Privacy Policy
Last updated: 2026-05-14 · v2026-05-14
QUIZBASE PRIVACY POLICY
Version 1.0 — effective from May 8, 2026
Important notice. This document is an English translation of the Polish-language original "Polityka prywatności QuizBase", provided for the convenience of non-Polish-speaking users. We have made our best effort to ensure accuracy, but in the event of any discrepancy or interpretation issue, the Polish-language version prevails. The Polish original is the only legally binding version and is available at https://quizbase.runriva.com/legal/privacy?lang=pl.
§ 1. Introductory Information
- This privacy policy (hereinafter: "Policy") sets out the rules for the processing of personal data of Customers of the QuizBase service, available at https://quizbase.runriva.com (hereinafter: "Service").
- The Policy is an annex to the Service Terms, available at https://quizbase.runriva.com/legal/terms. Capitalized terms not defined in the Policy have the meaning given to them in the Terms.
- The Policy fulfils the information obligation arising from Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: "GDPR").
§ 2. Data Controller
- The controller of personal data of the Customers of the Service (hereinafter: "Controller") is Maciej Dzierżek, a sole proprietor entered in the Polish CEIDG, with the place of business at: ul. Cieszyńska 1a/57, 02-716 Warsaw, Poland, Tax ID (NIP): PL7411885009, Statistical ID (REGON): 280016640.
- The Controller may be contacted on all matters concerning the processing of personal data:
- via electronic mail at: [email protected];
- via traditional mail at the address indicated in section 1.
- The Controller has not appointed a Data Protection Officer (DPO), as it is not obliged to do so under Article 37 GDPR.
§ 3. What Personal Data We Process
The Controller processes the following categories of personal data:
Account data:
- email address;
- password (stored only as a non-reversible cryptographic hash);
- Customer name or company name;
- optionally — Tax ID (NIP) (for Customers who are Entrepreneurs and Entrepreneurs with Consumer Rights) and invoice address;
- status of the declaration of non-professional character of the Agreement (Entrepreneur with Consumer Rights);
- registration IP address and timestamp of acceptance of the Terms and the Policy;
- language preferences and interface settings.
Billing and payment data:
- order and transaction history;
- electronic invoices;
- payment card data, limited to: the last 4 digits of the card number, the country of card issue, transaction status. Full card data is processed only by the Payment Operator (Stripe) and is not stored by the Controller;
- subscription status, including payment dates, amounts, and currency.
Service usage data:
- log of every API request: timestamp, endpoint URL, response status, API Key identifier (secured hash), request IP address, User-Agent header;
- aggregated usage statistics, used for billing and protection against abuse;
- security logs (attack attempts, suspicious traffic patterns, failed logins).
Communication data with the Controller:
- content of email messages sent to the Controller and the Controller's responses;
- communication metadata (date, email address).
Marketing data (newsletter) — processed only if separate consent has been given:
- email address;
- consent status (date of giving, date of double opt-in confirmation, date of any withdrawal);
- delivery metadata (opens, link clicks — to the extent provided by the email service provider).
Cookies and similar technologies — detailed in § 7 of the Policy.
The Controller does not process special categories of data within the meaning of Article 9 GDPR (data on health, racial or ethnic origin, political views, religious beliefs, trade union membership, genetic, biometric, sexual orientation data).
§ 4. Purposes and Legal Bases of Processing
The Controller processes personal data for the following purposes and on the following legal bases:
Performance of the Agreement — Article 6(1)(b) GDPR:
- creation and operation of the Account;
- provision of the Service (access to API, management panel, documentation);
- management of API Keys, the Plan, Usage Limits, Spend Cap;
- handling of payments and settlements;
- communication related to performance of the Agreement (confirmations, invoices, billing alerts).
Retention period: until termination of the Agreement and during 90 days of Account archiving thereafter.
Compliance with legal obligations — Article 6(1)(c) GDPR:
- issuance and storage of invoices (5 years under tax law);
- handling of complaints and withdrawals from the Agreement;
- response to requests of authorized authorities (court, prosecutor, tax authority, law enforcement).
Retention period: in accordance with the legal obligation (5 years for invoices and accounting documents; shorter for other data).
Legitimate interest of the Controller — Article 6(1)(f) GDPR:
- protection against abuse, fraud, AUP breaches, attacks on the Service (including fingerprinting and traffic pattern analysis);
- monitoring of Service security and detection of incidents;
- pursuing and defending against claims;
- handling correspondence and contact with the Customer;
- aggregated analytics for the development of the Service (without identifying individual Customers);
- marketing of the Controller's own products and services to existing Customers (without using the newsletter channel, for which separate consent is required).
Retention period: API and security logs — 90 days; attack attempt logs — 12 months; other data for the period necessary to realize the legitimate interest, no longer than 5 years from the last activity of the Customer.
Customer consent — Article 6(1)(a) GDPR and Article 10(1)-(2) of the Electronic Services Act and Article 172 of the Telecommunications Law:
- sending of the newsletter and commercial information of the Controller by electronic means;
- optional non-essential cookies (if the Controller introduces such a mechanism in the future).
