1. Data Controller
The data controller for your personal data is [COMPANY NAME sp. z o.o.], [NIP / KRS], registered at [Street, Postcode, City, Country].
For all data protection matters, contact us at: privacy@scan2quiz.eu.
2. Data We Collect
We collect only the data necessary to provide the service:
- Registration data: first name, last name, email address, selected plan, language preference.
- Technical data: IP address, User-Agent header, login and activity timestamps.
- Authentication data: Argon2id password hash or OAuth token (Google, Facebook, GitHub) — we never store plain-text passwords.
- User content: uploaded documents (PDF, JPG, PNG), generated quizzes, results.
- Consent records: GDPR consent logs with timestamp, IP address, and policy version.
- Audit logs: system action logs (login, registration, account deletion).
We do not collect special category data (Art. 9 GDPR), political opinions, religious beliefs, or biometric data.
3. Purpose and Legal Basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Service provision (registration, login, quiz generation) | Art. 6(1)(b) — performance of a contract |
| Account security and abuse prevention | Art. 6(1)(f) — legitimate interests |
| Legal obligations (invoicing, archiving) | Art. 6(1)(c) — legal obligation |
| Direct marketing (newsletter) | Art. 6(1)(a) — consent (withdrawable) |
| Service quality analysis | Art. 6(1)(f) — legitimate interests |
| GDPR consent records | Art. 6(1)(c) — legal obligation (Art. 7(1)) |
4. Social Login (OAuth)
We offer login via Google, Facebook, and GitHub. When using this option:
- The OAuth provider shares only the data you authorised in their service (typically: email, name, identifier).
- We do not store your external service password.
- Each provider processes your data under their own privacy policy: Google, Meta/Facebook, GitHub.
- OAuth providers may process data outside the EU/EEA. All transfers are based on Standard Contractual Clauses (SCCs) approved by the European Commission.
5. Google Fonts
Our site loads fonts from Google Fonts (Google LLC). When the page loads, your browser connects to Google's servers, a connection that may transmit your IP address to Google. This connection is made solely to display fonts correctly.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest — visual consistency). You may block this connection in your browser settings.
Google's privacy policy: policies.google.com/privacy.
6. Data Storage and Security
We implement the following technical and organisational measures:
- Passwords hashed with Argon2id (memory: 64 MB, time cost: 4, threads: 2).
- Data in transit encrypted with HTTPS/TLS 1.2+.
- Servers located exclusively in the European Union.
- CSRF protection (one-time tokens), brute-force protection (rate limiting).
- Data access restricted to authorised staff on a least-privilege basis.
- Regular backups and business continuity testing.
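As an added example (not scan2quiz's own code), the PHP snippet below shows what two of the measures above look like in practice: hashing a password with Argon2id using exactly the parameters listed (64 MB memory, time cost 4, 2 threads), with a transparent upgrade path if those parameters ever change, and issuing and checking a one-time CSRF token. It assumes PHP 7.3 or later built with Argon2 support (so the `PASSWORD_ARGON2ID` constant is available) and a session already started by the application's front controller; the function names are illustrative.

```php
<?php
// Added example, not scan2quiz's own code. Assumes PHP >= 7.3 built with
// Argon2 support (PASSWORD_ARGON2ID available) and an active session.

declare(strict_types=1);

// Argon2id parameters as stated in the policy: 64 MB memory
// (password_hash() takes KiB), time cost 4, 2 threads.
const ARGON2_OPTIONS = [
    'memory_cost' => 64 * 1024,
    'time_cost'   => 4,
    'threads'     => 2,
];

function hashPassword(string $password): string
{
    // The returned string embeds the algorithm, parameters and salt, so only
    // this hash is stored; the plain-text password never reaches the database.
    return password_hash($password, PASSWORD_ARGON2ID, ARGON2_OPTIONS);
}

function verifyPassword(string $password, string $storedHash): bool
{
    // password_verify() reads the parameters back out of the stored hash.
    return password_verify($password, $storedHash);
}

function needsRehash(string $storedHash): bool
{
    // True when the stored hash was produced with different parameters (e.g.
    // an older, weaker cost setting), so it can be re-hashed on next login.
    return password_needs_rehash($storedHash, PASSWORD_ARGON2ID, ARGON2_OPTIONS);
}

// One-time CSRF token: generated per form, kept server-side in the session,
// and discarded after a single check regardless of the outcome.
function issueCsrfToken(): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $_SESSION['csrf_token'] = $token;
    return $token;
}

function consumeCsrfToken(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    unset($_SESSION['csrf_token']);        // one-time: never reusable
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

// Usage when run from the command line (the web front controller would have
// called session_start() instead of faking the session array).
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $hash = hashPassword('correct horse battery staple');
    var_dump(verifyPassword('correct horse battery staple', $hash));
    var_dump(verifyPassword('wrong password', $hash));
    var_dump(needsRehash($hash));          // false while ARGON2_OPTIONS is unchanged

    $token = issueCsrfToken();
    var_dump(consumeCsrfToken($token));    // first use succeeds
    var_dump(consumeCsrfToken($token));    // second use fails: token already consumed
}
```

The `needsRehash()` check is the operational piece: if the memory or time cost in the policy is ever raised, existing users' hashes are upgraded the next time they log in, without forcing a password reset.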
7. International Data Transfers
As a rule, your data is not transferred outside the European Economic Area (EEA).
Exceptions apply only to the external services listed in sections 4 and 5 (OAuth providers, Google Fonts). Each transfer is based on a mechanism approved by the European Commission: Standard Contractual Clauses (SCCs) or an adequacy decision.
8. Retention Periods
| Data category | Retention period |
|---|---|
| Active account data | Until account deletion + 30-day grace period |
| User content (documents, quizzes) | Until deleted by user or account closure |
| Audit and security logs | 12 months from the event |
| GDPR consent records | 5 years after withdrawal (Art. 7(1) requirement) |
| Billing data / invoices | 5 years (tax obligation) |
| Data after account deletion | Permanently deleted within 30 days |
9. Your Rights
Under the GDPR you have the following rights:
- Right of access (Art. 15) — request a copy of your data.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure (Art. 17) — "right to be forgotten".
- Right to restriction (Art. 18).
- Right to data portability (Art. 20) — in machine-readable format (JSON/CSV).
- Right to object (Art. 21) — to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) — without affecting prior lawful processing.
- Right not to be subject to automated decisions (Art. 22).
Submit requests via Account Settings or by emailing privacy@scan2quiz.eu. We will respond within 30 days (Art. 12 GDPR). You also have the right to lodge a complaint with your national supervisory authority.
10. Cookies and Tracking
We use strictly necessary cookies only (user session, CSRF token). We do not use analytics, advertising, or third-party tracking cookies (e.g. Google Analytics, Meta Pixel).
| Name | Purpose | Lifetime |
|---|---|---|
| PHPSESSID | User session (authentication) | 24 hours |
| csrf_token | CSRF attack protection | Session |
Legal basis: Art. 6(1)(b) GDPR (necessary for contract performance). No consent banner required.
11. Children and Minors
scan2quiz.eu is intended solely for users aged 16 or over. We do not knowingly collect personal data from individuals under this age. If we become aware that a child under 16 has provided data without valid consent, we will delete it immediately. Contact us at privacy@scan2quiz.eu.
12. Automated Decision-Making and AI
The service uses artificial intelligence (language models) solely to generate quiz questions from uploaded documents. This processing:
- Does not produce legal or similarly significant effects on users.
- Is not used to create personality profiles or assess creditworthiness.
- Leaves users free to edit or delete any generated question.
Art. 22 GDPR (prohibition on solely automated decisions) does not apply to this process.
13. Policy Changes
We reserve the right to update this privacy policy. We will notify you of any material change by email and via an in-app notice at least 14 days in advance. Continued use of the service after that date constitutes acceptance of the new version.
Previous versions are available on request at privacy@scan2quiz.eu.
14. Contact and Complaints
Data Controller:
[COMPANY NAME sp. z o.o.]
[Street, Postcode, City, Country]
Email: privacy@scan2quiz.eu
Supervisory authority:
Your national data protection authority. Full list: edpb.europa.eu.