Date of Last Amendment: January 29, 2023
Passed.ai (Fractal SAAS Inc.) respects and endorses Users’ rights to privacy and to understand how and why we collect, use, safeguard, and disclose personal information, both their own and the third-party personal information they collect as Data Controllers and that we process on their behalf as sub-processor.
Fractal SAAS Inc. Inc. (“Fractal SAAS Inc.,” “Passed.ai,” “we,” “us,” “our”) helps Users of its Passed.ai services identify academic writing that is plagiarized or AI-generated.
We use the terms “Clients” and “Users” interchangeably to refer to purchasers/users of our Passed.ai services. Clients may be individuals (educators), public or private educational institutions (schools, school boards, colleges universities), academic journals/publishers, etc. In some contexts, Users also refers to visitors to our Website who have not yet created an account or purchased our services. This second type of User may also be referred to in this Policy as a Website User.
References to our Website include our Passed.ai App, Chrome Extension, API..
Section O. details the respective obligations of Fractal SAAS Inc. and our Clients with respect to Third Parties’ personal information.
- Personal Information
Two types of personal information are subject to privacy rights.
The first is information that identifies a specific person (either alone or in combination with other information).
If it is rare enough, a person’s name alone could be personal information. If it is not sufficiently uncommon (and most people’s names are not), an individual’s name combined with a second piece of information is an example of personal information. Home address, email address, telephone number, social media identifier, age, nickname, a detailed description of physical features, the neighbourhood in which the person lives, where they went to school, and their medical history are examples of information that would be personal information when combined with a name or other identifier.
The other type of protected personal information is anything of a personal nature about an identifiable individual.
Examples of this kind of personal information include
- The person’s race, national or ethnic origin, colour, religion, age, sex, sexual orientation, or marital or family status.
- The person’s education or medical, psychiatric, psychological, criminal, or employment history.
- The person’s financial status or information relating to financial transactions in which the person has been involved.
- The person’s social security number or another unique number or identifier assigned to them.
- The person’s fingerprints or blood type.
- The individual’s personal opinions or views about social or political issues.
- The views or opinions of others about the person.
- Generally, any information that could prove embarrassing or harmful to an individual’s reputation or that a reasonable person would not want to be in the public domain.
- The Personal Information We Collect
Given the nature of our business and the reason Users visit our Website and enter into transactions with us, the personal information we collect from Clients and use is limited to
- Identification information necessary for Clients to create accounts and purchase and use our services: name, email address, and password.
- Information that helps us improve our services, Website, and business processes.
- Information to conduct customer relationship audits and management procedures, as well as marketing and advertising initiatives, including identifying service improvements and additional products or services that may be of interest to Clients.
- Information that will help us better manage and improve our Clients’ overall relationship with us so that they continue doing business with us, including improving User experience on our Website.
- For additional information about points two through four in this list, see Other Information We Collect.
- Why We Collect Personal Information and Clients’ Consent
We collect personal information so that
- Our Website works as Users expect and provides Users with a personalized experience.
- Clients can purchase and use our services.
- We can carry out our contractual obligations to Clients and take the necessary steps to enter into contracts with Clients.
- For other reasons described in this Policy.
Examples of carrying out our contractual obligations to a Client include providing access to the dashboard on our Website.
We collect personal and non-personal information to operate our business and our Website. We require this information to ensure that our services meet the evolving needs of our Clients and that the design and navigability of our Website are optimized for the best User experience.
Examples of the type of information we collect for these purposes and how we collect it can be found in Other Information We Collect.
In all instances, we only collect personal information for the purposes outlined in this Policy. We do not collect personal information for any other purpose, i.e., we do not collect personal information that is not needed for Clients to purchase and use our services or for us to communicate with Clients, including (i) providing service updates and support, (ii) operating our business. (e.g., keeping proper records), and (iii) improving or adding to our offerings and Website, all of which are legitimate business purposes.
Fractal SAAS Inc. does not conduct business with or knowingly collect personal information from minors (children). If a Website User has not reached the age of majority where they live, they must not (i) enter any personal information in any form on our Website, (ii) provide personal information any other way, (iii) transact or attempt to transact business with Fractal SAAS Inc. by, for example, creating an account, or (iv) continue to browse our Website.
