Privacy and Cookie Policy – Quezmo

Last updated: February 7, 2026

At Quezmo we are committed to protecting your privacy. This Policy explains what data we collect, how we use it, and what rights you have as a user, in compliance with the General Data Protection Regulation (GDPR) and the Spanish Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD).

---

Table of Contents

1. Data Controller
2. Data we collect
3. Purpose of processing
4. Legal basis
5. Data recipients
6. Retention period
7. User rights
8. Data security
9. Content Moderation and Control
10. Minors
11. Cookies
12. Profiling and automated decision-making
13. Service and Feature Modifications
14. Modifications to this Policy
15. Contact and Data Protection Officer

---

1. Data Controller

Trading name: Quezmo
Owner: Albert Pérez Monfort
Tax ID: 39180247T
Address: Terrassa
Contact email: info@quezmo.com

---

2. Data we collect

a) Data provided by the user

• Registration data: Name, surname, email and password (encrypted).
• Profile data: User role (student, teacher, administrator).
• Generated content: Created quizzes, questions, quiz answers.
• Payment data: Billing and subscription information (processed by Stripe, we do not store card data).

b) Data generated by service usage

• Technical data: Session identifier, IP address, device and browser type, operating system.
• Activity data: Access dates and times, features used, error logs.
• Performance data: Quiz results, scores, response time.
• Gymkhana data: GPS coordinates when you participate in gymkhanas (only during the activity and with your explicit consent).

c) Data obtained from third parties

• AI generation: When you use the question generation feature, content processed by AI providers (Gemini, Groq) follows their respective privacy policies.

d) Data for advertising (Basic users only)

Users of the Basic (free) plan will see advertising within the application.

To show relevant ads, we may collect and process:

Advertising profile data:

• User role (student, teacher)
• Preferred language
• General educational interests (based on app usage)
• Topics of quizzes completed or created

Ad interaction data:

• Ads viewed
• Ad clicks
• Viewing time
• Viewing frequency

Technical data for advertising:

• Device advertising identifier (IDFA on iOS, AAID on Android)
• Device type and operating system
• Screen resolution
• Network information (not exact IP)

Advertising provider:
We use Google AdMob (Google LLC) to manage and display ads. AdMob may use its own cookies and tracking technologies according to its privacy policy.

Important:

• We DO NOT share personally identifiable data (name, email, etc.) with advertisers
• Advertisers receive only aggregated and anonymized data
• We DO NOT use minors' data for personalized advertising (COPPA compliance and child protection regulations)
• Gymkhana geolocation data is NEVER used for advertising

Advertising control:

• You can limit ad tracking from your device settings:
  • iOS: Settings > Privacy > Advertising > Limit Ad Tracking
  • Android: Settings > Google > Ads > Opt out of Ads Personalization
• You can remove advertising by subscribing to a Pro plan
• More information about AdMob: https://policies.google.com/technologies/ads

Legal basis:
Processing of data for advertising is based on your explicit consent (art. 6.1.a GDPR), which you can withdraw at any time from the app settings.

e) Data obtained through cookies

See the Cookies section below.

---

3. Purpose of processing

We use data for:

3.1 Main purposes (necessary for the service - legal basis: contract execution)

These purposes are essential to provide the service. If you do not accept processing for these purposes, you will not be able to use Quezmo:

• Account management: Create, maintain and manage your user account
• Authentication and security: Verify your identity and protect your account
• Platform features:
  • Allow creation, editing and management of quizzes
  • Process responses and calculate scores
  • Display results and statistics
  • Manage gymkhanas with geolocation (with separate consent)
• Subscriptions and payments: Manage subscriptions, process payments and issue invoices
• Technical support: Provide technical support and resolve incidents
• Essential communications: Send mandatory communications about the service:
  • Changes to Terms and Conditions or Privacy Policy
  • Scheduled maintenance or service interruptions
  • Security alerts or incidents on your account
  • Payment confirmations and invoices
  • Quiz expiration notifications
  • Responses to your support requests

3.2 Purposes based on legitimate interest

These purposes are justified by our legitimate interest in improving the service and ensuring its security:

• Service improvement: Analyze how Quezmo is used to detect problems and implement improvements
• Statistical analysis: Generate anonymized usage statistics (number of users, most popular quizzes, average time, etc.)
• Security and fraud prevention:
  • Detect and prevent fraudulent or inappropriate uses
  • Prevent cyber attacks and malicious activities
  • Identify and block infringing accounts
  • Monitor suspicious activities
• Content moderation: Review and remove content that violates usage rules
• Legal defense: Retain data necessary to defend ourselves against claims or disputes
• Technical optimization: Improve platform performance, speed and stability

Right to object: You can object to these processing activities at any time (except when necessary to comply with legal obligations or defend ourselves legally).

