about this policy can be directed to admin@authero.app. If you are not satisfied, you may contact the relevant privacy regulator (for example, the Office of the Australian Information Commissioner).

13. Updates

We may update this policy from time to time. We will post the updated version with a revised effective date.