Your data, plainly explained.

QuizRun is operated by [Your legal name or entity] ("we," "us," "our"). You can reach us at [your@email].

This Privacy Policy explains what data we collect when you use QuizRun at quizrun.app, why we collect it, who we share it with, and what choices you have. By using QuizRun you agree to the practices described here.

2.1 Information you give us directly

• Account credentials. Your email address and a password. Passwords are hashed and stored by our auth provider (Supabase); we never see or store the plaintext.
• Profile. An optional display name, shown next to quizzes and comments you post publicly.
• Two-factor authentication. If you enable TOTP, we store a factor secret in Supabase Auth so we can verify codes you generate from your authenticator app.
• Content you create. Quizzes, questions, descriptions, answers, comments, and stars you create or perform inside QuizRun.
• Files you upload. PDFs, documents, and images uploaded so we can extract their text and generate questions from them. We also cache the extracted text on a record we keep until you delete the upload.
• Billing information. When subscriptions are available, we hand payment off to Stripe, which collects and stores your card information directly. We only store the resulting Stripe customer/subscription identifiers and the plan you are on.

2.2 Information we collect automatically

• Session cookies. Supabase Auth sets a session cookie so you stay signed in. It identifies you to our servers and is required for the app to work.
• Usage logs.Each time you generate or extract content with AI, we record which feature was used, which model ran, how many input/output/cache tokens were consumed, and what it cost us. We use this to manage pricing and prevent abuse. We do NOT log the content of your prompts or files in this record beyond a short metadata blob (file type, size, question count) — your actual content is stored separately on the upload record (see 2.1 "Files you upload").
• Private share log. If someone opens a private or unlisted quiz of yours, we record who they are and when they did so, and show that record to you. This does not apply to public quizzes.
• Standard request metadata. Our hosting and database providers (Vercel, Supabase) keep short-lived logs of HTTP requests, including IP addresses, for security and operational reasons.

2.3 What we do NOT collect

• We do not run analytics, advertising, or third-party tracking scripts.
• We do not sell your data, ever.
• We do not use your private content to train any AI model.

• To run the service: store your quizzes, sign you in, render pages, deliver email.
• To generate AI questions from your uploads, by sending the extracted text or image content to Anthropic for inference. See section 4 for what they do with it.
• To send a small number of transactional emails (signup confirmation, password reset).
• To bill you for paid plans via Stripe, once paid plans are live.
• To investigate suspected abuse or breaches of these terms.

We use the following processors to run QuizRun. None of them sell your data; each one processes it only on our instructions.

• Supabase — stores your account, content, uploads, and session cookies. Database hosted in the United States. Privacy policy: supabase.com/privacy.
• Anthropic— when you generate quizzes from a file, the extracted text (and, for images, the image itself) is sent to Anthropic's API for inference. Per Anthropic's API terms, inputs and outputs are not used to train their models, and they retain content briefly only for abuse-prevention purposes. See: anthropic.com/privacy.
• Vercel — hosts the web application and keeps standard request logs. Privacy: vercel.com/legal/privacy-policy.
• Stripe (only once billing is enabled) — handles card data directly. We never see or store your full card information. Privacy: stripe.com/privacy.

You choose the visibility of every quiz you create:

• Private — only you can see it.
• Unlisted— accessible to anyone who has the share URL, but not listed on the public home page. Each opening is recorded in your "private share log".
• Public — listed on the public home page and visible to anyone, including unauthenticated visitors and search engines. Stars and comments on public quizzes are visible to everyone.

You can change a quiz's visibility at any time. Switching from public/unlisted back to private clears the share link, so previously-shared URLs stop working. Comments and stars persist across visibility changes; if you want them removed, delete the parent quiz.

Other users can fork your public or unlisted quizzesinto their own library. A fork is a separate copy; edits to your original do not flow into other peoples' forks.

We keep your data for as long as your account is active. When you delete your account (Account settings → Danger zone), we immediately delete your profile, quizzes, questions, attempts, uploads (including extracted text), comments, stars, share-view logs, usage records, two-factor factors, and any subscription mapping. Backups may retain residual data for up to 30 days before being overwritten.

When you delete an individual quiz, all of its questions, attempts, comments, stars, and forks-relationship records are cascaded automatically. Other users' existing forks of your quiz are not deleted — they are independent copies — but their back-reference to your original is cleared.

You can:

• Access and export your data — most of it is visible inside the app; email us if you want a machine-readable dump.
• Correct your display name and account email through Account settings.
• Delete individual quizzes anytime, or your entire account from Account settings → Danger zone. Account deletion is permanent and removes everything we hold about you (see section 6 for the cascade).
• Object to specific processing.

If you're in the European Economic Area, the UK, or California, you have additional rights under the GDPR / UK GDPR / CCPA — including the right to lodge a complaint with your local data protection authority.

All connections to QuizRun are encrypted with TLS. Passwords are hashed with bcrypt by Supabase Auth. Two-factor authentication (TOTP) is available and recommended. Sensitive server-side keys (Anthropic API key, Supabase service role key) are stored in Vercel environment variables and never exposed to your browser.

We do our best, but no online service is bulletproof. If we ever discover a breach that affects your data, we'll notify you by email and at this URL within 72 hours of confirming it.

QuizRun is not intended for children under 13 (or under 16 in the European Economic Area). If you are under that age, please don't create an account. If we learn we've collected data from a child without parental consent, we'll delete it.

Our database and AI infrastructure are hosted in the United States. If you are accessing QuizRun from outside the US, your data is transferred and processed there. The processors listed in section 4 maintain Standard Contractual Clauses or equivalent mechanisms for international transfers.

When we make a material change, we'll update the "Last updated" date at the top of this page and, where the change is significant, send a notice to your account email. Continued use of QuizRun after a change means you accept the updated policy.

Questions, deletion requests, or data-protection issues: email us at [your@email].