3.3 Purposes based on legal obligations

We process data when the law requires us to:

• Tax and accounting obligations: Retain invoices, payment data and other documents for legal periods (minimum 6 years)
• Court orders: Provide data when legally required (court orders, police requests)
• Child protection: Comply with child data protection regulations
• Security breach notification: Report security breaches to AEPD when required

3.4 Optional purposes (require your explicit consent)

We only process data for these purposes if you give us your explicit consent, which you can withdraw at any time:

• Geolocation in gymkhanas: Record your GPS location during gymkhanas (only when you actively participate)
• Promotional communications: Send you information about:
  • New Quezmo features or improvements
  • News and usage tips
  • Satisfaction surveys
  • Events or contests (if applicable)
• Personalized advertising (Basic plan only): Display relevant ads based on your educational interests
• Non-essential cookies: Use analytical, functional or advertising cookies (see Cookies section)
• Detailed analytics: Advanced analysis of behavior within the app to optimize user experience

Consent management:
You can manage your consents at any time from:

• Settings > Privacy within the app
• Contacting us at info@quezmo.com

Effects of withdrawing consent:

• Withdrawal does NOT affect the legality of processing prior to consent
• Some features may no longer be available (e.g., gymkhanas without geolocation)
• Promotional communications will cease immediately

3.5 Purposes we do NOT carry out

For transparency, we DO NOT use your data to:

• Sell or transfer personal data to third parties for commercial purposes
• Create discriminatory profiles or that may harm you
• Make automated decisions with significant legal effects without human intervention
• Continuous geolocation or tracking outside gymkhanas
• Send spam or unsolicited communications (beyond essential service communications)

---

4. Legal basis

Processing of your data is based on:

• Contract execution: Use of the application, account creation and subscription management (art. 6.1.b GDPR).
• Explicit consent: Geolocation in gymkhanas, non-essential cookies, optional communications (art. 6.1.a GDPR).
• Legitimate interest: Service improvement, technical security, fraud prevention (art. 6.1.f GDPR).
• Legal obligation: Retention of tax and accounting data (art. 6.1.c GDPR).
• Explicit consent: Personalized advertising for Basic users (art. 6.1.a GDPR).

---

5. Data recipients

Data is not sold or transferred to third parties for commercial purposes.

It may be communicated to:

5.1 Service providers (data processors)

These providers act under our supervision and only process data according to our instructions. All have contracts that guarantee confidentiality and security:

Infrastructure and hosting:

• Hetzner Online GmbH (Germany, EU)
  • Server and database hosting
  • Backup storage
  • Location: Data centers in Germany
  • Data processed: All application data
  • Guarantees: GDPR compliance (European provider)

Payment processing:

• Stripe, Inc. (USA, with operations in Europe)
  • Secure payment and subscription processing
  • Billing data storage
  • Data processed: Payment information, cards (tokenized), billing
  • Guarantees: PCI-DSS Level 1 certified, EU standard contractual clauses
  • Important: Stripe maintains card data; Quezmo NEVER stores it
  • Privacy policy: https://stripe.com/privacy

Email sending:

• Resend (USA)
  • Sending transactional emails (confirmations, notifications, support)
  • Data processed: Email, name, content of sent emails
  • Guarantees: EU standard contractual clauses
  • We do NOT use email for unsolicited advertising

Artificial intelligence (question generation):

• Google LLC - Gemini API (USA, with global servers)
  • AI question generation
  • Data processed: Text entered by user to generate questions (topics, contexts)
  • Guarantees: Google privacy policy, possible standard contractual clauses
  • Policy: https://policies.google.com/privacy
  • Important: Google may use API usage data to improve its services according to its policy
• Groq, Inc. (USA)
  • AI question generation (secondary provider)
  • Data processed: Text entered by user to generate questions
  • Guarantees: Groq privacy policy
  • Policy: https://groq.com/privacy-policy/

Note about AI: Content you enter to generate questions with AI may be processed by providers according to their policies. DO NOT enter sensitive personal data in AI requests.

