Privacy Policy
Last updated: 2026-04-23
1. What we collect
Quizzibility is an educational platform. The personal data we hold is limited to what makes the product work for you and your class:
- Account: email address, display name, role (teacher or student), password hash.
- Coursework: deck content you author, quiz responses you submit, code you write in assignments, peer-review feedback you give and receive.
- Operational telemetry: session IDs, timestamps, error reports (no full HTTP body capture), audit events for security-relevant actions.
- Optional integrations: if you bring your own AI provider key (OpenAI / Anthropic / Google), we store the key encrypted at rest and the message history you exchange with the model in this app.
We do not sell, rent, or share personal data with advertisers. We do not buy advertising audiences. We do not use your coursework to train external models.
2. Why we hold each category
See data classification for the per-table breakdown of legal basis, retention, and access control. The short version:
- Account & coursework: performance of contract — running the platform you signed up for.
- Audit events: legitimate interest (security, fraud prevention, FERPA-aligned record-keeping).
- Telemetry: legitimate interest (debugging, performance).
- AI provider key + chats: performance of contract (you opted in by entering a BYOK key).
3. Your rights
You can exercise these from your account settings or by contacting us at privacy@quizzibility.com:
- Access & export: download a ZIP of every record we hold keyed to your account. (Endpoint: GET /api/user/data-export.)
- Deletion: permanently delete your account. References from school-owned records (grades, course rosters) are anonymized ([deleted user]) but the records survive for institutional record-keeping. (Endpoint: DELETE /api/user.)
- Correction: update your email or display name from settings.
- Restriction / objection: contact us — we'll work it out case by case.
For users in the EU, UK, or other jurisdictions with statutory privacy rights: the same endpoints satisfy access, erasure, and portability requests under GDPR Articles 15, 17, and 20.
4. Sub-processors
We use a small set of vendors to operate the platform:
- Supabase: hosted Postgres, auth, file storage. Data resides in the United States.
- Vercel: web hosting + edge network.
- Fly.io: sandboxed code-execution service for student-submitted programs.
- Resend: transactional email (account confirmations, password resets, security notifications).
- Cloudflare Turnstile: bot protection on auth endpoints.
- Sentry: error tracking. We mask PII in stack traces and disable session-replay payload capture.
Each sub-processor is bound by a data-processing agreement to handle your data only on our instructions.
5. Retention
See the full retention schedule. Briefly: account-level data persists until you delete it; sessions and quiz responses persist for the academic-record period typical to a course (years, not weeks); audit events persist for 18 months; telemetry and ephemeral logs persist for 30 days.
6. Security
Passwords are hashed with bcrypt (Supabase default). All API traffic is HTTPS only. Row-level security in the database enforces per-user data scoping; service-role access is instrumented and audit-logged. MFA is optional for instructor accounts and mandatory for admin accounts. Security incidents are handled per the incident response runbook.
7. Children's privacy
Quizzibility is intended for use in higher-education settings (university CS courses). We do not knowingly collect data from children under 13. If you believe a child has created an account, contact us and we will delete it.
8. Changes
We will update the "Last updated" date when this policy changes. Material changes (new categories of data, new sub-processors) will trigger an in-app notification.
9. Contact
Privacy questions: privacy@quizzibility.com. Security disclosures: security@quizzibility.com.