Privacy Policy

How we handle your data

We collect the minimum data necessary. We store it in the EU. We don't sell it. Here's the full picture.

Last updated: April 9, 2026

- Data stored in: EU — Belgium
- Sells data? Never
- Analytics cookies? None on dashboard
- GDPR complaints: CNIL (France)

TheQuizMaster SAS is the data controller for the personal data of company users (HR managers, team members) who access the platform.

For candidate personal data, TheQuizMaster acts as a data processor on behalf of the company that sent the assessment (the data controller). See section 5 for details.

Contact: team@thequizmaster.io

We collect the minimum data necessary to operate the service.

Company users (admins, team members):
- Name and email address
- Account credentials (stored as hashed values — we never store plaintext passwords)
- Company name, industry, and team size provided at registration
- Usage data: assessments created, invitations sent, logins, feature interactions
- Billing information processed via Stripe (we do not store card numbers)

Candidates invited to assessments:
- Email address (provided by the hiring company)
- Assessment responses: code submissions, answers, time taken per question
- Execution logs from sandboxed code runs (ephemeral, used for scoring only)
- Completion timestamp and score

Technical data (all users):
- IP address and browser/device metadata (for security and fraud prevention)
- Session tokens (httpOnly cookies, not accessible to JavaScript)
- Error and performance logs (anonymized within 30 days)

Company user data is used to:
- Operate and maintain your account and team access
- Send transactional emails (invitation confirmations, billing receipts, security alerts) via Brevo
- Enforce plan limits and usage quotas
- Provide customer support when you contact us
- Improve the platform through aggregate, anonymized usage analytics

Candidate data is used to:
- Deliver the assessment experience (serve questions, execute submitted code, return results)
- Generate and display scores to the hiring company
- Allow candidates to resume interrupted assessments within the allowed time window

We do not use candidate data to train machine learning models. We do not sell any personal data to third parties. We do not send marketing emails to candidates.

We process personal data under the following legal bases:

Contract performance (Art. 6(1)(b)): Processing your account data and billing information to fulfil our service agreement with you.

Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and product analytics. Our legitimate interest is maintaining a safe and functional platform. This processing does not override your rights.

Legal obligation (Art. 6(1)(c)): Retaining billing records for the period required by French accounting law (10 years).

Candidate data: TheQuizMaster processes candidate data on behalf of the hiring company (the data controller). The hiring company is responsible for establishing its own lawful basis (typically legitimate interest in the hiring process) and providing candidates with appropriate privacy notices before sending assessments.

We use the following sub-processors to operate the platform:

Google Firebase / Google Cloud — Infrastructure, authentication, database (Firestore), and file storage. All data stored in europe-west1 (Belgium). Privacy policy: policies.google.com/privacy

Brevo (formerly Sendinblue) — Transactional email delivery (invitation emails, billing receipts, security alerts). Data center in EU. Privacy policy: brevo.com/legal/privacypolicy

Stripe — Payment processing and subscription management. Stripe is PCI DSS Level 1 certified. We share your billing email and company name with Stripe. Privacy policy: stripe.com/privacy

JDoodle — Sandboxed code execution for candidate assessment submissions. Code submitted by candidates is sent to JDoodle's API for execution and immediately discarded after results are returned. Privacy policy: jdoodle.com/privacy-policy

Railway — AI assessment generation backend. Used only when AI-assisted assessment creation features are invoked. Privacy policy: railway.app/legal/privacy

All sub-processors are bound by data processing agreements and are prohibited from using your data for any purpose other than providing services to TheQuizMaster.

Company user data: Retained for the duration of your active subscription, plus 90 days after termination to allow data export. You may request immediate deletion.

Candidate data: Retained as long as the assessment record exists in your account. When you delete an assessment or your account, associated candidate data is deleted within 30 days.

Billing records: Retained for 10 years as required by French accounting law (Code de commerce, Art. L123-22).

Security logs: Retained for 90 days, then anonymized.

You can request deletion of your data at any time by emailing team@thequizmaster.io. We will action deletion requests within 30 days.

If you are located in the European Economic Area, you have the following rights:

Right of access — Request a copy of the personal data we hold about you.

Right to rectification — Request correction of inaccurate or incomplete data.

Right to erasure — Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.

Right to data portability — Receive your data in a structured, machine-readable format (JSON or CSV).

Right to restrict processing — Request that we limit how we use your data while a dispute is resolved.

Right to object — Object to processing based on legitimate interests. We will cease unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent — Where processing is based on consent, you may withdraw at any time without affecting prior processing.

To exercise any of these rights, email team@thequizmaster.io. We will respond within 30 days. You also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) at cnil.fr.

Candidates: If you received an assessment from a company using TheQuizMaster and wish to exercise your rights, contact the company that invited you directly — they are the data controller for your assessment data. You may also contact us at team@thequizmaster.io and we will direct your request accordingly.

We use cookies and similar technologies for the following purposes:

Essential (required):
- Session authentication: an httpOnly, Secure cookie that maintains your login session. Cannot be disabled without breaking login.
- CSRF protection: a token to prevent cross-site request forgery attacks.

No analytics or advertising cookies. We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts on the authenticated dashboard.

On the marketing site (thequizmaster.io), we may use privacy-first analytics (no personal data, no cross-site tracking, EU-hosted). A cookie consent banner is displayed on first visit.

We implement appropriate technical and organizational measures to protect your data:

- All data in transit is encrypted via TLS 1.2 or higher
- Passwords are never stored — authentication is handled by Firebase Auth using industry-standard hashing
- Firestore security rules enforce row-level isolation: companies cannot access each other's data
- Invitation tokens are cryptographically generated (192 bits of entropy) and expire after 7 days
- Admin SDK access is server-only — client-side code cannot access admin-level Firestore operations
- Access to production systems is restricted to authorized personnel only

In the event of a personal data breach affecting your data, we will notify you without undue delay and no later than 72 hours after becoming aware, in accordance with GDPR Art. 33.

We may update this policy to reflect changes in our practices or applicable law. We will notify you by email at least 14 days before material changes take effect. The "last updated" date at the top of this page reflects the most recent revision.

Continued use of the platform after the effective date of changes constitutes acceptance of the updated policy.

For any privacy-related question, data request, or concern:

Email: team@thequizmaster.io
Website: thequizmaster.io

We aim to respond to all privacy enquiries within 5 business days and to formal data subject requests within 30 days as required by GDPR.