Advertising (Basic users only):

• Google LLC - AdMob (USA, with global servers)
  • Management and display of ads within the app
  • Data processed: Advertising identifier, ad interaction data, general preferences
  • Guarantees: Google privacy policy
  • Policy: https://policies.google.com/privacy
  • Control: You can limit tracking from your device settings

5.2 Competent authorities

Only when legally required:

• Spanish Data Protection Agency (AEPD): Security breach notification when required
• Tax Agency: Tax and billing data (legal obligation to retain for 6 years)
• Law enforcement: Only in case of valid court or police request
• Courts and tribunals: In case of legal proceedings

In these cases:

• We will verify the legitimacy of the request
• We will only provide strictly necessary data
• We will inform you unless the law prohibits us

5.3 International data transfers

Some providers may process data outside the European Economic Area (EEA), especially USA. In these cases, we apply adequate safeguards:

Protection mechanisms used:

• Standard Contractual Clauses (SCC) approved by the European Commission
• Adequacy decisions: Some countries have EU adequacy recognition
• Additional security measures: Encryption, pseudonymization, access limitation

Main international transfers:

• USA: Stripe, Resend, Google (Gemini, AdMob), Groq
  • Guarantees: Standard contractual clauses, provider privacy commitments
  • Possible server locations: USA, Europe (depending on provider)

Right to information: You can request more information about specific guarantees applied to each international transfer by contacting us at info@quezmo.com.

5.4 We do not share data with

For transparency, we DO NOT share your data with:

• Data analysis companies for resale
• Data brokers or intermediaries
• Advertising agencies (beyond AdMob for Basic users with consent)
• Other educational apps or competitors
• Social networks (unless you do so yourself)
• Direct marketing companies

5.5 Security in communication with third parties

When we communicate data to service providers:

• We use encrypted connections (HTTPS/TLS)
• We apply minimization principle: only strictly necessary data
• We periodically review data processing agreements
• We will audit compliance with security measures when possible

---

6. Retention period

We retain your personal data only for the time necessary for the purposes for which it was collected, complying with GDPR retention limitation principles.

6.1 Active account

While your account is active and you use the service:

• We retain all data necessary to provide you with the service
• Data is kept updated according to your modifications
• There is no time limit while you continue using Quezmo

6.2 Inactive account

After 2 years of total inactivity (without logging in or using the service):

• We will send you an email notice 60 days before deleting the account
• We will offer you the possibility to export your data
• If you do not respond or access the account, we proceed with deletion
• You can reactivate the account by accessing before deletion

Exception: Accounts with active paid subscriptions are NOT considered inactive.

6.3 Account deletion (at your request)

When you request to delete your account:

Immediate deletion (maximum 30 days):

• Profile data (name, surname, email)
• Passwords and authentication tokens
• Personal preferences and settings
• Gymkhana geolocation data
• Active sessions (immediate closure)

Temporary retention (90 additional days):

• Partial responses from expired instances: Retained for technical recovery and backups
• Backups: Data may remain in automatic backups for up to 90 days
• After this period, they are automatically permanently deleted

Mandatory retention by law:

• Tax and billing data: Retained for 6 years (legal accounting and tax obligation)
  • Issued invoices
  • Payment and subscription data
  • Transaction history
• Legal basis: Article 30 of the Commercial Code and tax legislation

Retention for legal defense:

• Data necessary to defend ourselves against possible legal claims
• Retained until applicable legal actions prescribe:
  • Civil claims: up to 5 years
  • Administrative claims: according to specific regulations
• Only if there is an open litigation, threat of claim or justified need
• We do not retain data indefinitely "just in case"

6.4 Expired quiz instances

Started but not completed quizzes:

When a quiz automatically expires due to inactivity (30 days without completion):

