Your Data. Your Control.

We collect three types of data: account identifiers, quiz content, and usage metrics.

QuizAI uses artificial intelligence to generate quizzes from your study materials and to grade your free-text responses. This constitutes automated decision-making that produces scores and feedback.

Automated Decision-Making: AI-generated quiz grades and feedback are produced automatically. These scores are for study purposes only and do not carry legal or similarly significant effects. If you believe an AI-generated grade is incorrect, you can use the question fix feature to request a re-evaluation, or contact us to request human review.

Your study materials are sent to third-party AI providers for processing. We sanitize all content before transmission to protect against prompt injection, but we do not control how AI providers handle data after receipt. See the Third-Party Services section for details.

We share data with the following service providers to operate QuizAI. Each provider acts as a data processor on our behalf.

AI quiz generation and grading are routed through OpenRouter, which forwards requests to AI model providers including Anthropic, OpenAI, and others. These sub-processors may have their own data retention policies.

International Transfers: Our service providers are based in the United States. If you access QuizAI from outside the US, your data is transferred to and processed in the US under applicable legal frameworks.

QuizAI uses OAuth-only authentication. We never collect, store, or have access to your password. When you sign in, your chosen provider securely confirms your identity and shares limited profile information with us.

Supported Providers

What We Receive

• Your name and email address
• Your profile picture (if available)
• A unique identifier from the provider

We do not receive your contacts, browsing history, or any data beyond basic profile information. Each provider's data sharing is governed by their own privacy policy and your permissions with that provider.

We implement industry-standard security measures to protect your data.

• All data transmitted between your browser and our servers is encrypted via HTTPS/TLS
• Authentication uses secure, time-limited sessions with httpOnly cookies
• We enforce Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and other industry-standard security headers
• All user inputs are validated and sanitized before processing
• Rate limiting is applied to prevent abuse of all API endpoints
• We do not store passwords — authentication is delegated entirely to your OAuth provider

No system is perfectly secure. If you discover a security vulnerability, please contact us responsibly so we can address it.

We use Vercel Analytics for basic usage metrics. This helps us understand how features are used and identify areas for improvement.

• No advertising trackers. We do not use third-party ad networks or retargeting pixels
• No cross-site tracking. We do not track your activity across other websites
• No data sales. We do not sell, rent, or share your personal information for advertising or marketing purposes

A session cookie is used to maintain your authentication state. This cookie is httpOnly (not accessible to JavaScript), secure (HTTPS only), and expires automatically. We also store a theme preference in your browser's local storage — this is a non-sensitive UI preference and does not contain personal information.

You have full control over your data. The following actions are available from your profile settings.

For EU/EEA Residents (GDPR)

Under the General Data Protection Regulation, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate or incomplete personal data
• Erasure — request deletion of your personal data
• Data Portability — receive your data in a structured, machine-readable format
• Restriction — request that we limit processing of your data
• Objection — object to processing based on legitimate interests

To exercise any of these rights, contact us at the address listed in the When This Policy Changes section.

For California Residents (CCPA)

Under the California Consumer Privacy Act, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.

Legal Basis for Processing (GDPR)

• Contract Performance: Quiz generation, grading, and account management
• Legitimate Interest: Security measures, abuse prevention, and service improvement
• Consent: Optional analytics and marketing communications (if applicable)

We retain your data only as long as necessary for the purposes described in this policy.

What "delete my data" covers: Using the "Delete All Data" option removes your quizzes, questions, and attempt history. Your account profile and authentication records remain intact. To remove everything, including your account, use the "Delete Account" option.

QuizAI is not directed at children under the age of 13. We do not knowingly collect personal information from anyone under 13 years of age, in compliance with the Children's Online Privacy Protection Act (COPPA).

If you are a parent or guardian and believe your child has provided personal information to QuizAI, please contact us immediately. We will promptly delete such information from our systems.

Users between 13 and 18 should have parental or guardian consent before using QuizAI.

We may update this privacy policy to reflect changes in our practices, technology, or legal requirements. When we make material changes:

• We will update the "Last Updated" date at the top of this page
• For significant changes, we will notify you through the application
• Your continued use of QuizAI after changes constitutes acceptance of the updated policy

Contact Us

For privacy inquiries, data requests, or questions about this policy, please reach out: