Privacy Policy
Last updated: April 26, 2026
1. Data Controller
The data controller responsible for your personal data is:
Julius Schröder
Eppendorfer Baum 34, 20249 Hamburg, Germany
Email: hello@quizcamapp.com
2. Overview
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Quizcam mobile application ("App") and the website at quizcamapp.com ("Website"), collectively the "Service." We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection laws.
3. What Data We Collect
3.1 Account Data (optional)
If you choose to sign in, we collect:
- Apple Sign-In: Your Apple-provided user identifier and, if you choose to share it, your name and email address.
- Google Sign-In: Your Google-provided user identifier, name, and email address.
You may also use the App anonymously. Even in anonymous mode, a technical user identifier (Firebase UID) is created to enable the core functionality of the Service. This identifier is not linked to any personal information unless you choose to sign in.
3.2 User-Provided Content
When you create quizzes, we process:
- Photos captured via the camera for text extraction.
- PDF documents you upload for text extraction.
- Text you provide directly (e.g., pasted or typed content).
Files are uploaded via short-lived signed URLs directly to Google Cloud Storage. The extracted text and generated quiz data are stored in Google Cloud Firestore. Additionally, OCR processing may produce temporary output artifacts in Cloud Storage, which are deleted after processing is complete.
3.3 App Usage and Diagnostic Data
As of version 1.0.4, the App uses the following services to collect pseudonymous usage and diagnostic data:
- Firebase Analytics (Google LLC): App usage patterns, session data, screen views, funnel events (e.g. "quiz created", "quiz completed"), device type, operating system version, app version, language, and approximate geographic region (country/city). Data is processed by Google LLC.
- Firebase Crashlytics (Google LLC): Crash reports including stack traces, device model, iOS version, app version, and a technical session identifier. Used solely for stability analysis. Data is processed by Google LLC.
- Apple MetricKit: Aggregated performance diagnostics (hangs, energy usage, disk activity). Data is processed exclusively by Apple and only transmitted if you have consented in iOS Settings under "Privacy & Security → Analytics & Improvements".
No identification beyond the device identifier takes place. We do not use app tracking (no IDFA, no cross-app tracking). A separate consent banner is therefore not required; Apple's App Tracking Transparency framework handles user consent at the system level.
3.4 On-Device Data
Certain data is stored locally on your device using UserDefaults (iOS) and does not leave your device. This includes: your display name, streak progress, appearance preferences, layout preferences, cached quiz content (titles, questions, answers), and entitlement/subscription status. This data is not accessible to us.
3.5 Payment Data
All payments are processed by Apple through In-App Purchase. We do not collect, process, or store any payment information such as credit card numbers. Apple's privacy policy governs the processing of your payment data.
3.6 Website Access Data
When you visit the website, our hosting provider may log your IP address and access data for technical and security purposes.
3.7 Contact Inquiries
When you contact us by email, we process your email address and the content of your message to respond to your inquiry. The legal basis is your legitimate interest in having your inquiry processed (Art. 6(1)(f) GDPR) or the performance of pre-contractual measures (Art. 6(1)(b) GDPR).
3.8 Backend Logs
Our backend servers generate technical logs for security and debugging purposes. These logs may contain request identifiers, HTTP method and path, status codes, response times, error codes, and technical metadata. In some cases, file paths containing your technical user identifier may appear in log entries. We apply data minimization principles and do not use log data for profiling.
4. How We Use Your Data
We use your data for the following purposes:
- Service delivery: Processing your uploaded content via OCR (Google Cloud Vision API) and AI (Google Vertex AI) to generate quiz questions. Legal basis: Contract performance (Art. 6(1)(b) GDPR).
- Account management: Managing your user account and syncing quiz data across sessions. Legal basis: Contract performance (Art. 6(1)(b) GDPR).
- Analytics and improvement: Understanding how the App is used, identifying funnel friction, and detecting stability and performance issues to improve features and user experience. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).
- Technical operation: Maintaining, securing, and debugging the Service, including server logging. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).
- Contact inquiries: Responding to your emails. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) or pre-contractual measures (Art. 6(1)(b) GDPR).