• Partial responses are retained for 90 additional days
• Purposes of temporary retention:
  • Enable technical recovery in case of system error
  • Maintain backups
  • Comply with possible technical support requirements
• After 90 days: Automatic permanent deletion
• Not accessible by user once expired

6.5 Anonymized data

Fully anonymized data (without any possibility of re-identification):

• We can retain them indefinitely for statistical purposes
• Examples: Total number of users per month, most popular quizzes (without identifying authors), average response time
• Not personal data according to GDPR, therefore not subject to rights of access, rectification or deletion

6.6 Moderation and incident logs

Moderated or deleted content:

• Incident log: maximum 90 days (for affected user claims)
• Temporarily retained deleted content: maximum 90 days (for internal investigations or legal requirements)
• After 90 days: permanent deletion

Security incidents:

• Security incident logs: 5 years (GDPR article 33 obligation)
• Only data necessary to document the incident and measures adopted

6.7 Logs and technical records

Activity and security logs:

• Server logs (access, errors): maximum 12 months
• Authentication and session logs: maximum 6 months
• Security logs (fraudulent access attempts): maximum 24 months
• Purpose: Security, technical debugging, fraud prevention

6.8 Communications and support

Emails and communications:

• Technical support communications: maximum 2 years from incident resolution
• Sent transactional emails: maximum 1 year
• Newsletters and promotional communications: while you do not withdraw consent

6.9 Minor data

Special protection:

• When deleting a minor's account, data is deleted with maximum priority (maximum 7 days)
• We do not apply retention periods for legal defense in minor accounts without very specific justified cause

6.10 Retention period summary table

Data type	Retention period
Profile data (active account)	While account is active
Inactive account	2 years + 60 days notice
Profile data (after deleting account)	Maximum 30 days
Tax and billing data	6 years (legal obligation)
Expired quiz instances	90 days
Gymkhana geolocation	90 days after completion
Backups	Maximum 90 days
Security logs	12-24 months
Moderated content	90 days
Support communications	2 years
Data for legal defense	Until actions prescribe (max. 5 years)
Anonymized data	Indefinitely

6.11 Deletion certification

If you request it, we can provide you with a deletion certification of your personal data once the mandatory retention period has elapsed.

---

7. User rights

You have the right to:

• Access: Obtain information about the data we process about you.
• Rectification: Correct inaccurate or incomplete data.
• Erasure (right to be forgotten): Request deletion of your data.
• Restriction of processing: Restrict certain data uses.
• Portability: Receive your data in structured format and transmit it to another controller.
• Objection: Object to certain processing based on legitimate interest.
• Consent withdrawal: Withdraw consent at any time for consent-based processing.
• Not to be subject to automated decisions: Right not to be subject to decisions based solely on automated processing.

How to exercise your rights:

Send an email to: info@quezmo.com with subject "Rights exercise - Quezmo" indicating:

• Your full name
• The right you want to exercise
• Copy of ID or identification document

We will respond within a maximum of 30 days.

Claims:

If you consider that your rights have not been adequately addressed, you can file a claim with the Spanish Data Protection Agency (AEPD): www.aepd.es

---

8. Data security

8.1 Implemented Technical Measures

We apply appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction or alteration:

Communication security:

• HTTPS/TLS encryption in all communications between your device and our servers
• Updated and valid SSL/TLS certificates
• Passwords encrypted with bcrypt (secure hash algorithm)
• Authentication tokens with expiration and automatic renewal

Access control:

• Mandatory authentication to access the application
• Role-based permission management (admin, teacher, student)
• Sessions with expiration time
• Automatic closure of inactive sessions
• Protection against unauthorized access with login attempt limitation

Server protection:

• Firewall configured to allow only authorized traffic
• Intrusion detection and prevention system
• Regular security updates of operating system and software
• Continuous monitoring of suspicious activities
• Basic DDoS attack protection

Backups:

• Automatic daily database backups
• Encrypted stored copies
• Planned disaster recovery
• Periodic restoration tests

Secure development:

• Protection against SQL injection
• CSRF protection (Cross-Site Request Forgery)
• Validation and sanitization of all user inputs
• Rate limiting to prevent abuse

8.2 Organizational Measures

Limited internal access:

• Only authorized personnel have access to data
• Need-based access (principle of least privilege)
• Access logs and administrative activity auditing

