Privacy Policy
Last updated: June 6, 2026
1. Data Controller
QuizyPeasy ("we", "us", or "our") is the data controller responsible for your personal data under the General Data Protection Regulation (GDPR). If you have any questions about how we handle your data, please contact us. We are not required to appoint a Data Protection Officer (DPO) as we do not carry out large-scale systematic processing of personal data.
2. Information We Collect
We collect the following categories of personal data:
- Account data: Your name and email address, provided via your Google, Microsoft, or Apple account, or entered directly when registering with email and password.
- Subscription data: Your subscription status and plan tier, managed by LemonSqueezy as our Merchant of Record.
- Uploaded content: Documents, text, and other materials you upload to generate tests. We process this solely to deliver the service.
- Usage data: AI token usage counts and feature activity, used to enforce plan limits and improve the service.
- Technical data: IP addresses and browser information collected automatically by our servers and infrastructure.
3. Legal Basis for Processing
We process your personal data on the following legal bases (GDPR Art. 6):
- Contract performance (Art. 6(1)(b)): Account data and uploaded content are processed to provide the service you signed up for.
- Legitimate interests (Art. 6(1)(f)): Usage analytics and technical data are processed to improve service reliability and performance. Our legitimate interest does not override your rights.
- Consent (Art. 6(1)(a)): Marketing and newsletter emails are only sent if you have explicitly opted in. You may withdraw consent at any time.
4. How We Use Your Information
- Generate personalised tests and quizzes based on your uploaded content.
- Create and manage your account.
- Email you regarding your account, subscription, or service updates.
- Fulfil and manage purchases and subscription billing through LemonSqueezy.
- Monitor usage to enforce plan limits and prevent abuse.
- Analyse aggregate trends to improve the service.
5. Data Retention
- Account data: Retained while your account is active and for 30 days after a deletion request, after which it is permanently removed.
- Uploaded files: Deleted when you remove them, or upon account closure.
- Anonymised analytics: Retained indefinitely as they contain no personal data.
6. Third-Party Sub-processors
We share your data only with the following sub-processors, strictly as necessary to deliver the service:
| Provider | Purpose | Location |
|---|---|---|
| OAuth sign-in, AI generation (Gemini) | USA (SCCs) | |
| Microsoft | OAuth sign-in | USA (SCCs) |
| Apple | OAuth sign-in | USA (SCCs) |
| Supabase | Database & file storage | EU |
| LemonSqueezy | Payment processing (Merchant of Record) | USA (SCCs) |
| Resend | Transactional email delivery | USA (SCCs) |
| Vercel | Hosting & CDN | USA (SCCs) |
7. International Transfers
Some of our sub-processors are located outside the EU/EEA. Where data is transferred to countries without an EU adequacy decision (such as the USA), transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission. Supabase stores your data within the EU.
8. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Request that we limit how we process your data.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent for marketing emails at any time, without affecting prior processing.
- Complaint: Lodge a complaint with your national supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
To exercise any of these rights, please contact us. We will respond within 30 days.
9. Data Security
We use administrative, technical, and physical security measures to protect your personal information, including encryption in transit (HTTPS) and at rest. While we take reasonable steps to secure your data, no method of transmission or storage is completely secure. In the event of a data breach affecting your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay.
10. Cookies
We use a minimal set of cookies:
- Session cookie: Strictly necessary for authentication. No consent required.
- Analytics: Vercel Analytics collects anonymised, aggregate data about page visits. No personal data is collected and no consent banner is required.
We do not use advertising or tracking cookies.
11. Marketing Communications
We will only send marketing or newsletter emails if you have explicitly opted in. The legal basis for this processing is your consent (GDPR Art. 6(1)(a)). You may withdraw consent at any time by clicking the unsubscribe link in any marketing email, or by updating your preferences in your profile settings. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
12. Contact & GDPR Requests
To exercise your data rights, submit a GDPR request, or ask any questions about this Privacy Policy, please contact us via our contact page. We aim to respond within 30 days.
Contact Support via our Contact Page