By contracting with Fractal SAAS Inc. (i.e., purchasing our Passed.ai services), Clients consent to our collection and use of personal information as outlined in this Policy.
By browsing our Website, Users consent to our collection and use of personal and non-personal information arising out of that use as outlined in this Policy.
A User who does not want us to collect or use personal information is advised not to browse our Website or purchase our services. A User unable to find an acceptable alternative to our services and having no choice but to purchase from us, but still not wishing to provide us with personal information, may contact our Privacy Compliance Officer (PCO) at [email protected] to discuss if and how this can be accomplished. When contacting our PCO, please indicate “Privacy Inquiry” in the subject line.
A User who objects to our collection of information while they access our Website may contact our PCO at [email protected]. We will make commercially reasonable efforts to delete and permanently destroy any personal information collected up until the time the User made their wishes known. Non-personal (anonymous) information will not be deleted.
When a User contacts us by way of a form on this Website or sets up an account with us, they consent to our collection and use of the personal information they provide. Similarly, if a User contacts us by any other means, they consent to our collection and use of the personal information they provide. That use may include email marketing, from which Users may unsubscribe.
Should we wish to use a User’s personal information for any purpose other than as outlined in this Policy, we will first obtain their consent.
- Internal Access to Personal Information
Access to personal information is limited to Fractal SAAS Inc. employees who require it to (i) develop and provide our Passed.ai services, and (ii) provide customer support. The personal information made available to employees is limited to the information they need to do their jobs/provide their services.
If a third-party contractor has or could have access to personal information, we require that contractor to treat it as confidentially as we do. An IT contractor providing system maintenance is an example of a third party that may have access to personal information in the course of providing services to us. Other third-party services that will or may involve access to personal information include payment processing, customer services (e.g., contact centre services), data analysis, hosting services, marketing, and product development. Specific third-party contractors to which we provide personal information are identified in Other Information We Collect.
- External Disclosure of Personal Information
Other than as detailed in this Policy, Fractal SAAS Inc. does not disclose personal information to third parties except in situations in which a reasonable person would expect it to be disclosed. An example is if we hired a third party to provide customer support (e.g., Help Desk) services.
Fractal SAAS Inc. discloses personal information if required to do so by Court order or operation of law (e.g., receipt of a subpoena or summons). Unless legally prevented from doing so, we will first attempt to advise the Client that we have received an order or direction to disclose personal information so that the Client can challenge the order if they see fit.
We disclose personal information to the proper authorities if necessary to report criminal or probable criminal activity, including fraud against us or one of our Clients, or to protect the security of our Clients and their property, including their intellectual property. Clients consent to the reasonable exercise of our discretion in such matters.
We do not sell Clients’ personal information.
- Retention of Personal Information
We retain personal information indefinitely so that Clients can purchase and use our services on an ongoing basis. This also allows us to provide ongoing service updates and support.
When we dispose of personal information, we do so in a way that prevents a privacy breach, i.e., by securely shredding paper files and completely and permanently deleting electronic records. Any information retained purely for statistical purposes will be rendered anonymous and no longer personal information.
If instructed to do so by a Client or Website User, we will dispose of personal information. Please contact our PCO at [email protected] if you wish to have your personal information deleted from our records. When contacting our PCO, please indicate “Privacy Inquiry” in the subject line.
- Accuracy of Personal Information
We make commercially reasonable efforts to ensure that personal information is accurate, complete, and up to date.
For that purpose, we may require Clients to confirm/update information from time to time. We are not responsible for the inaccuracy or incompleteness of information if a customer fails to update us in a timely manner.
We use industry-standard administrative, electronic (HTTPS over TLS encryption), and physical security measures to prevent unauthorized access to Clients’ personal information.
- Data Breaches
While we take commercially reasonable steps to secure personal information, no security measures are perfect or impenetrable, and no method of data storage or transmission can be guaranteed against any interception or other misuse. In particular, any information stored online is vulnerable to interception and misuse by unauthorized parties.
