Data Processing Addendum
This DPA was last updated on February 4, 2025.
This Data Processing Addendum ("DPA") forms part of the Terms of Service and Privacy Policy between:
Version Zero Limited trading as Quizgecko ("Processor", "we", "us", or "our")
86-90 Paul Street
London, United Kingdom
EC2A 4NE, United Kingdom
and
The Customer ("Controller") using our Services.
1. Definitions
The terms "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Special Categories of Personal Data" and any other specific terms have the meanings given to them in the UK GDPR and EU GDPR (collectively, "Applicable Data Protection Law").
2. Scope and Purpose
This DPA applies to the Processing of Personal Data by us on behalf of the Controller when providing our Services. We will Process Personal Data only:
- In accordance with the Controller's documented instructions
- For the purpose of providing our Services
- As required by applicable laws
2.1 Controller Obligations and Lawful Basis
The Controller acknowledges and agrees that they are solely responsible for:
- Determining and documenting the lawful basis for Processing under Applicable Data Protection Law (including consent, contractual necessity, legitimate interests, or other valid grounds)
- Providing clear and comprehensive information to Data Subjects about the Processing of their Personal Data
- Obtaining and maintaining valid consent where required by Applicable Data Protection Law, particularly for:
  - Processing of Special Categories of Personal Data
  - Processing Personal Data of minors
  - Direct marketing activities
  - International data transfers
- Responding to and managing Data Subject rights requests
- Maintaining records of Processing activities under their responsibility
- Implementing appropriate technical and organizational measures to ensure and demonstrate compliance
3. Nature and Purpose of Processing
We will Process Personal Data as necessary to provide our Services, including:
- Creating and managing user accounts
- Processing content uploaded or created by users
- Providing AI-powered quiz and educational content generation
- Managing sharing and collaboration features
- Providing customer support
- Processing payments and managing subscriptions
4. Types of Personal Data
The Personal Data Processed may include:
- Basic profile information (name, email)
- Authentication data
- Payment information (processed by our payment providers)
- User-generated content
- Usage data and analytics
5. Categories of Data Subjects
The Personal Data Processed concerns the following categories of Data Subjects:
- Customer's employees and authorized users
- Customer's students (if applicable)
- Other individuals whose data is included in content uploaded to our Services
6. Duration of Processing and Data Retention
We will Process Personal Data for the duration of our Service provision to the Controller, unless otherwise required by applicable law or agreed between the parties.
6.1 Specific Retention Periods
We apply the following retention periods to Personal Data:
- Active Accounts: Personal Data is retained for the duration of the service provision
- Inactive Accounts: After 12 months of inactivity, we may suspend or delete the account if no response is received within 30 days
- Deleted Accounts: Upon account deletion or contract termination:
  - Primary systems: Data is deleted within 30 days
  - Backup systems: Data is automatically deleted after 30 days following the primary deletion
- Log files and audit trails: Retained for up to 90 days for security and debugging purposes
- Third-party Retention: Some subprocessors may retain certain data for longer periods where legally required (e.g., payment processors for financial records)
7. Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit
- Access controls and authentication mechanisms
- Incident response procedures
8. Subprocessors
The Controller provides general authorization for us to engage subprocessors, provided that we:
- Maintain an up-to-date list of subprocessors in our Privacy Policy
- Impose data protection obligations on subprocessors through written agreements
- Remain liable for subprocessors' compliance with this DPA
Subprocessor | Purpose | DPA/Privacy Link |
---|---|---|
Hetzner | Primary hosting provider | DPA |
Cloudflare | Content delivery and security | DPA |
Google Cloud | Cloud infrastructure & AI services | DPA |
Solarwinds (Papertrail) | Log management and analysis | DPA |
OpenAI | AI services | DPA |
Google | Sign in with Google | DPA |
Apple | Sign in with Apple | Privacy Policy |
Mailgun | Email delivery | DPA |
Intercom | Customer support | DPA |
Stripe | Payment processing | DPA |
RevenueCat | Mobile subscription management | DPA |
Google Analytics | Web analytics | DPA |
This list may be updated from time to time. We will provide notice of any significant changes to our use of subprocessors through updates to this DPA.
9. Data Subject Rights
We will:
- Assist the Controller in responding to Data Subject requests
- Forward any Data Subject requests to the Controller
- Not respond to Data Subject requests without the Controller's authorization
10. Personal Data Breaches
In the event of a Personal Data breach, we will:
- Notify the Controller without undue delay
- Provide information about the nature and impact of the breach
- Cooperate in breach investigation and remediation
- Document all breaches and remedial actions
11. Data Protection Impact Assessments
We will provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities.
12. Audit Rights
We will:
- Make available information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits and inspections by the Controller
- Inform the Controller if any instruction infringes data protection laws
13. International Transfers
We will not transfer Personal Data outside the UK/EEA except:
- To countries with adequate protection levels as determined by relevant authorities
- Subject to appropriate safeguards (e.g., Standard Contractual Clauses)
- With the Controller's prior written consent
13.1 Transfer Mechanisms
For international transfers of Personal Data, we rely on the following mechanisms:
- Primary Transfer Mechanism: We use the European Commission's Standard Contractual Clauses (2021 version) together with the UK International Data Transfer Addendum to the EU Commission SCCs for all transfers outside the UK/EEA
- Subprocessor Transfers: Our subprocessors are contractually bound by:
  - Standard Contractual Clauses (SCCs)
  - UK Addendum where applicable
  - Additional safeguards as required by the Schrems II decision
- US Transfers: For transfers to the United States, we ensure our subprocessors:
  - Are certified under the EU-U.S. Data Privacy Framework (DPF) where applicable
  - Have implemented appropriate supplementary measures as required by the Schrems II decision
  - Maintain transparency about government access requests
The Controller acknowledges that these transfer mechanisms are necessary for the provision of our Services and consents to such transfers subject to the safeguards described above.
14. Return or Deletion of Data
Upon termination of Services, we will:
- Return or delete all Personal Data as requested by the Controller
- Delete existing copies unless required by law to retain them
- Ensure secure deletion of data from all systems
15. Liability
Each party's liability shall be subject to the limitations set out in the Terms of Service, except where prohibited by applicable law.
16. Contact Information
For privacy-related inquiries:
Email: [email protected]