Privacy Policy

Last updated: February 17, 2026 · Effective: February 17, 2026

1. Who We Are

Quizimoto ("we", "us", "our") provides an embed-first quiz and decision flow platform. This Privacy Policy explains how we collect, use, and protect personal data when you use our website, dashboard, embeds, and API (collectively, the "Service").

2. Roles: Controller vs. Processor

As a Data Controller: We act as the data controller for data we collect directly from dashboard users (account holders), including account registration data, billing information, and usage analytics.

As a Data Processor: When quiz creators collect responses from their end users (respondents) through our embeds, we act as a data processor on behalf of the quiz creator (the controller). Quiz creators are responsible for obtaining appropriate consent from their respondents and maintaining their own privacy policies.

3. Data We Collect

3.1 Account Data (Dashboard Users)

  • Email address and name (registration)
  • Password hash (PBKDF2 — we never store plaintext passwords)
  • Workspace names and settings
  • Domain verification records

3.2 Quiz Submission Data (Respondents)

  • Quiz responses and scores
  • Lead capture data (email, name, or custom fields as configured by quiz creator)
  • Submission timestamps
  • Browser user agent and IP address (for rate limiting and fraud prevention)

3.3 Usage and Analytics Data

  • Quiz view counts and completion rates (aggregated, not per-user)
  • Daily rollup statistics
  • API usage metrics

4. How We Use Data

  • Service delivery: Rendering quizzes, processing submissions, delivering webhooks, sending email notifications
  • Security: Rate limiting, fraud prevention, abuse detection via Cloudflare Turnstile
  • Analytics: Pre-computed daily rollups for dashboard reporting (never real-time scanning of raw submissions)
  • Communication: Transactional emails about submissions, account notifications

5. Sub-Processors

We use the following infrastructure providers to deliver the Service:

Provider | Purpose | Data Processed
Cloudflare, Inc. | Hosting (Workers, Pages, D1, KV, R2, Queues, Durable Objects), CDN, DDoS protection, Turnstile bot detection | All Service data
Amazon Web Services (SES) | Transactional email delivery | Recipient email addresses, notification content

When quiz creators use the Bring Your Own Key (BYOK) AI feature, their API keys are encrypted at rest (AES-GCM) and used solely to call the creator's chosen AI provider. We do not store or log AI request/response content.

6. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
  • Submission data: Retained per workspace settings (default: 730 days). Older submission bodies are archived to cold storage (R2) and eventually purged.
  • IP addresses: Hashed after 90 days.
  • Webhook delivery logs: Payload data cleaned after 90 days.

7. International Transfers

Our infrastructure runs on Cloudflare's global network. Data may be processed in any region where Cloudflare operates. Cloudflare maintains Standard Contractual Clauses (SCCs) for EU-to-third-country transfers. AWS SES is configured in the US region.

8. Your Rights (GDPR, CCPA)

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data
  • Portability: Receive your data in a machine-readable format
  • Restriction: Limit processing of your data
  • Objection: Object to processing based on legitimate interests
  • Non-discrimination (CCPA): We will not discriminate against you for exercising your rights

Quiz respondents: If you completed a quiz and want to exercise your data rights, contact the quiz creator first (they are the data controller). You may also contact us at [email protected] and we will assist in processing your request.

Dashboard users: You can export or delete your data from your account settings, or contact us at [email protected].

9. Security

  • Passwords hashed with PBKDF2 (600,000 iterations, SHA-256)
  • API keys stored as SHA-256 hashes
  • BYOK AI keys encrypted with AES-GCM
  • Webhooks signed with HMAC-SHA256
  • All traffic encrypted via TLS
  • Multi-tenant data isolation enforced at the application layer

10. Children's Privacy

We do not knowingly collect data from children under 13 (or under 16 in the EU). If quiz creators target audiences that may include minors, they are responsible for COPPA/age-gating compliance. See our Acceptable Use Policy.

11. Changes to This Policy

We will post any changes to this page and update the "Last updated" date. Material changes will be communicated via email to registered account holders.

12. Contact

For privacy inquiries: [email protected]