Your data, plainly explained.

QuizRun is operated by PowerisTsutsun ("we," "us," "our"). You can reach us at revonvalence@live.com.

This Privacy Policy explains what data we collect when you use QuizRun at quizrun.app, why we collect it, who we share it with, and what choices you have. By using QuizRun you agree to the practices described here.

2.1 Information you give us directly

• Account credentials. Your email address and a password. Passwords are hashed and stored by our auth provider (Supabase); we never see or store the plaintext. Your email address is never shown to other users.
• Username. A public handle you choose at sign-up (3–30 characters, letters/numbers/underscores). This is the only identity information shown to other users — on quizzes, comments, and the share log. You can change it any time in Account settings.
• Two-factor authentication. If you enable TOTP, we store a factor secret in Supabase Auth so we can verify codes you generate from your authenticator app.
• Content you create. Quizzes, questions, descriptions, answers, comments, and stars you create or perform inside QuizRun.
• Files you upload. PDFs, documents, and images uploaded so we can extract their text and generate questions from them. We cache the extracted text on a record we keep until you delete the upload.
• Tip jar URL. If you set a tip link (Ko-fi, Buy Me a Coffee, etc.), we store that URL and show it on your public quizzes. You can remove it at any time.
• Billing information. We hand payment off to Stripe, which collects and stores your card information directly. We only store the resulting Stripe customer/subscription identifiers and the plan you are on.

2.2 Information we collect automatically

• Session cookies. Supabase Auth sets a session cookie so you stay signed in. It identifies you to our servers and is required for the app to work.
• Usage logs.Each time you generate or extract content with AI, we record which feature was used, which model ran, how many tokens were consumed, and what it cost us. We use this to manage pricing and prevent abuse. We do NOT log the content of your prompts or files in this record — your actual content is stored separately on the upload record (see 2.1 "Files you upload").
• Private share log. If someone opens a private or unlisted quiz of yours while signed in, we record their username and the time, and show that record only to you. This does not apply to public quizzes. Anonymous visitors to unlisted quizzes are not tracked.
• Standard request metadata. Our hosting and database providers (Vercel, Supabase) keep short-lived logs of HTTP requests, including IP addresses, for security and operational reasons.

2.3 What we do NOT collect

• We do not run analytics, advertising, or third-party tracking scripts.
• We do not sell your data, ever.
• We do not use your private content to train any AI model.
• We do not expose your email address to other users under any circumstances.

• To run the service: store your quizzes, sign you in, render pages, deliver email.
• To generate AI questions from your uploads, by sending the extracted text or image content to Anthropic for inference. See section 4 for what they do with it.
• To send a small number of transactional emails (signup confirmation, password reset, billing notices).
• To bill you for paid plans via Stripe.
• To investigate suspected abuse or breaches of these terms.

We use the following processors to run QuizRun. None of them sell your data; each one processes it only on our instructions.

• Supabase — stores your account, content, uploads, and session cookies. Database hosted in the United States. Privacy policy: supabase.com/privacy.
• Anthropic— when you generate quizzes from a file, the extracted text (and, for images, the image itself) is sent to Anthropic's API for inference. Per Anthropic's API terms, inputs and outputs are not used to train their models, and they retain content briefly only for abuse-prevention purposes. See: anthropic.com/privacy.
• Vercel — hosts the web application and keeps standard request logs. Privacy: vercel.com/legal/privacy-policy.
• Stripe — handles card data directly. We never see or store your full card information. Privacy: stripe.com/privacy.

You choose the visibility of every quiz you create:

• Private — only you can see it.
• Unlisted— accessible to anyone who has the share URL, but not listed on the public home page. Each signed-in opening is recorded in your private share log, showing the viewer's username (not their email).
• Public — listed on the public home page and visible to anyone, including unauthenticated visitors. Stars and comments on public quizzes are visible to everyone. Your username appears as the author; your email is never shown.

You can change a quiz's visibility at any time. Switching from public/unlisted back to private clears the share link, so previously-shared URLs stop working. Comments and stars persist across visibility changes; if you want them removed, delete the parent quiz.

Other users can fork your public or unlisted quizzesinto their own library. A fork is a separate copy; edits to your original do not flow into other people's forks.

We keep your data for as long as your account is active. When you delete your account (Account settings → Danger zone), we immediately delete your profile, quizzes, questions, attempts, uploads (including extracted text), comments, stars, share-view logs, usage records, two-factor factors, and any subscription mapping. Backups may retain residual data for up to 30 days before being overwritten.

When you delete an individual quiz, all of its questions, attempts, comments, stars, and fork-relationship records are cascaded automatically. Other users' existing forks of your quiz are not deleted — they are independent copies — but their back-reference to your original is cleared.

You can:

• Access and export your data — most of it is visible inside the app; email us if you want a machine-readable dump.
• Correct your username and account email through Account settings.
• Delete individual quizzes anytime, or your entire account from Account settings → Danger zone. Account deletion is permanent and removes everything we hold about you (see section 6 for the cascade).
• Object to specific processing by emailing us.

If you're in the European Economic Area, the UK, or California, you have additional rights under the GDPR / UK GDPR / CCPA — including the right to lodge a complaint with your local data protection authority.

All connections to QuizRun are encrypted with TLS. Passwords are hashed by Supabase Auth. Two-factor authentication (TOTP) is available and recommended. Sensitive server-side keys (Anthropic API key, Supabase service role key, Stripe webhook secret) are stored in Vercel environment variables and never exposed to your browser.

We do our best, but no online service is bulletproof. If we ever discover a breach that affects your data, we'll notify you by email and update this page within 72 hours of confirming it.

QuizRun is not intended for children under 13 (or under 16 in the European Economic Area). If you are under that age, please don't create an account. If we learn we've collected data from a child without parental consent, we'll delete it.

Our database and AI infrastructure are hosted in the United States. If you are accessing QuizRun from outside the US, your data is transferred and processed there. The processors listed in section 4 maintain Standard Contractual Clauses or equivalent mechanisms for international transfers.

When we make a material change, we'll update the "Last updated" date at the top of this page and, where the change is significant, send a notice to your account email. Continued use of QuizRun after a change means you accept the updated policy.

Questions, deletion requests, or data-protection issues: email us at revonvalence@live.com.