Data Processing Agreement
Last updated: March 16, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between McQuizzy Inc. ("Processor", "we", "us", or "our") and the user ("Controller", "you", or "your") for the use of the McQuizzy website at mcquizzy.com (the "Service").
This DPA applies where and only to the extent that McQuizzy processes Personal Data on behalf of the Controller in the course of providing the Service, and such Personal Data is subject to data protection laws and regulations, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the California Consumer Privacy Act ("CCPA").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Service.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
2. Scope of Processing
The Processor shall process Personal Data only for the purposes of providing the Service as described in our Terms of Service and Privacy Policy, and in accordance with the Controller's documented instructions.
Categories of Data Subjects
- Users of the Service (account holders)
- Team members invited by organizational accounts
Types of Personal Data
- Account information (name, email address)
- Authentication data
- Payment and billing information
- Usage and learning data (quiz responses, scores, progress)
- Content created or uploaded by the user
- Device and browser information
- IP addresses
Purpose of Processing
- Providing and maintaining the Service
- User authentication and account management
- Processing payments and managing subscriptions
- Generating personalized learning content using AI (quiz questions, study plans, insights)
- Analytics and service improvement
- Customer support
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in our Security Policy.
- Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller.
- Assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws.
- Assist the Controller in ensuring compliance with obligations related to the security of processing, notification of personal data breaches, and data protection impact assessments.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.
4. Sub-processors
The Controller acknowledges and agrees that the Processor may engage the following categories of Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and storage | United States |
| Railway | Application hosting | United States |
| Clerk | Authentication services | United States |
| Stripe | Payment processing | United States |
| Anthropic | AI content generation | United States |
The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes.
5. International Transfers
The Processor shall not transfer Personal Data to a country outside of the European Economic Area (EEA) unless appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- A determination that the recipient country provides an adequate level of data protection
- Binding Corporate Rules
- Other legally recognized transfer mechanisms under applicable data protection laws
6. Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall include:
- A description of the nature of the personal data breach
- The categories and approximate number of Data Subjects concerned
- The categories and approximate number of Personal Data records concerned
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests, including requests to:
- Access their Personal Data
- Rectify inaccurate Personal Data
- Erase their Personal Data
- Restrict processing of their Personal Data
- Receive their Personal Data in a portable format
- Object to the processing of their Personal Data
8. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
9. Term and Termination
This DPA shall remain in effect for the duration of the Controller's use of the Service. Upon termination of the Service, the Processor shall, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller within 30 days, unless applicable law requires continued storage.
10. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the United States, without regard to its conflict of law provisions. Where GDPR applies, the relevant provisions of GDPR shall take precedence.
11. Contact Us
If you have any questions about this Data Processing Agreement, please contact us at legal@mcquizzy.ai.