Training and protocols:

• Staff trained in data protection and security
• Security incident response protocols
• Confidentiality agreements with collaborators

8.3 Limitations and Shared Responsibility

Recognition of limitations:

Although we apply robust security measures, no system is completely invulnerable. We cannot guarantee absolute security against:

• Sophisticated cyber attacks or zero-day vulnerabilities
• Third-party compromises (external service providers)
• Human errors or incorrect configurations
• Malicious actions by users with valid credentials

User responsibility:

The security of your data also depends on you:

• Keep your password secure and confidential
• Do not share your credentials with anyone
• Use strong and unique passwords
• Log out when you finish, especially on shared devices
• Keep your device and applications updated
• Do not access Quezmo from public WiFi networks without protection

8.4 Security Breach Notification

In case of security breach that poses a risk to your rights and freedoms, we will act according to GDPR:

Notification to authority:

• We will report the breach to the Spanish Data Protection Agency (AEPD) within a maximum of 72 hours from knowledge of the breach

User notification:

• If the breach poses a high risk to you, we will inform you without undue delay
• We will explain the nature of the breach, affected data and measures adopted
• We will indicate measures you can take to protect yourself

Incident log:

• We document all security breaches, including those not requiring notification
• We analyze each incident to improve security measures

8.5 Recommendations for Educational Centers

If you are an educational center managing student accounts:

• Implement secure password policies for teachers
• Train staff in security best practices
• Supervise student activity to detect inappropriate uses
• Periodically review permissions and access

---

9. Content Moderation and Control

User-generated content

As an educational platform, Quezmo allows teachers to create quizzes, questions and other content. We reserve the right to review, moderate and remove content that:

• Is illegal or infringes third-party rights.
• Infringes intellectual property rights (copyright, trademarks, patents).
• Constitutes plagiarism or unauthorized copying of third-party content.
• Contains sexual, pornographic or inappropriate material for minors.
• Promotes violence, hate, discrimination or harassment.
• Is offensive, defamatory or threatening.
• Incites illegal or dangerous activities.
• Has no educational purpose and constitutes inappropriate use of the platform.

Data processing in case of moderation

When we review or remove inappropriate content:

• We log the action: We keep a record of the incident (date, content type, involved user).
• Pattern analysis: We may analyze deleted content to improve automatic detection systems.
• Temporary retention: Deleted content may be temporarily retained (maximum 90 days) to:
  • Allow claims by affected user.
  • Internal investigations or legal requirements.
  • Improvement of detection algorithms.

Data processing in intellectual property infringement claims

When we receive an intellectual property infringement claim:

• Claimant data: We keep contact data and documentation provided by claimant.
• Infringing user data: We process data necessary to identify content author and notify them.
• Retention: Claim data is retained for 3 years for possible legal actions.
• Legal basis: Legitimate interest in intellectual property rights protection and legal obligation compliance.

Account suspension or deletion

In serious or repeat cases:

• We may temporarily suspend or permanently delete user accounts.
• Personal data is deleted according to established retention period.
• Incident logs are kept to prevent new fraudulent registrations.

User reports

We provide users with mechanisms to report inappropriate content:

• Data collected in reports: Reported content, reporting user (optional), date and reason.
• Report processing: Reports are reviewed within a maximum of 48-72 hours.
• Confidentiality: Reports are treated confidentially.

Legal basis

Content moderation is based on:

• Legitimate interest: Ensuring a safe and appropriate environment for the educational community (art. 6.1.f GDPR).
• Legal compliance: Legal obligations to prevent illegal content (art. 6.1.c GDPR).
• Contract execution: Terms and Conditions establish acceptable use rules (art. 6.1.b GDPR).

User rights

If your content has been deleted or your account suspended:

• You have the right to request information about the reasons.
• You can file a claim if you consider the action was unjustified.
• Contact us at info@quezmo.com with subject "Moderation claim".

---

10. Minors

Child protection is a priority for Quezmo. We apply specific measures to ensure appropriate processing of minor data.

