Privacy Policy

The data controller for personal data processed via PluQuiz AI is [COMPANY LEGAL NAME], CUI [CUI], registered office at [ADDRESS], Romania.

For any privacy question or to exercise your rights, contact our privacy team at privacy@pluquiz.ai. Where a Data Protection Officer is appointed, you can reach them at dpo@pluquiz.ai.

We collect only what we need to run the service, bill you fairly, keep the platform safe, and improve it over time. Here's the full catalogue:

We do notprocess special-category data (health, biometric, political, religious) as part of our service. We do not knowingly collect the Romanian CNP (personal numerical code) or national ID numbers. If a quiz or uploaded document contains such data, it's your responsibility to remove it first.

Each processing activity has a specific purpose and legal basis:

Where legitimate interest is the basis, you have the right to object. For direct marketing, the objection is absolute.

We share data with trusted sub-processors who help us operate the service. Each is bound by a GDPR-compliant data-processing agreement and may only process data on our instructions. We disclose the categories of recipients below, as permitted by GDPR Article 13(1)(e).

A detailed list of specific sub-processors, together with the applicable safeguards, is available on request by emailing privacy@pluquiz.ai. We do not sell your personal data, and we do not share it with third parties for their own marketing.

We do not train machine-learning models on your personal data. Your prompts, inputs, AI outputs, quizzes, courses, and account data are not used to train PluQuiz models or third-party foundation models.

Our AI service providers operate on API-tier terms under which customer API traffic is not used to train their models. We minimise personal data in prompts and rely on contractual non-training commitments plus appropriate international-transfer safeguards.

Anonymised, aggregated statistics may be used internally to improve the service. These statistics cannot be linked back to you.

Your primary data stays in the EU. Some sub-processors are based outside the EEA — most commonly the United States, and, for optional features you enable, other jurisdictions.

We protect those transfers using:

• EU-US Data Privacy Framework (adequacy decision of 10 July 2023) for US recipients certified under the Framework.
• Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) for recipients not covered by an adequacy decision.
• Transfer Impact Assessments and supplementary measures (encryption in transit, access controls, data minimisation) where the recipient country lacks essentially equivalent data-protection law.

A copy of the relevant SCCs is available by emailing privacy@pluquiz.ai. Transfers under Article 49 derogations (for example to enforce legal claims) are used only where appropriate and are always documented.

We don't keep personal data longer than we need it. Retention periods by category:

You have extensive rights over your personal data. All requests are free (unless manifestly unfounded or excessive) and answered within one month — extendable by two further months for complex requests, with notice.

To exercise any right, email privacy@pluquiz.ai from the address on your account (or provide another verification). You can also delete your account directly from your account settings.

You have the right to lodge a complaint with a supervisory authority, in particular in the EU country of your habitual residence, place of work, or place of the alleged infringement. In Romania:

We protect your data with the technical and organisational measures expected of a modern SaaS:

• Encryption in transit (TLS 1.2+) and at rest.
• Row-level access controls, so one user's data cannot be accessed by another.
• Optional multi-factor authentication (TOTP authenticator apps) for your account.
• Principle-of-least-privilege access for our staff, with logging and audit.
• Card numbers are handled by a PCI-DSS-compliant payment processor and never stored by us.
• Regular security reviews, dependency scanning, and incident-response procedures.

No system is perfectly secure. If you discover a vulnerability, please report it to security@pluquiz.ai — we operate a good-faith disclosure policy.

PluQuiz AI is not intended for children under 16. Romanian Law 190/2018 does not derogate from the GDPR Article 8 default, so the age of digital consent in Romania is 16. We do not knowingly collect personal data from children under 16.

If you believe a child under 16 has created an account, please contact privacy@pluquiz.ai and we will delete the account.

PluQuiz AI uses automated processing to generate quizzes, grade quiz attempts, recommend content, and calculate credit costs. These decisions are not solely automated decisions with legal or similarly significant effects under GDPR Article 22 — their purpose is to produce study materials for your review, and a human can always override them.

We do not engage in any AI practice prohibited by the EU AI Act (Regulation (EU) 2024/1689), including emotion recognition in educational contexts, social scoring, manipulative exploitation, or biometric categorisation.

If a personal data breach occurs and is likely to pose a risk to your rights and freedoms, we will notify the Romanian DPA (ANSPDCP) without undue delay and, where feasible, within 72 hours of becoming aware, as required by GDPR Article 33.

Where the breach is likely to result in a high risk to you, we will notify you directly without undue delay and in plain language explaining what happened, what data was affected, what we're doing about it, and what you can do (Art. 34).

We may update this Privacy Policy to reflect changes in the service, law, or our processing. If a change has a material impact on your rights, we will give you at least 30 days' notice by email and in-app. Previous versions are archived — email privacy@pluquiz.ai to request one.

For postal correspondence: [COMPANY LEGAL NAME], Privacy Team, [ADDRESS], Romania.