
Privacy Policy

Last updated: May 2026

Plain-English Summary: Teachers create accounts and own their quiz content. Students never create accounts — they join by PIN only. We do not collect any personal information from students. Quiz content you upload is processed by Google Gemini to generate questions and is never used to train AI models.

1. Who We Are

Kwizzy Inc. ("Kwizzy," "we," "our," or "us") operates the Kwizzy platform at kwizzy.online — an AI-powered quiz platform designed for K-8 classrooms. Our contact address for all privacy matters is support@kwizzy.online.

2. Information We Collect

2a. Teacher Accounts (via Clerk)

When a teacher creates an account, we collect through our authentication provider Clerk:

  • Email address
  • Name (as entered during sign-up)
  • Authentication identifiers (Clerk User ID)
  • Session tokens (stored in browser cookies)

This information is necessary to provide the service under a contract with you (Article 6(1)(b) GDPR).

2b. Billing Information (via Stripe)

For paid subscriptions, payment processing is handled entirely by Stripe. Kwizzy never sees, stores, or processes raw card numbers. We store only: your Stripe Customer ID and subscription status (Free / Pro / Growth).

2c. Quiz Content

Documents, URLs, or text you upload to generate quizzes are transmitted to Google's Gemini API for processing. We do not permanently store uploaded source documents. Generated quiz questions are stored in our database and remain your property.

2d. Students — No PII Collected (COPPA/FERPA Design)

Students never create accounts. They join sessions by entering a 4-digit PIN on a shared classroom device or their phone. No name, email, age, or any personally identifiable information is required or stored for students.

For asynchronous ("Deep-Quest") mode, a random UUID is generated and stored in the student's browser localStorage only. This UUID:

  • Is generated locally in the browser — it never leaves the student's device to be tied to their identity
  • Is not linked to any name, email, school ID, or other identifier
  • Cannot be used to identify the student across sessions or devices
  • Is deleted when the student clears their browser storage

Anonymous session responses (correct/incorrect per question) are stored server-side for up to 365 days for post-game reporting, then permanently deleted.

3. AI Processing Disclosure

Documents and URLs you submit are sent to the Google Gemini API (Google AI Studio) for quiz generation. Please be aware:

  • No training: Kwizzy uses Google's API in a mode where your data is not used to train or improve Google's AI models. See Google AI Studio Terms for details.
  • Content sensitivity: Do not upload documents containing sensitive personal data, student records, or confidential information.
  • AI accuracy: AI-generated quiz content may contain inaccuracies. Review all generated content before using.

4. Third-Party Services

We use the following sub-processors. Each operates under its own privacy policy:

  • Clerk (clerk.com) — Teacher authentication and session management
  • Stripe (stripe.com) — Payment processing and subscription management
  • Cloudflare (cloudflare.com) — API hosting, CDN, DDoS protection, and access logs
  • Pusher (pusher.com) — Real-time WebSocket messaging for live quiz sessions
  • Google (Gemini API) (ai.google.dev) — AI quiz generation from uploaded content
  • Neon (neon.tech) — Serverless PostgreSQL database hosting
  • Vercel (vercel.com) — Frontend web application hosting

5. COPPA Compliance

The Children's Online Privacy Protection Act (COPPA) prohibits the collection of personal information from children under 13 without verifiable parental consent. Kwizzy is designed to be COPPA-compliant by default:

  • Students do not create accounts or provide any personal information
  • No names, emails, ages, photos, or device identifiers are collected from students
  • Student participation is fully anonymous and PIN-based only
  • Teacher accounts are intended for adults (18+) only

6. FERPA Compliance

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. Kwizzy supports FERPA compliance for schools using the platform:

  • We do not collect, store, or process student education records
  • Quiz performance data is stored only as anonymous aggregates (e.g., "60% of the class answered Q3 correctly") — no individual student records are created
  • Teachers retain full control over quiz content and session data
  • Schools or districts requiring a Data Processing Agreement (DPA) may contact us at support@kwizzy.online

7. Your Rights (GDPR — EEA/UK Users)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure ("Right to be Forgotten"): Request deletion of your account and associated data
  • Portability: Receive your data in a machine-readable format
  • Restriction: Request that we limit processing of your data
  • Objection: Object to processing based on legitimate interests

To exercise any of these rights, email support@kwizzy.online. We will respond within 30 days.

8. Your Rights (CCPA — California Users)

California residents have the right to know what personal information is collected, the right to deletion, and the right to opt out of the sale of personal information. Kwizzy does not sell personal information to third parties. To make a CCPA request, contact support@kwizzy.online.

9. Data Retention

  • Teacher accounts and quiz content: Retained for the lifetime of your account, plus 90 days after a deletion request (to allow recovery), then permanently deleted.
  • Session logs and student responses: 365 days from the session date. After 365 days, only anonymized aggregate statistics are retained.
  • Billing records: 7 years, as required by US tax law (IRS regulations).
  • Cloudflare access logs: 90 days, per Cloudflare's standard retention.

10. Security

We protect your data using industry-standard measures including TLS encryption in transit, encrypted databases at rest, and role-based access controls. However, no internet transmission is 100% secure. In the event of a data breach affecting personal information, we will notify affected users within 72 hours of discovery, as required by GDPR and consistent with best practice.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered teacher accounts. The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the service after changes constitutes acceptance.

12. Contact

For all privacy inquiries, data subject requests, or DPA requests:
