GDPR Compliance and Data Processing

Last updated September 19, 2025

Introduction

This page explains how Quizify handles personal data under the EU General Data Protection Regulation. It describes Quizify’s role and responsibilities, what our customers who create quizzes and forms must do, and what people who fill out forms need to know. If you are a Quizify customer building and sending forms, please read this page so you can meet your obligations as the data controller. For questions, contact support@quizify.io.

Scope

This page applies to the following categories of data and processing activities:
• Responses collected through quizzes, forms, and surveys built with Quizify.
• Account, billing, and support data that Quizify collects to operate the service.
• Integrations, exports, and synchronizations customers configure to send data to third party tools.

Roles and responsibilities

Quizify role summary
• Processor for form response data: When a customer uses Quizify to create and send a quiz, form, or survey, that customer is the data controller for the collected responses. Quizify acts as the processor and only processes response data on the controller’s documented instructions.
• Controller for account data: Quizify is the data controller for personal data we collect to manage customer accounts, subscriptions, billing, and support.

What this means in practice
• Customers decide the purposes and lawful basis for collecting responses and must inform respondents.
• Quizify implements technical and organizational measures to protect data while acting as processor.
• Customers are responsible for their compliance obligations as controllers including providing privacy notices, obtaining lawful bases, and responding to data subject requests related to responses.

Data we process on behalf of customers
Examples of personal data Quizify may process as a processor on behalf of a customer:
• Answers and form responses including free text, selections, scores, and computed results.
• Files and media uploaded by respondents.
• Respondent metadata such as IP address, timestamp, user agent, and submission identifiers.
• Any additional personal data fields the controller chooses to collect in a questionnaire.

Data we control as controller
When Quizify is the controller we collect and process:
• Customer account records such as contact names, emails, company information, and billing records.
• Support and communications logs used for troubleshooting and assistance.
• Platform usage and analytics necessary to operate and improve the service.

Subprocessors and their roles
We engage subprocessors to provide hosting, email, chat, billing, and related services. Current subprocessors include:
• Cloudways for application hosting and infrastructure.
• Brevo for email marketing communications.
• Zeptomail for transactional and notification emails.
• Charla for in-app chat and support.
• Paddle for subscription management and billing.

A full and up-to-date subprocessors list and their roles will be included in our DPA and is available on request via support@quizify.io. We will notify customers of new subprocessors where required by contract or law.

International transfers
Data processed by Quizify may be transferred and stored outside the European Economic Area. Transfers are protected using appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms. Specific transfer locations and safeguards are documented in the DPA and available on request via support@quizify.io.

Lawful basis and controller obligations
• For responses collected by a customer, that customer is responsible for selecting the lawful basis for processing (consent, contract, legitimate interests, legal obligation, or vital interests) and for informing respondents.
• For account and billing data, Quizify processes personal data where necessary to perform the contract with the customer and to meet legal obligations.

Data Processing Addendum

What a DPA is
A Data Processing Addendum is a contract between a data controller (the customer) and a data processor (Quizify). It documents how the processor will handle personal data on the controller’s behalf, lists subprocessors, identifies security measures, and sets out terms for transfers, breach notification, and audit support.

Why controllers need a DPA
Controllers should have a written contract with any processor that handles personal data on their behalf to meet GDPR obligations. The DPA is the document that provides this contractual assurance.

How to get Quizify’s DPA
Quizify provides a DPA to customers. Customers can request it or sign it from their account, or request a copy from support@quizify.io. Enterprise customers may request tailored contractual terms and additional controls.

Data retention and deletion

• Customer control over retention: Customers control retention for response data. Use your Quizify settings to configure retention periods, export schedules, or automatic deletion where available.
• Account data retention: Quizify retains account, billing, and support data for as long as necessary to provide services and to comply with legal obligations.
• Deletion on request: Customers can delete submissions from the dashboard or via API. If a customer requests deletion of data that Quizify controls, we will act according to our policies and applicable law.

Exporting, syncing, and integrations
• Export options: Customers can export response data via CSV, JSON, API, webhooks, or native integrations.
• Responsibility for recipients: Exports, syncs, and integrations are initiated by the customer. The customer is responsible for the lawful basis and contractual relationship with any receiving party. Quizify supplies the integration tools but does not control how receiving services handle that data.
• Guidance: Customers should review the privacy and security terms of third party integrations and record subprocessors used in their own privacy notices.

Respondent rights and how to exercise them
If you filled out a quiz, form, or survey and want to exercise your GDPR rights (access, rectification, erasure, restriction, objection, portability), note the following:
• Primary contact is the controller: The organization that sent the form is normally the data controller and is responsible for responding to requests about submission data. Check the form or the sender’s privacy notice for controller contact details.
• If you do not know the controller contact: Contact support@quizify.io and we will try to identify the account associated with the form and assist you as allowed by law and to protect our customers’ privacy. Where Quizify is a processor, we will only act on documented instructions from the controller.
• Requests about account data: If your request concerns your data held by Quizify (account or billing information), contact support@quizify.io and we will handle it under applicable law.

