Privacy Policy
Last updated: May 15, 2026. We process your data under EU GDPR. This page explains what we collect and why, in plain language.
1. About this policy
This Privacy Policy applies to quizlix.io and pubquiztool.com (together, "Quizlix"), operated by RPG Welten UG (haftungsbeschränkt), Stolzestraße 10, 44139 Dortmund, Germany ("we", "us"). It applies to anyone who visits our website, signs up for an account, hosts a quiz, or joins a quiz as a player. We are based in the EU and process data under the EU General Data Protection Regulation (GDPR) — this policy also describes specific rights for visitors from California (CCPA).
2. Summary (TL;DR)
- We collect only what we need to run your account, your quizzes, and your subscription.
- We never sell your personal data and never use Google Analytics. We use Meta Pixel (Facebook/Instagram) only after your explicit consent via the cookie banner — you can decline or withdraw any time.
- Card data is handled by Mollie (our payment processor) — we only store a payment token, not your card number.
- Want a copy of your data, or want it deleted? Email rezeption@pubquiztool.com — we respond within 30 days.
3. What we collect
- Account data: email address, password hash, display name (nickname), language preference, marketing-consent flag, and your IP address at the time of registration.
- Usage data: quizzes and questions you create, events you host, join codes you generate, players who join your events, scores, and event timestamps.
- Billing data: company name, billing address (street, city, country, VAT-ID where provided), invoice records, and a payment-method token issued by Mollie. We do not store credit-card numbers.
- Server logs: IP address, user-agent (browser), URL, timestamp, response code. Used for security, abuse prevention, and debugging. Kept 14 days, then deleted.
- Session cookie: a single first-party cookie named PQTSESSID, used to keep you logged in. No tracking cookies are set without your explicit consent.
- Analytics: Matomo, self-hosted by us in the EU, with IP-anonymization enabled. Page views are aggregated; we do not build personal profiles.
- Email events: opens / clicks of transactional emails (welcome, trial reminders, billing) for delivery diagnostics.
4. Where the data comes from
Most of the data we hold about you comes directly from you — you type it into a form (sign-up, quiz builder, billing). Some data is collected automatically when you use the service (server logs, session cookie, page views). A small amount comes from our sub-processors as part of providing the service: payment status from Mollie, mail-delivery status from Mailgun.
5. Why we process your data (purposes & legal bases)
- Run your account & deliver the service — Art. 6(1)(b) GDPR (contract performance).
- Process subscriptions and invoices — Art. 6(1)(b) GDPR (contract) + Art. 6(1)(c) GDPR (legal obligation, German tax law).
- Send transactional emails (welcome, trial reminders, payment confirmations, cancellations) — Art. 6(1)(b) GDPR (contract).
- Send marketing emails (only if you opted in) — Art. 6(1)(a) GDPR (consent). You can withdraw consent any time.
- Security, fraud and abuse prevention (server logs, rate-limiting) — Art. 6(1)(f) GDPR (legitimate interest in keeping the service safe).
- Aggregate product analytics (Matomo, self-hosted, IP-anonymized) — Art. 6(1)(f) GDPR (legitimate interest in product improvement).
6. Payments & billing
Subscriptions are processed by Mollie B.V. (Keizersgracht 313, 1016 EE Amsterdam, Netherlands), a regulated EU payment institution. When you upgrade, your card or PayPal data is entered directly on Mollie's servers — we never see it. Mollie returns a tokenized payment reference, which we store to charge subsequent renewals.
We retain invoices and billing records for 10 years, as required by §147 AO (German tax law). This applies even if you delete your account — billing records cannot be erased before that period for legal reasons.
7. Cookies & tracking
- Strictly necessary: PQTSESSID — first-party session cookie for login. No consent required.
- Analytics: Matomo, self-hosted by us, IP-anonymized. Set only if you give consent.
- Marketing / advertising: Meta Pixel (Facebook/Instagram), loaded only after you opt in via the cookie banner. We do not use Google Analytics, Google Ads, LinkedIn Insight, or any other third-party tracking pixels.
If you give marketing consent, the following cookies may be set:
| Cookie | Provider | Purpose | Lifetime |
|---|---|---|---|
| PQTSESSID | First-party | Login session | Session |
| qx_klaro_consent | First-party | Stores your consent choices | 180 days |
| _fbp | Meta (after consent) | Identifies browser for ad conversion measurement | 90 days |
| _fbc | Meta (after consent) | Stores the last click ID from a Facebook/Instagram ad | 90 days |
You can change your consent choice at any time using the "Cookie settings" link in the footer. Withdrawing consent stops the Meta Pixel immediately; existing _fbp / _fbc cookies can be deleted in your browser settings.
