FERPA Statement & Data Privacy Policy
Last Updated: April 21, 2026
1. Introduction and FERPA Compliance
Cursive Technology, Inc. (“Cursive,” “we,” or “us”) provides authorship verification tools for educational institutions and individual learners.
We operate as a “School Official” under the Federal Education Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) when serving educational institutions.
- Institutional Role: For Moodle and other API-driven integrations, Cursive acts as a Data Processor. We process keystroke timing data to return authorship analysis to the origin institution.
- No PII in API Workflow: We do not collect names, email addresses, or other Personally Identifiable Information (PII) through these API connections.
- Voluntary Use: Adoption of the Cursive Moodle plugin is voluntary and provided on an “as-is” basis.
2. Data Collection and Surface Areas
Cursive uses a “local-first” architecture to ensure that the most sensitive data never leaves the user’s control.
A. Browser Extension & Local Backend (Personal Use)
The Software captures keyboard timing events on supported webpages while the extension is active.
- What We Collect: Keystroke timing events, including the key pressed, the time of the event, and whether it was a press or release.
- Biometric Processing: All biometric processing occurs entirely on your local device via the local backend service.
- No Cloud Transmission: Raw keystroke data, typing content, and biometric templates are never transmitted to external servers or cloud services.
- Optional Attestation Sharing: If you explicitly choose to share a specific attestation record — for example, to let a recipient verify a document you wrote — the signed attestation is transmitted to Cursive’s attestation endpoint at cursivetechnology.com over HTTPS. The transmitted record contains only signed summary statistics and a cryptographic signature; it never contains raw keystrokes, typed text, or biometric templates. You can delete any shared attestation at any time from the Authorship Review page, which removes it from Cursive’s servers.
B. Authorship Review & Document History
For the Authorship Review feature, the extension retrieves document revision history from platforms like Google Docs, Microsoft Word Online, and Substack.
- Usage: This data is used to reconstruct editing operations and display document composition history.
- Storage: This information is stored locally in your browser and persists until browser data is cleared.
C. Third-Party Platform Integrations
Microsoft (Word Online and Outlook): When you opt in to Microsoft
verification, Cursive uses the Microsoft Graph API with the read-only
“Files.Read” scope (plus “offline_access” for refresh tokens) to read
document metadata, list revision versions, and export .docx or .pdf
copies when you initiate an Authorship Review. Cursive does not
request write, delete, or share scopes, and never modifies your files.
Authentication is performed through Microsoft’s OAuth 2.0 / PKCE flow
via login.microsoftonline.com.
Google Classroom (Teacher View): When a teacher opens a student
submission in the Google Classroom grading view, Cursive renders a
small panel showing effort percentage, time spent writing, and
words-per-minute. These metrics are computed locally from the
document’s Google Docs revision history, which the teacher can access
because Classroom grants them shared-author rights on the submission.
Cursive does not capture keystrokes on Classroom itself and does not
transmit any Classroom data to Cursive servers or third parties.
Clipboard Source Attribution: When you copy or cut text on any webpage, the extension records the source page’s URL, title, and the selected text locally so that a subsequent paste into a supported editor can be attributed to its origin. This data stays on your device and is used only to annotate authorship records on your local backend — it is not transmitted to Cursive or any third party.
Google Fonts: The onboarding welcome page loads typefaces from
fonts.googleapis.com via standard stylesheet references. Google may
log your IP address when these stylesheets are fetched; no other data
is sent.
3. What We Do NOT Collect
To protect user privacy, Cursive strictly prohibits the capture of:
- Text content, sentences, or the meaning of what you type.
- Passwords or sensitive form field values.
- Mouse clicks, scrolling, or pointer movements.
- Browsing history or page content outside of supported writing platforms.
4. Google API & Chrome Web Store “Limited Use”
The use of information received from Google APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements.
- Purpose: Data is used solely to provide and improve the user-facing authorship verification features.
- No Transfers: We do not transfer user data to third parties for advertising, marketing, or any purpose unrelated to the core functionality of the Software.
- Experimental Features: The Gmail authorship feature (disabled by default) reads the Chrome profile email address only to bind identity to local attestation tokens. This email is not transmitted to any external server.
5. Data Storage and Security
All biometric data is stored locally on your device with industry-standard protections:
- Biometric Profile: Encrypted at rest and stored in %USERPROFILE%\.continuous-auth\.
- Signing Keys: Private keys are encrypted at rest; public keys remain unencrypted by design.
- Local Server: The backend service runs entirely on your machine with no outbound network connections.
6. User Controls and Deletion
Users maintain full autonomy over their data:
- Pause Monitoring: You may toggle the Software’s capture off globally or for individual documents via the extension popup.
- Delete Data: You can delete your biometric profile at any time by clicking “Reset” in the Software or by manually deleting the data folder at %USERPROFILE%\.continuous-auth\.
- Uninstall: Remove the extension from Chrome, then uninstall the backend service (aka desktop application) and/or delete the local biometric data folder at %USERPROFILE%\.continuous-auth\ to fully remove your biometric profile. Uninstalling the extension alone does not delete the locally stored biometric data created by the backend service.
7. Contact Information
For questions regarding this policy, FERPA compliance, or data deletion requests, please contact:
Cursive Technology Inc.
Email: info@cursivetechnology.com
Legal Inquiries: legal@cursivetechnology.com