Retention period: until withdrawal of consent. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
§ 5. Newsletter and Marketing Communication
- The Controller sends Customers information about new functionalities of the Service, changes to the Terms, important operational events, and occasionally commercial information (new Plans, promotions, product content).
- Transactional communication related to performance of the Agreement (registration confirmations, invoices, billing alerts, notifications of changes to the Terms) is sent regardless of consent to the newsletter — it constitutes performance of the Agreement.
- The newsletter (commercial information, marketing) is sent only after the Customer has given separate consent in a double opt-in process:
- checking the newsletter consent checkbox during registration or in the management panel (checkbox unchecked by default, optional);
- confirmation of consent by clicking the link sent to the Customer's email address.
- The Customer may at any time withdraw consent to the newsletter:
- by clicking the "unsubscribe" link in the footer of every message — withdrawal of consent does not require login;
- by disabling the newsletter option in the management panel;
- by sending a request to withdraw consent to the address indicated in § 2 section 2.
- Withdrawal of consent is free of charge for the Customer and does not entail consequences for further use of the Service.
§ 6. Sub-processors (Processors)
- The Controller entrusts the processing of personal data to the following entities (Sub-processors), only to the extent necessary for the provision of the Service:
| Sub-processor | Purpose of processing | Location of processing | Basis of transfer outside the EEA |
|---|---|---|---|
| Railway Corp. (USA) | Application hosting, Postgres database (Accounts, API Keys, billing, logs), Redis | Servers in the EU region (europe-west4); access from the USA | Standard Contractual Clauses (SCC) |
| Backblaze, Inc. (USA) | Remote backup of the database | USA | SCC |
| Microsoft Corporation (USA, EU) — OneDrive service | Local backup of the Controller's database | USA / EU | SCC |
| Stripe Payments Europe, Limited (Ireland) and Stripe, Inc. (USA) | Payment handling, billing, invoices, card data | Ireland, USA | SCC + EU-U.S. Data Privacy Framework |
| Resend, Inc. (USA) | Sending of email messages (transactional and newsletter) | USA | SCC |
| Cloudflare, Inc. (USA) | CDN, DDoS protection — processes IP address and HTTP request headers | Global Edge network, access from the USA | SCC |
| Functional Software, Inc. (Sentry) (USA) | Application error monitoring and in-app user feedback collection — error logs may contain Customer identifier, IP address, fragments of requests; user feedback submitted via the in-app "Report a problem" button includes the comment text and, if voluntarily provided by the Customer, a name and email address | USA | SCC |
- The Controller maintains the current list of Sub-processors at https://quizbase.runriva.com/legal/subprocessors. The Controller undertakes to inform Customers of the addition of a new Sub-processor with at least 14 days' advance notice, via email and by updating the list.
- Some Sub-processors are based in third countries (outside the European Economic Area), in particular in the United States. Transfer of data to these countries takes place on the basis of Standard Contractual Clauses (SCC) approved by the European Commission and, in the case of Stripe, on the basis of the EU-U.S. Data Privacy Framework. The Controller takes care that Sub-processors provide an adequate level of protection of personal data.
§ 7. Cookies and Similar Technologies
- The Service uses cookies and similar technologies (localStorage, sessionStorage) only to the extent necessary for the provision of the Service.
- The Controller uses the following types of cookies:
| Type | Purpose | Lifetime | Category |
|---|---|---|---|
| qb_session | Session of the logged-in Customer | Browser session / 30 days (with "remember me" option) | Essential |
| qb_csrf | Protection against CSRF attacks | Browser session | Essential |
| qb_lang | Memorizing the chosen interface language | 1 year | Preference |
| qb_theme | Memorizing the chosen theme (light/dark) | 1 year | Preference |
| qb_consent | Recording cookie preferences | 1 year | Essential |
- Essential cookies are used without the Customer's consent, on the basis of Article 173(3) of the Telecommunications Law (cookies necessary for the provision of telecommunications service).
- At the time of entry into force of the Policy, the Controller does not use analytical or marketing cookies of third parties (e.g. Google Analytics, Meta Pixel). The Service uses only Cloudflare Web Analytics, which is cookie-less.
- The Service displays a cookie consent banner on the first visit, allowing the Customer to accept or reject non-essential categories. The "Analytics" category is currently empty (zero third-party cookies). In the future, in the event of introduction of analytics or marketing cookies, they will require the Customer's opt-in consent, and the Policy will be updated with at least 14 days' advance notice.
- The Customer may at any time change their cookie preferences by clicking the "Cookie preferences" link in the Service footer, or in the settings of their browser (delete existing cookies and block new ones). Blocking essential cookies may make it impossible to use the Account functionalities.