8. Sub-processors & international transfers
We use the following sub-processors to run the service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Application hosting, database, backups | Germany (EU) |
| Mollie B.V. | Payment processing | Netherlands (EU) |
| Mailgun (Sinch) | Transactional email delivery | EU region |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | USA (with EU edge servers) |
| Meta Platforms Ireland Ltd. | Meta Pixel — ad conversion measurement (only after consent) | Ireland (EU); parent in USA |
Cloudflare may process metadata (IP, request headers) on US infrastructure. Meta Pixel data is collected by Meta Platforms Ireland Ltd. as joint controller for the collection step and transferred to Meta Platforms, Inc. in the USA. Both transfers are covered by the EU–U.S. Data Privacy Framework (DPF) — Cloudflare and Meta Platforms, Inc. are DPF-certified — and by Standard Contractual Clauses as a fallback. Meta Pixel is loaded only after your explicit consent (Art. 6(1)(a) GDPR + Art. 49(1)(a) GDPR for the US transfer). All other personal data is stored in EU data centres.
9. How long we keep data
- Account & usage data: until you delete your account.
- Database backups: up to 30 days, then overwritten.
- Server logs: 14 days, then deleted.
- Invoices & billing records: 10 years (§147 AO).
- Marketing-consent flag & email-event log: until you withdraw consent or unsubscribe (then 3 years for proof of consent).
- Support tickets & emails: 3 years from closure.
10. Your rights (GDPR)
If you live in the EU/EEA, you have the right to:
- Access the personal data we hold about you (Art. 15 GDPR).
- Rectify inaccurate data (Art. 16).
- Erase your data (Art. 17) — subject to billing-record retention required by law.
- Restrict processing (Art. 18).
- Receive a copy of your data in a portable format (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent for marketing emails any time (Art. 7(3)).
To exercise any right, email rezeption@pubquiztool.com. We respond within 30 days. We may ask you to confirm identity to prevent abuse.
11. California residents (CCPA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA / CPRA):
- Right to know what personal information we collect about you, why, and with whom we share it (covered above).
- Right to delete personal information we hold about you, subject to legal exceptions (e.g. tax records).
- Right to opt out of sale: We do not sell or share personal information with third parties for cross-context behavioural advertising. There is nothing to opt out of.
- Right to non-discrimination when you exercise any of these rights.
Email rezeption@pubquiztool.com to make a CCPA request. We respond within 45 days.
12. Emails we send you
Transactional emails — sent to all users as part of running the service, no consent required:
- Welcome email at sign-up
- Trial reminders on day 7 and day 13
- Subscription confirmation after payment
- Failed-payment notification (so you can update your card)
- Cancellation confirmation
Marketing emails (product updates, tips, promotions) are only sent if you actively opted in at sign-up or in account settings. Every marketing email contains a one-click unsubscribe link.
13. Security measures
- TLS 1.2+ for all data in transit (Cloudflare + Hetzner).
- Passwords stored as bcrypt hashes — we cannot read them.
- Database on private network, encrypted backups, daily snapshots.
- Access control: SSH-CA-based admin access, no password logins, 2FA where supported.
- Rate-limiting on login, registration, password-reset endpoints.
- Monitoring for unusual error rates and intrusion attempts.
No system is 100% secure. If we ever discover a breach affecting your data, we'll notify you within 72 hours as required by Art. 33–34 GDPR.
14. Automated decisions & profiling
We do not make automated decisions with legal or significant effects on you (no automated credit scoring, no shadow-banning, no AI-based account suspensions). The only automation that touches you is operational: scheduled trial reminders, failed-payment notifications, and abuse-prevention rate-limiting. A human reviews any account action with consequences (chargeback, abuse complaint).
15. Contact & complaints
Privacy questions or requests: rezeption@pubquiztool.com · RPG Welten UG (haftungsbeschränkt), Stolzestraße 10, 44139 Dortmund, Germany.
You also have the right to lodge a complaint with a supervisory authority. Our competent authority is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestr. 2–4, 40213 Düsseldorf — ldi.nrw.de.
The German version (Datenschutzerklärung) is the legally binding original. This English translation is provided for convenience and is materially equivalent.