In the event of a data breach that poses a real risk of significant harm to Clients, we will take the following steps
- Notify Clients of the breach if their personal information was or may have been accessed or affected.
- If known, advise Clients of the specific personal information that was or may have been accessed or affected.
- Advise Clients of steps they can take to reduce the risk of harm from the breach, e.g., changing passwords or monitoring accounts.
- Advise Clients when the breach has been addressed and the risk to data has abated.
- Advise applicable government authorities of the breach if required to do so by law.
- Clients’ Access to Their Personal Information
Clients are entitled to know their personal information in our records.
Clients who would like a copy of their personal information may contact our PCO at [email protected]. When contacting our PCO, please indicate “Privacy Inquiry” in the subject line.
If any personal information in our records is inaccurate or incomplete, please advise our PCO and we will correct it.
Fractal SAAS Inc. offers its Passed.ai services to anyone with Internet access who requires them. Our Clients can be found in countries all around the world.
If you believe we are not handling your personal information as required by the privacy regulations in your country, please address your concern in the first instance to our PCO at [email protected]. When contacting our PCO, please indicate “Privacy Inquiry” in the subject line.
You have the right to have your concern reviewed fairly and impartially by our PCO in the context of the laws and regulations that apply to you, and to be advised of the outcome of the review and any steps taken to address your concern, including any amendments to this Policy or any changes to our practices as they apply to customers in your country.
- Fractal SAAS Inc.’s Privacy Compliance Officer
Fractal SAAS Inc. has designated an appropriate official as its Privacy Compliance Officer (PCO). The PCO is empowered to ensure compliance with Fractal SAAS Inc.’s confidentiality of personal information obligations.
Contact our Privacy Compliance Officer at [email protected]. When contacting our PCO, please indicate “Privacy Inquiry” in the subject line.
- Other Information We Collect
Each time a User visits our Website or otherwise connects with us electronically, we collect information. This information might be about the User’s preferences or device and is mostly used to make our Website work as Users expect it to. The information does not usually personally identify the User (although it might). It does allow for a more personalized website experience.
Examples of the information we collect or may collect include the date and time of a visit or connection, the User’s browser type, the User’s Internet Service Provider and IP address, the site the User visited before or after our Website (“navigation history,” “referring site”), and the pages on our site that were viewed. In isolation, a single piece of such information does not necessarily identify a User but, in some cases, it could be used in combination with other information to identify an individual User, particularly if the User provided us with personal information at the time of their visit or connection.
In addition to using this information to optimize our Website, we use this information for our internal security audit log, usage and trend analysis, system administration, and to gather aggregate demographic information about our User base for market identification and related purposes, including how Clients use our service. We share this information, including personal information, with third parties that provide services to us, including analysis, storage, and data aggregation/organization.
Because such information could in some cases be used to identify an individual, we treat it as personal information. This means we only use it for the legitimate purposes of operating our business and advancing our commercially reasonable business objectives, including understanding how Clients use our service. We do not use it for any other purpose.
By using our Website or otherwise connecting with us electronically, Users acknowledge that they understand that we collect information of the nature described. If a User objects to our gathering information of this type, the User is advised not to use our Website or connect with us electronically.
Cookies are small text files that are placed on users’ computers by websites. They are widely used to allow websites to work properly and be more user-friendly, remember user preferences, improve user experience, and provide website owners with information they use for legitimate business purposes. A description of what cookies are and how they work can be found here.
Some cookies placed by our Website are from third-party companies that provide us with analytics and other services. The information collected helps us understand how users interact with our Website and, in some cases, how customers use our services so that we can identify new services (or products) to offer and upgrades to existing services that will add value for our customers.
In particular, we use Google Tag Manager, a Google Analytics tool, to manage tags. Marketing tags are segments of code on a website that track user actions and collect data. Specific actions on a website trigger tags to collect data about the activity and send it to an analytics tool. Different tags serve different functions: Pageview Tags monitor visits to pages on a website; Conversion Tags track, for example, each time a sale is made or a form is filled out.
We use the Google Search Console to obtain search-engine-related data to help us optimize traffic to our Website. Examples of search-engine-related data include user queries and the number of times our site’s URLs appear in search results (impressions), along with post-click data about site engagement like bounce rates and e-commerce conversion rates.