How Quizify assists controllers with data subject requests
Quizify will assist controllers in responding to data subject requests to the extent reasonably possible and as required by law and the DPA. We will not independently disclose response data to a data subject without the controller’s instruction unless required by law.

Data breach notification
If Quizify discovers a security incident affecting customer data, we will follow our incident response plan and notify affected customers without undue delay and within applicable statutory timeframes. Customers remain responsible for notifying their own respondents where required under their obligations as controllers.

Cookies and tracking
• Quizify uses cookies and similar technologies for authentication, performance, analytics, and preferences. Customers embedding quizzes may also set cookies for their own purposes.
• Respondents should consult the form owner’s privacy notice for information about cookies set by that controller. For details about Quizify cookies see the cookie settings in the admin area.

Audit and compliance support
• Audit assistance: We provide documentation and reasonable assistance for customer compliance needs including subprocessors lists, security summaries, and questionnaire support. Contact support@quizify.io for audit requests.
• Certifications: Any third party certifications and assessment summaries are listed on our security page and included where appropriate in the DPA.

Limitation of Quizify liability for controller decisions
Quizify provides the platform and processes data according to customer instructions. We do not control what customers collect, who they send data to, or how they use the data. Customers are responsible for ensuring their use of Quizify complies with data protection laws. Quizify is not responsible for controller decisions about data collection, lawful basis, retention, or onward sharing.

Changes to this page
We may update this GDPR page and the DPA from time to time. The date of the last update will be shown at the top. Significant changes will be communicated to customers via their account contact email.

Contact and supervisory authority
For questions about this page, to request the DPA, or for assistance contact support@quizify.io. If you believe your GDPR rights have been violated you may lodge a complaint with your local supervisory authority.

Template privacy notice for form creators to place on forms
The organization named on this form is the controller of the personal data collected through this questionnaire. Quizify.io processes your responses on behalf of the controller. The controller is responsible for providing information on the purposes, lawful basis, retention period, and contact details for data subject requests. If you have questions about how your responses are used or wish to exercise your rights, please contact the organization that sent you this form. If you cannot find that information, contact support@quizify.io and we will assist where possible.

Appendix Data Processing Addendum starter

Data Processing Addendum template
This Data Processing Addendum (DPA) is an attachment to the Agreement between the Customer (controller) and Quizify (processor).

1 Parties and scope
1.1 This DPA applies when Quizify processes personal data on behalf of the Customer in connection with the provision of the Quizify service.
1.2 The subject matter is processing of questionnaire responses and related metadata. The DPA covers processing during the term of the Agreement and thereafter as required to meet legal obligations.

2 Roles
2.1 Customer is the controller and Quizify is the processor for personal data contained in responses to quizzes, forms, and surveys. Quizify is the controller for Customer account, billing, and support data.

3 Categories of data and data subjects
3.1 Types of personal data include responses, free text, attachments, metadata (IP addresses, timestamps), and other fields supplied by the Customer.
3.2 Data subjects include respondents to Customer forms and Customer account users.

4 Processing instructions and purpose
4.1 Quizify will process personal data only on documented instructions from the Customer unless required to do otherwise by EU law. Processing is limited to providing the service, performing related maintenance, and complying with legal obligations.

5 Security measures
5.1 Quizify will implement appropriate technical and organizational measures including encryption in transit, access controls, logging, secure development practices, backups, and vulnerability management. A detailed security addendum is available on request.

6 Subprocessors
6.1 Quizify may engage subprocessors to provide parts of the service. Current subprocessors include Cloudways, Brevo, Zeptomail, Charla, and Paddle.
6.2 Quizify will maintain a list of subprocessors and will notify the Customer of additions. Customers may review subprocessors via the DPA or by contacting support@quizify.io.

7 International transfers
7.1 Transfers of personal data outside the EEA will be subject to appropriate safeguards such as Standard Contractual Clauses or equivalent lawful mechanisms.

8 Data subject rights assistance
8.1 Quizify will assist the Customer in responding to data subject requests to the extent reasonably possible and as required by law and this DPA.

9 Breach notification
9.1 Quizify will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer data and will provide reasonable information and assistance.

10 Deletion and return
10.1 On termination of the Agreement Quizify will, at the Customer’s choice, delete or return Customer personal data in accordance with the Agreement and applicable law unless retention is required by law.

11 Audit and compliance
11.1 Quizify will make available information necessary to demonstrate compliance and will allow audits subject to confidentiality and reasonable notice.

12 Liability and indemnity
12.1 Liability will be handled as set out in the Agreement except where mandatory law provides otherwise.

13 Contact details
13.1 Controller contact: Customer details as provided in the Agreement.
13.2 Processor contact: support@quizify.io