Quizonator Privacy Policy
Last updated: May 25, 2026
1. General information and definitions
This Privacy Policy (the "Policy") sets out the rules for processing personal data of users of Quizonator services, in accordance with applicable Polish law, including Regulation (EU) 2016/679 ("GDPR"). The following terms are used in this Policy: Controller - QUIZONATOR Sp. z o.o. with its registered office in Wrocław, ul. Św. Mikołaja 8/11/208, 50-125 Wrocław, KRS: 0001149825, NIP: 8971947982, REGON: 540680867, acting as the controller of personal data within the meaning of GDPR. Extension - the Quizonator extension for the Chrome browser. Website - the quizonator.com website. App - the Quizonator mobile app for Android (com.quizonator). Service - features made available by the Controller through the Extension, Website, and App. User - a person using the Service. This Policy covers the Extension, Website, and App. Where rules differ depending on the channel, this is clearly indicated. The Controller does not display ads, does not track GPS location, and does not sell personal data.
2. Data we collect
2.1. Authentication data
Email address, username, and password, as well as login data via a Google account, collected for User registration and authorization. Passwords are not stored in plain text, but in hashed form.
2.2. Device and login data
Device information (e.g. model, operating system, browser version) and IP address, collected during login to ensure security and limit misuse.
2.3. Usage data
Quiz content (questions and answers): the Extension reads question content from the exam page opened by the User and sends it to the Controller's server (backend). The Controller's backend passes this content to the OpenAI API interface solely to generate a suggested answer, and returns the answer to the User. Quiz content and generated answers may be stored in the Controller's database to allow the User to view history and for analytical purposes. Details on data transfers to OpenAI are described in section 6. Quiz result summaries: stored for statistical and analytical purposes and to improve Service quality. Information about Service usage: including time spent, activity history, and error logs, processed for analytical and technical purposes. Subscription and profile data: information about the plan, subscription status, and preferences (e.g. language). Push notifications (App only): a device identifier used to deliver push notifications. Support requests: the content of correspondence sent to support. The User declares that submitted content is their intellectual property or that they have the appropriate rights to submit it.
2.4. Cookies
The rules for using cookies are described in section 8.
3. Purpose of data processing
- Providing and ensuring Service functionality, including generating suggested answers and providing history. - User registration and authorization, to enable account access and security. - Handling subscriptions and payments. - Preventing misuse, by monitoring logins and activities to detect and counter unauthorized actions. - Statistical and technical analysis, to improve Service quality and develop new features. - Communication with the User, including handling support requests.
4. Legal basis for data processing
The Controller processes personal data on the following bases: Article 6(1)(b) GDPR (performance of a contract) - for data necessary to provide the Service: registration and authorization, generating answers, providing history, and handling subscriptions and payments. Article 6(1)(f) GDPR (legitimate interests of the Controller) - for ensuring security, preventing misuse, and conducting statistical and technical analyses to improve the Service. Article 6(1)(a) GDPR (User consent) - for analytical cookies and other optional processing. Consent is voluntary and may be withdrawn at any time, without affecting the lawfulness of processing carried out before withdrawal. Article 6(1)(c) GDPR (legal obligation) - when processing is necessary to fulfill legal obligations imposed on the Controller. Using the Service or accepting this Policy alone does not constitute consent within the meaning of Article 6(1)(a) GDPR. Where consent is required, it is collected separately through an explicit action by the User.
5. Data recipients and processors
User data is not shared with third parties except when: - it is necessary to provide the Service and is done through trusted processors, - required by law (e.g. requests from authorized authorities), - the User has given explicit consent. The Controller uses the following categories of entities processing data on its behalf: OpenAI - processing quiz content to generate suggested answers (see section 6). Stripe - payment processing in the Extension and on the Website. Google - login via Google account, distribution and payments in the App (Google Play), and delivery of push notifications. Hosting infrastructure provider - data storage and backend maintenance. All processors are obligated to protect data in accordance with GDPR under data processing agreements.
6. Transfers of data to third countries
To generate suggested answers, quiz content is transferred to OpenAI, a provider based in the United States. This means a transfer of data to a third country within the meaning of GDPR. The transfer is based on Standard Contractual Clauses (SCC) approved by the European Commission under Article 46(2)(c) GDPR, constituting an appropriate safeguard for the transfer, and on a Data Processing Agreement (DPA) concluded with OpenAI. Data transferred to the OpenAI API is not used to train OpenAI models. The Controller limits the scope of transferred data to content necessary to generate an answer. Apart from the above case, User data stored by processors is maintained on servers located in the European Economic Area or in countries providing an adequate level of data protection or covered by appropriate safeguards under GDPR.
7. Data security
- The Controller applies technical and organizational measures, such as encryption and access control systems, to protect data against unauthorized access, loss, or modification. - Access to data is granted only to authorized persons obligated to maintain confidentiality. - The User is obligated to secure their login details and not share them with third parties.
8. Cookies
The Controller uses cookies and similar technologies in two categories: Essential (technical) cookies: necessary for the proper functioning of the Service, including maintaining sessions and authorization. They do not require consent and cannot be disabled within the Service. Analytical (optional) cookies: used to analyze Service usage and improve its quality. They are used only after the User gives consent through the cookie banner. The User may change their choice regarding analytical cookies at any time in the cookie banner settings, and may also manage cookies through browser settings.
9. Data of minors
- The Service is not directed at children under 13 years of age, and use by such persons is not permitted. - For Users under 16 years of age, consent-based processing is lawful only when consent is given or approved by a person holding parental authority or legal guardianship over the child, in accordance with Article 8 GDPR. - If the Controller learns that data concerns a person below the required age without the required guardian consent, it will take steps to delete such data and close the account. - A legal guardian may contact the Controller at support@quizonator.com regarding a child's data.
10. User rights
The User has the right to:
- access their data and submitted quiz content,
- rectify incomplete or inaccurate data,
- delete data in cases provided by law,
- restrict processing in certain situations,
- data portability in a structured, commonly used format,
- object to processing based on the Controller's legitimate interests (Article 21 GDPR),
- withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
The Controller does not make decisions about the User based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect the User. Generating suggested answers serves solely to support the User and does not constitute such a decision. To exercise the above rights, contact the Controller at: support@quizonator.com. You can delete your account yourself in the user panel: go to the dashboard (/dashboard), open the "Account" tab, and select "Delete account". Detailed information on account deletion is available at: quizonator.com/usuwanie-konta The User has the right to lodge a complaint with the supervisory authority, i.e. the President of the Personal Data Protection Office, if they believe that the processing of their data violates GDPR.
11. Data retention period
Data is stored for the period necessary to achieve the purposes for which it was collected: Account and authentication data: for as long as the account exists, and after deletion for up to 30 days, except for data that must be stored longer under law. Device and login data (including IP address): up to 12 months, for security purposes. Quiz content and activity history: until the User deletes the account or withdraws consent, where applicable. Billing data and accounting documents: for the period required by tax and accounting regulations. Support requests: for the period necessary to handle the request and for evidential purposes. After the above periods expire, data is deleted or anonymized.
12. Changes to the Privacy Policy
- The Controller reserves the right to amend this Policy. - Users will be informed of material changes with appropriate notice, and the current version will be published within the Service. - Where processing is based on consent, changes requiring consent will not apply without prior consent being obtained.
13. Contact
For questions, comments, or concerns regarding this Policy, please contact us: Email: support@quizonator.com Address: QUIZONATOR Sp. z o.o., ul. Św. Mikołaja 8/11/208, 50-125 Wrocław, Poland KRS: 0001149825 NIP: 8971947982 REGON: 540680867