Google policies require that no data be passed to Google that Google could use or recognize as personal information. More information about Google’s policies is here.
We use Google Ads to highlight our Website when users use Google’s search engine. We do not disclose personal information when we use Google Ads.
We use Meta Ads to advertise on, for example, Facebook and Instagram. We may disclose aggregate, anonymous data about visitors and visits to our Website to Meta but we do not disclose personal information.
Other Service Providers
In addition to Google, the following companies provide services to us:
- Firebase and Google Cloud for data processing and storage.
- Google Analytics for analytics.
- SendGrid We use SendGrid for email marketing.
- Stripe Is our payment processor.
Other User-Tracking Technologies
We may use web beacons (sometimes called trackers). Web beacons allow the owner of a website to count the number of users who click on an advertisement for its product or service on a third-party site (in order to assess the value of advertising on that third-party site). Web beacons collect only specific information, such as a cookie number, time and date of visit, and a description of the page on which the web beacon is installed. Personal information is not collected.
It is not possible to opt out of web beacons used on web pages. However, because web beacons are used together with cookies, their use can be limited by deleting cookies or changing browsers’ cookie settings.
Managing Cookies Settings
Cookie settings can be managed to clear or block specific cookies or all cookies. However, a User who blocks all of the cookies that we use may find their user experience affected or that our Website loses most or all of its functionality. Cookie settings are accessed via browser settings. Please keep in mind that by clearing all cookies, all website preferences will be lost.
- Third Parties’ Personal Information
Our Passed.ai services help Users identify academic writing that may be plagiarized or AI-generated. This means that in addition to collecting and storing personal information about our Clients, we process Content that their students (or others) provide to them. That Content may include personal information about the student or other individual submitting it.
Clients may wish to consider implementing procedures that permit the uploading to our services of Content that is anonymous to us.
In any event, because our Clients directly and in the first instance collect the Content that we process, they (our Clients) are the Data Controllers in relation to that Content. Our position vis-a-vis any personal information that may be contained in Content is that we are our Clients’ sub-processor (or one of them).
Data Controllers and not sub-processors are responsible to Content-submitters and regulatory authorities to ensure compliance with privacy and data protection laws and regulations.
Data Controllers are also responsible for ensuring that consent has been obtained before personal information is collected and processed (or that there is another legal basis for the lawful collection and processing of the personal information). Fractal SAAS Inc. does not collect personal information directly from Content-submitters and therefore has no way to obtain consent or ensure there is another legal basis for the lawful collection and processing of their personal information. We rely completely on our Clients for compliance with all privacy laws and regulations in that regard.
Therefore, by using our services, Clients agree to indemnify and hold harmless Fractal SAAS Inc., its directors, officers, employees, contractors, subcontractors, Website content contributors, agents, co-branders, suppliers, subsidiaries, parent companies, and affiliates from any and all liabilities, losses, claims (including, but not limited to, claims for injunctive relief), demands, disputes, damages, losses, liens, causes of action, suits, civil, criminal, statutory, or administrative actions or proceedings, fines, taxes, assessments, penalties, judgments, and/or other expenses of any kind, nature, or description whatsoever (including, but not limited to, Fractal SAAS Inc.’s legal fees and expenses and costs of investigation) resulting from or in any way connected to a violation of any law or regulation related to privacy and data protection (no matter the jurisdiction or regulatory regime). Clients warrant that, if applicable, they have the authority to bind their institution/employer/etc. in connection with this Indemnification.
Data Controllers, as the party responsible for the protection of personal information transferred to sub-processors, are expected to use contractual privacy protection clauses or other means to ensure a comparable level of protection when personal information is processed by a sub-processor.
We treat third-party personal information differently from Client’s personal information in one respect. We do not retain third-party personal information indefinitely. Instead, we dispose of it (in a way that prevents a privacy breach) within a commercially reasonable period of time, typically 90 to 120 days after it has been processed. We anonymize any Content we retain for legitimate business purposes, such as improving our services detection capabilities.
Notice to California Residents
Notice to EU/EEA Residents
Notice UK Residents