5. AI and Automated Processing
We use two Google Cloud services to process your content:
- Google Cloud Vision API: Used for optical character recognition (OCR) to extract text from your uploaded images and PDF documents.
- Google Vertex AI (Gemini): Used to generate quiz questions from the extracted text.
Your content is sent to these services on our backend servers hosted in the United States (region: us-central1). Google processes this data as a data processor on our behalf. We do not use your content to train AI models. The processing is solely for extracting text and generating your quiz questions. The generation pipeline includes safety checks that may reject content deemed inappropriate.
6. Data Sharing and Third-Party Services
We share data with the following service providers, who act as data processors:
- Google Cloud Platform (Google LLC): Backend infrastructure (Cloud Run), Cloud Firestore (database), Cloud Storage (file storage), Cloud Vision API (OCR), and Vertex AI (quiz generation). Data is processed in the United States (us-central1) under EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
- Firebase (Google LLC): Authentication (including anonymous accounts, Apple Sign-In, and Google Sign-In linking), analytics (Firebase Analytics), and crash reporting (Firebase Crashlytics).
- Apple Inc.: Authentication (Sign in with Apple), payment processing (In-App Purchase), and — only with your system-level consent — anonymized performance diagnostics via MetricKit.
We do not sell your personal data. We do not share your data with advertisers.
7. International Data Transfers
Our backend infrastructure is hosted in the United States (Google Cloud, region us-central1). Personal data is therefore transferred from the EU/EEA to the United States. We ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) with our service providers.
- Google's certification under the EU-US Data Privacy Framework (DPF).
- Additional technical measures including encryption in transit (TLS/SSL) and at rest.
8. Data Retention
- Account data and quiz data are retained as long as you maintain an active account.
- Uploaded files (photos, PDFs) are retained in Cloud Storage as long as your account is active. Upon account deletion, all uploaded files are permanently removed.
- Temporary OCR processing artifacts (vision-output files) are deleted after processing is complete.
- Backend logs are retained for a limited period for security and debugging purposes, typically no longer than 30 days.
- Firebase Analytics data is retained per Google's default retention policy for up to 14 months.
- Firebase Crashlytics reports are retained for up to 90 days.
- MetricKit diagnostics are stored exclusively on Apple's servers; we have no control over their retention.
- Upon account deletion, your personal data, quiz data, and uploaded files are permanently deleted from our servers, subject to any legal retention obligations.
9. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15 GDPR): You may request confirmation of whether we process your data and obtain a copy.
- Right to rectification (Art. 16 GDPR): You may request correction of inaccurate personal data.
- Right to erasure (Art. 17 GDPR): You may request deletion of your personal data. You can delete your account directly in the App's Settings.
- Right to restriction (Art. 18 GDPR): You may request restriction of processing in certain circumstances.
- Right to data portability (Art. 20 GDPR): You may request your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests, including analytics.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at hello@quizcamapp.com. We will respond within one month as required by law.
10. Additional Rights for California and Other US Residents
If you are a resident of California, Virginia, Colorado, Connecticut, or other US states with comprehensive privacy laws, you may have additional rights:
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: You may request deletion of your personal information. You can delete your account directly in the App's Settings, or contact us to request deletion.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. If this changes in the future, we will provide an opt-out mechanism.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at hello@quizcamapp.com. We will verify your identity before processing requests. You may also designate an authorized agent to submit requests on your behalf.
11. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The competent authority for our business is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Straße 22, 20459 Hamburg, Germany
Website: https://datenschutz-hamburg.de
12. Children's Privacy
The App is suitable for users of all ages. We do not knowingly collect personal data from children under 16 without parental consent. If you believe we have inadvertently collected data from a child without proper consent, please contact us immediately and we will take steps to delete such data.
13. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encrypted data transmission (TLS/SSL), short-lived signed upload URLs, secure cloud infrastructure, access controls, and safety checks in our content processing pipeline. However, no method of electronic storage or transmission is 100% secure.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes — including the activation of analytics services — we will notify you through the App or by other reasonable means. The "Last updated" date at the top indicates the most recent revision. Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
15. Contact
For any questions or concerns about this Privacy Policy or our data practices, please contact:
Julius Schröder
Email: hello@quizcamapp.com