GDPR Compliance

Last Updated: November 2, 2025

Our Commitment to Data Protection

NeuraQuiz is committed to protecting and respecting your privacy in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This page explains how we comply with GDPR requirements and what rights you have regarding your personal data.

1. Data Controller Information

NeuraQuiz acts as the data controller for the personal information we collect through our services. You can contact us regarding data protection matters:

Data Protection Contact:

Email: [email protected]

Website: Contact Form

Response Time: We aim to respond to all data protection inquiries within 72 hours

2. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

Consent (Article 6(1)(a))

We process data based on your explicit consent when you:

  • Create an account on our platform
  • Subscribe to our newsletter
  • Participate in optional surveys or promotions
  • Accept cookies beyond essential ones

Contract Performance (Article 6(1)(b))

We process data necessary to provide our services:

  • Creating and managing your user account
  • Providing quiz functionality and tracking progress
  • Delivering educational content and results
  • Responding to your support requests

Legitimate Interests (Article 6(1)(f))

We process data for our legitimate business interests:

  • Improving our services and user experience
  • Preventing fraud and ensuring platform security
  • Analyzing usage patterns and platform performance
  • Communicating important service updates

Legal Obligation (Article 6(1)(c))

We process data to comply with legal requirements:

  • Tax and accounting obligations
  • Responding to lawful requests from authorities
  • Maintaining records as required by law

3. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data:

πŸ” Right of Access (Article 15)

You can request a copy of all personal data we hold about you, including information about how we use it.

✏️ Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data we hold about you.

πŸ—‘οΈ Right to Erasure (Article 17)

You can request deletion of your personal data ("right to be forgotten") in certain circumstances.

⏸️ Right to Restriction (Article 18)

You can request that we restrict processing of your data while verifying accuracy or investigating a complaint.

📦 Right to Data Portability (Article 20)

You can receive your personal data in a structured, machine-readable format and transfer it to another service.

🚫 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

🤖 Automated Decision-Making (Article 22)

You have rights regarding automated decision-making and profiling that produces legal effects.

🔙 Right to Withdraw Consent

You can withdraw consent at any time where processing is based on consent, without affecting prior processing.

4. How to Exercise Your Rights

To exercise any of your GDPR rights, please follow these steps:

📧 Submit a Request

  1. Send an email to [email protected] with your request
  2. Include your registered email address and specify which right(s) you wish to exercise
  3. Provide sufficient details for us to identify your account and verify your identity
  4. We will respond within 30 days (may extend to 60 days for complex requests)

Identity Verification:

To protect your privacy, we may ask for additional information to verify your identity before processing requests. This may include security questions or confirmation codes sent to your registered email.

5. Data We Collect

Under GDPR Articles 13 and 14, we are transparent about what data we collect:

Personal Identification Data

  • Name (first name, last name)
  • Email address
  • Username
  • Account password (stored only as a bcrypt hash, never in plaintext; see Section 8)

Usage Data

  • Quiz attempts and scores
  • Time spent on quizzes
  • Category preferences
  • Learning progress and history
  • Login timestamps and activity logs

Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Operating system
  • Cookies and similar technologies

6. Data Retention

We retain your personal data only for as long as necessary for the purposes outlined in our Privacy Policy:

Active Accounts:

Data retained while your account remains active and for 3 years after last login

Deleted Accounts:

Personal data deleted within 30 days of account deletion request

Legal Requirements:

Some data may be retained longer to comply with legal obligations (e.g., financial records for 7 years)

Anonymized Data:

Aggregated and anonymized data may be retained indefinitely for statistical purposes

7. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved standard contractual clauses for data transfers
  • Adequacy Decisions: We transfer data to countries recognized by the EU as providing adequate protection
  • Binding Corporate Rules: Our service providers comply with binding corporate rules approved by EU authorities
  • Your Consent: In some cases, we may ask for your explicit consent for international transfers

8. Data Security Measures

We implement appropriate technical and organizational measures to ensure data security (GDPR Article 32):

