Privacy Policy
Last updated: April 27, 2026
For school use, a data processing agreement template is available: Data Processing Agreement (DPA).
What Data We Collect
We collect the following data to provide our assessment service:
- Account information: email address, name, school name
- Quiz content: quizzes, questions, and answers you create
- Session data: quiz sessions you host and student responses (anonymous)
- Usage data: how you interact with the platform (only with your consent)
Why We Collect Data
Your data is used for the following purposes:
- To provide the quiz assessment service
- To generate analytics and understanding signals for teachers
- To improve the platform experience (with your consent)
Legal Basis for Processing
We process your data only when there is a valid legal basis under the GDPR:
- Performance of a contract (Art. 6(1)(b) GDPR): to deliver the service, manage your account and authentication
- Consent (Art. 6(1)(a) GDPR): for analytics and marketing cookies (revocable at any time)
- Legal obligation (Art. 6(1)(c) GDPR): for invoicing, accounting record retention, and anti-money-laundering rules
- Legitimate interest (Art. 6(1)(f) GDPR): for security, fraud prevention, and system logs
Children's Data
Qyoza is a tool designed for classroom use. Students, who are often minors, take part in quiz sessions without creating an account. Below we explain how we handle their data.
Processing roles (school use)
When a teacher or school uses Qyoza with their students, the school or teacher acts as the data controller, while Qyoza (3108 SRLS) acts as the data processor under Art. 28 GDPR. The school/teacher decides the purposes and means of processing student data; Qyoza processes that data only on the controller's documented instructions. A Data Processing Agreement (DPA) template is available at /dpa.
Lawful basis
The lawful basis for processing student data is determined by the school/teacher (the controller): typically the performance of a public-interest task connected to teaching (Art. 6(1)(e) GDPR) or consent obtained by the school or by parents/guardians. Qyoza does not collect this consent itself.
What student data we collect
For each student who takes part in a session we process pseudonymous data:
- A nickname chosen by the student (not a real name)
- The answers given to the quiz questions
- Technical and security data (e.g. IP address, session identifier) to ensure correct operation and prevent abuse
Retention
Student session data is kept for a maximum of about 12 months, after which it is anonymized or deleted. The teacher can delete sessions earlier from their dashboard.
No real names
Teachers must NOT ask students to enter their real first and last name or other identifying data as the nickname. The nickname must remain a pseudonym. This minimizes the personal data processed about minors.
Age of the minor
In Italy, the age at which a minor can consent on their own to information-society services is 14 (Art. 8 GDPR, as implemented by Art. 2-quinquies of Legislative Decree 196/2003). For younger students, consent or the lawful basis must be handled by the school or by parents/guardians. Qyoza is not intended for direct use by minors without the supervision of a teacher or parent.
Sub-processors
We rely on the following providers to deliver the service. Each is bound by a GDPR-compliant Data Processing Agreement:
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Stripe | Payment processing and billing | USA / Ireland | SCCs |
| PostHog | Product usage analytics (with consent) | USA | SCCs |
| Anthropic | AI content generation (Claude) | USA | SCCs |
| Sentry | Error and performance monitoring | USA | SCCs |
| Resend | Transactional email delivery | EU | EU Adequacy |
| Hetzner | Infrastructure hosting | EU (Germany) | EU Adequacy |
International Data Transfers
Some of our sub-processors are based in the United States. In those cases, transfers of personal data outside the European Economic Area are carried out in compliance with the GDPR.
We rely on the Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914/EU as an appropriate safeguard for international transfers. You may request a copy of the SCCs by writing to [email protected].
Data Retention
We keep your data only for as long as necessary:
- Account data: for the lifetime of your account, until deletion is requested
- Billing data: 10 years, as required by Italian tax law
- Security logs: up to 12 months
How We Use Cookies
Qyoza uses two types of cookies. See our Cookie Policy for the full list:
- Necessary cookies: required for the platform to function (authentication, preferences)
- Analytics cookies: help us understand usage patterns (PostHog, only with your consent)
Your Rights
Under the GDPR, you have the following rights:
- Right of access: you can view all data we hold about you
- Right to portability: you can export all your data as JSON from Settings > Privacy
- Right to erasure: you can request account deletion from Settings > Privacy
- Right to rectification: you can update your information from your profile page
- Right to lodge a complaint: with the Italian Data Protection Authority (garanteprivacy.it)
Contact Us
For any privacy-related question, contact us at [email protected]. Data Controller: 3108 SRLS, Milan, Italy.