§ 8. Data Retention Periods
| Data category | Retention period |
|---|---|
| Active Account (email, password, settings) | Until termination of the Agreement |
| Account after termination of the Agreement | 90 days of archiving, then permanent deletion |
| Invoices and accounting documents | 5 years from the end of the tax year (tax obligation) |
| API request logs | 90 days |
| Security logs (attack attempts, failed logins) | 12 months |
| Email communication (messages and responses) | 3 years from the last exchange |
| Newsletter consent | Until withdrawal; after withdrawal — 12 months retention of withdrawal record (proof) |
| Database backups | Rotation of 30 daily + 12 monthly snapshots; full cycle 12 months |
| Disputed data (proceedings, claims) | Until final conclusion of the case + claim limitation period |
After the retention period has elapsed, the data is permanently deleted or anonymized.
§ 9. Customer Rights
The Customer has the following rights, arising from the GDPR:
- Right of access (Article 15) — the Customer may request information on what data concerns them and obtain a copy of this data.
- Right to rectification (Article 16) — the Customer may request the correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten", Article 17) — the Customer may request the erasure of their data in cases provided for by law (including withdrawal of consent, data no longer needed).
- Right to restriction of processing (Article 18) — the Customer may request restriction of processing in specific cases.
- Right to data portability (Article 20) — the Customer may receive their data in a structured, commonly used format (JSON or CSV) and transmit it to another controller.
- Right to object (Article 21) — the Customer may object to processing based on legitimate interest (for reasons relating to their particular situation) and always to direct marketing.
- Right to withdraw consent (Article 7(3)) — the Customer may withdraw consent given at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right not to be subject to a decision based solely on automated processing (Article 22) — the Controller does not apply solely automated decisions with significant legal effect for the Customer.
The exercise of rights is carried out through:
- management panel functionalities (export, editing, Account deletion, consent management);
- a request sent to the email address indicated in § 2 section 2.
The Controller responds to a request within one month of its receipt. In the case of complex requests, the deadline may be extended by a further two months, of which the Controller will inform the Customer.
The exercise of rights is free of charge for the Customer. The Controller may refuse to comply with the request or charge a reasonable fee only in the case of manifestly unfounded or excessive requests (Article 12(5) GDPR).
Right to complain — the Customer has the right to lodge a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office:
- address: ul. Stawki 2, 00-193 Warsaw;
- website: https://uodo.gov.pl.
A Customer residing in another European Union Member State may lodge a complaint with the supervisory authority competent for their place of habitual residence.
§ 10. Data Security
- The Controller applies technical and organizational measures ensuring the security of personal data appropriate to the identified risks, in particular:
- encryption of transmission (TLS 1.2+);
- non-reversible hashing of passwords and API Keys (bcrypt);
- access control based on the principle of least privilege;
- isolation of databases and applications;
- periodic backups with restore verification;
- monitoring of security incidents;
- security updates of dependencies and infrastructure.
- The Controller does not hold ISO 27001, SOC 2, or similar certifications. The security of the Service is based on measures proportionate to the scale and nature of the activity of a sole proprietorship.
- In the event of a personal data breach incident likely to result in a risk to the rights and freedoms of Customers, the Controller will notify the supervisory authority of the incident in accordance with Article 33 GDPR and, in the case of high risk, will notify the affected Customers in accordance with Article 34 GDPR.
§ 11. Automated Decisions and Profiling
- The Controller does not take, in relation to Customers, decisions based solely on automated processing, including profiling, producing legal effects on Customers or significantly affecting them in a similar way.
- The automated mechanisms applied by the Controller (Usage Limits, Spend Cap, rule-based fraud detection, IP blocking in the event of attacks) are based on deterministic rules, not on profiling within the meaning of Article 4(4) GDPR.
§ 12. Children
- The Service is not directed to persons under the age of 16.
- The Controller does not knowingly process personal data of children under the age of 16. Upon obtaining information about the processing of a child's data without the consent of the legal representative, the Controller will immediately delete such data.
§ 13. Customers Outside the European Union
- The Service is available globally. A Customer using the Service from a third country (outside the EEA) is subject to this Policy and to Polish law and the provisions of the GDPR to the extent that the Controller is the responsible entity (Article 3 GDPR).
- A Customer from a third country has the same rights as a Customer from the European Union, described in § 9.
- Notwithstanding the above, in the case of mandatory provisions on personal data protection in the country of habitual residence of the Customer, the Controller will make every effort to take them into account.
§ 14. Changes to the Policy
- The Controller may make changes to the Policy for important reasons, in particular:
- changes in the law;
- changes of Sub-processors or scope of processing;
- introduction of new functionalities of the Service;
- technical changes in infrastructure.
- The Controller informs Customers of changes to the Policy via email with at least 14 days' advance notice before the date of entry into force of the changes, and by publishing the amended version of the Policy at https://quizbase.runriva.com/legal/privacy.
- A Customer who does not agree with a change to the Policy may terminate the Agreement in accordance with the Terms.
§ 15. Final Provisions
- The Policy constitutes an annex to the Service Terms.
- In matters not regulated in the Policy, the provisions of the Terms and generally applicable law apply, in particular the GDPR, the Polish Personal Data Protection Act of 10 May 2018, the Electronic Services Act, and the Telecommunications Law.
- This Policy enters into force on May 8, 2026. Version: 1.0.
End of Privacy Policy.