🔒 Technical Measures

  • Data encryption at rest and in transit (TLS/SSL)
  • Secure password hashing (bcrypt)
  • Regular security audits and updates
  • Firewall and intrusion detection systems
  • Regular backups with encryption

👥 Organizational Measures

  • Access controls and role-based permissions
  • Staff training on data protection
  • Confidentiality agreements with employees
  • Incident response procedures
  • Regular security awareness training

9. Data Breach Notification

In the event of a personal data breach, we will comply with GDPR Articles 33 and 34:

Our Breach Response Procedure:

  1. Detection: Immediate identification and containment of the breach
  2. Assessment: Evaluation of the risk to your rights and freedoms within 24 hours
  3. Notification to Authorities: Report to supervisory authority within 72 hours if risk exists
  4. Notification to Users: Inform affected users without undue delay if high risk to rights
  5. Documentation: Maintain records of all breaches and response actions
  6. Prevention: Implement measures to prevent future breaches

10. Data Protection by Design & Default

We implement data protection principles from the start (GDPR Article 25):

  ✓ Data Minimization: We only collect data necessary for our services
  ✓ Privacy Settings: Default privacy-friendly settings for all users
  ✓ Pseudonymization: Data pseudonymized where possible to reduce risk
  ✓ Access Controls: Strict limitations on who can access personal data
  ✓ Regular Reviews: Periodic assessments of data processing activities

11. Third-Party Data Processors

We work with trusted third-party processors who comply with GDPR. All processors:

  • Have signed Data Processing Agreements (DPAs) with us
  • Process data only on our instructions
  • Implement appropriate security measures
  • Assist with GDPR compliance (responding to data subject requests, breach notification, etc.)
  • Delete or return data upon termination of services

Current Third-Party Processors:

  • Hosting Services: Cloud infrastructure providers with EU data centers
  • Email Services: Transactional email delivery (double opt-in for marketing)
  • Analytics: Privacy-focused analytics tools (anonymized data)
  • Payment Processing: PCI-DSS compliant payment processors (if applicable)

For a complete list of processors, please contact [email protected]

12. Children's Privacy

We take additional measures to protect children's data:

  • Age Requirement: Users must be at least 13 years old to create an account
  • Parental Consent: Users under 16 in the EU require parental consent (Article 8 GDPR)
  • Verification: We may verify parental consent through email confirmation
  • Special Protection: Enhanced privacy protections for users who identify as minors
  • Immediate Action: If we learn we've collected data from a child without consent, we delete it immediately

13. Automated Decision-Making & Profiling

We want to be transparent about any automated processing:

Limited Automated Processing:

We use limited automated decision-making for quiz recommendations and adaptive learning features. This does not produce legal effects or similarly significantly affect you.

You have the right to:

  • Opt out of automated recommendations
  • Request human review of automated decisions
  • Express your point of view and contest the decision

14. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have violated GDPR:

EU Data Protection Authorities:

Find your local data protection authority at: EDPB Members List

We encourage you to contact us first at [email protected] so we can address your concerns directly.

15. Cookies and Tracking Technologies

We use cookies in compliance with the ePrivacy Directive and the GDPR. See our full cookie policy for details:

Essential Cookies: Required for site functionality (no consent needed)
Functional Cookies: Enhance your experience (consent required)
Analytics Cookies: Help us improve our services (consent required)
Advertising/Marketing Cookies: Used for personalized ads via Google AdSense (consent required)

You can manage your cookie preferences at any time through your account settings or browser settings. Withdrawing consent for non-essential cookies will not affect essential site functionality.

16. Updates to This Policy

We may update this GDPR compliance statement from time to time. We will notify you of significant changes:

  • By email to your registered email address (for material changes)
  • By prominent notice on our website
  • Through in-app notifications
  • By updating the "Last Updated" date at the top of this page

Your continued use of our services after changes indicates acceptance of the updated policy.

Contact Us

For any questions about our GDPR compliance, to exercise your rights, or to lodge a complaint:

Email: [email protected]

Data Protection Officer: [email protected]

Contact Form: Visit our contact page

Response Time: Within 72 hours for urgent matters, 30 days maximum for all requests
