Legal
Privacy Policy
How we handle the data you and your institution share with Papiro.
1. Who we are
Papiro ("Papiro", "we", "us") is a Belgian company (currently in the process of registration) located in Antwerp. We build software that helps students document AI use and help educators review that work in context.
For questions about this policy, reach us at: privacy@papiro.be.
2. Controller and processor
Papiro operates in two roles depending on the context.
When your institution licenses Papiro, the institution is the data controller — they determine the purpose and conditions of processing. Papiro acts as a data processor on their behalf, bound by a Data Processing Agreement (DPA).
For visitors to our public website and for direct contact with us (demo requests, email), Papiro acts as the data controller and this policy applies directly.
3. What data we collect
Account data — Name, email address, role (student / educator / administrator), and the institution you belong to. Collected when your institution sets up your account.
Workspace content — Documents you upload, annotations you make, AI conversation transcripts you attach, and reflections you write. This is the core of what Papiro stores on your behalf.
Usage data — Anonymised and aggregated data about how the product is used — page visits, feature usage, session duration. This data is not linked to individual users.
Contact data — If you reach out to us directly (via the contact form or email), we store your name, email, and the content of your message to respond to you.
Cookies — See section 8 below.
4. Why we process your data
| Data type | Purpose | Legal basis |
|---|---|---|
| Account data | Access and authentication | Contract performance (Art. 6.1.b GDPR) |
| Workspace content | Core product functionality | Contract performance (Art. 6.1.b GDPR) |
| Usage data | Product improvement and reliability | Legitimate interest (Art. 6.1.f GDPR) |
| Contact data | Responding to enquiries | Legitimate interest (Art. 6.1.f GDPR) |
| Cookies (non-essential) | Analytics | Consent (Art. 6.1.a GDPR) |
5. What we don't do
- We do not sell personal data to any third party.
- We do not run AI detection scoring on student work or content.
- We do not use student content to train AI models of third parties.
- We do not share workspace content with anyone outside your institution, unless required by law.
6. Who we share data with
We use a limited number of sub-processors to operate the service — for hosting, authentication, and transactional email. All sub-processors are contractually bound to GDPR-compliant data handling.
We do not transfer personal data outside the European Economic Area (EEA) unless appropriate safeguards are in place under Chapter V of the GDPR.
7. How long we keep your data
| Data type | Retention period |
|---|---|
| Account data | Duration of institution contract + 30 days grace period for export |
| Workspace content | Duration of institution contract + 30 days grace period for export |
| Usage data | 24 months |
| Contact data | 12 months after last contact |
| Cookie consent records | 6 months |
After the applicable retention period, data is permanently deleted from all production and backup systems.
8. Cookies
Papiro uses cookies to make the service work and, with your consent, to understand how it is used.
Essential cookies (no consent required) These are strictly necessary for the platform to function — authentication tokens, session management, security. These cannot be disabled.
Analytics cookies (consent required) We use anonymised analytics to understand general usage patterns. These are only placed with your explicit consent and can be withdrawn at any time via the cookie settings in the footer of our website.
We do not use advertising cookies or tracking cookies for profiling purposes.
Cookie consent records are kept for a maximum of 6 months in line with GBA/APD guidelines.
9. Your rights under the GDPR
As a data subject, you have the following rights:
- Right of access — you can request a copy of the data we hold about you.
- Right to rectification — you can ask us to correct inaccurate data.
- Right to erasure — you can ask us to delete your data, subject to legal obligations.
- Right to data portability — you can request your data in a structured, machine-readable format.
- Right to object — you can object to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior processing.
To exercise any of these rights, contact your institution's administrator or write to us directly at privacy@papiro.be We will respond within 30 days.
10. Changes to this policy
We may update this policy as the product evolves or as legal requirements change. We will notify institutional administrators of material changes by email.
The most recent update of this page: April 21, 2026.