10.1 Minimum age and parental consent

Minors under 14:

• Require explicit parental consent or legal guardian to register
• The father/mother/guardian must authorize registration and accept the Terms and Privacy Policy on behalf of the minor
• Consent must be obtained verifiably

Minors between 14 and 18:

• Can register themselves according to Spanish legislation (LOPDGDD)
• We recommend that parents/guardians be informed and supervise usage

Over 18:

• Do not require parental consent

10.2 Age verification

Procedures applied:

• We request date of birth during registration
• If user declares being under 14, parental consent is requested before completing registration
• We do not implement exhaustive age verification (we do not request ID or identification documents)

Limitations:

We recognize that minors may provide false age. If we detect a minor under 14 has registered without consent:

• We will immediately suspend the account
• We will contact the provided email address to request parental consent
• If consent is not obtained within 15 days, we will delete the account and data

10.3 Accounts managed by educational centers

Center management model:

When an educational center (school, high school, academy) manages minor student accounts:

Center responsibilities:

• The center acts as data controller for student data
• Must obtain parental consents according to applicable educational regulations
• Must inform parents/guardians about Quezmo usage
• Provides parents/guardians with a copy of Terms and Privacy Policy
• Manages rights exercise requests from minors or their parents/guardians

Quezmo role:

• We act as data processor on behalf of the educational center
• We provide necessary technical tools
• We implement appropriate security measures to protect minor data
• We process data according to center instructions and applicable regulations
• We are NOT responsible for obtaining parental consents (center responsibility)

Data Processing Agreement:

Educational centers wishing to use Quezmo to manage minor student accounts must formalize a Data Processing Agreement establishing data processing conditions.

Contact info@quezmo.com to formalize the agreement before starting.

10.4 Minor data processing

Data we collect from minors:

Same as adult users, but with additional protections:

• Name, surname, email (or parent/guardian email for under 14)
• Educational quiz responses
• Scores and results
• Geolocation data (gymkhanas only, with additional explicit consent)

Data we DO NOT collect from minors:

• Sensitive data (health, ethnic origin, religion, etc.)
• Personal photographs or images of the minor
• Financial data (minors cannot contract paid subscriptions)

Specific protections:

• We DO NOT use minor data for personalized advertising (COPPA compliance and child protection regulations)
• We do NOT profile minors for commercial purposes
• We DO NOT share minor data with third parties beyond strictly necessary for educational service
• Minor geolocation data has reduced retention (maximum 30 days)

10.5 Minor and parent/guardian rights

Parents/guardians have the right to:

• Access minor's data
• Rectify inaccurate data
• Request deletion of minor's account and data
• Object to certain processing
• Limit processing
• Withdraw consent at any time

Minors (14-18 years) can exercise their own rights, but we recommend that parents/guardians be informed.

How to exercise rights:

Send an email to info@quezmo.com with subject "Minor rights - Quezmo" including:

• Minor's name
• Relationship to minor (father/mother/legal guardian)
• Right to be exercised
• Copy of parent/guardian identification document and family book or document proving relationship

We will respond within a maximum of 30 days (priority for minor requests: 15 days).

10.6 Parental responsibility and supervision

It is the responsibility of parents/guardians to:

• Supervise minors' use of Quezmo
• Review content they access
• Ensure they use the application safely and responsibly
• Properly configure privacy of devices used by minors
• Teach minors good digital and privacy practices

Quezmo provides educational tools, but does NOT replace parental supervision.

10.7 Detection and deletion of minor accounts without consent

If we detect a minor under 14 has registered without consent:

1. Immediate account suspension until consent verification
2. Contact provided email address to request parental consent
3. If consent not obtained within 15 days: account and data deletion
4. Data is deleted with maximum priority (maximum 7 days)

Parents/guardians can request deletion of a minor's account at any time, without need for justification.

10.8 Notification to parents/guardians

When the educational center manages minor accounts, it is the center's responsibility to adequately inform parents/guardians about:

• Use of Quezmo for educational purposes
• Data to be processed
• Rights they can exercise
• How to contact the center and Quezmo for privacy matters

10.9 Training and awareness

We recommend to educational centers:

• Train teachers in minor data protection
• Establish clear protocols for Quezmo use with students
• Regularly inform parents/guardians about digital activities
• Educate students on responsible technology use

10.10 International regulatory compliance

In addition to GDPR and LOPDGDD, we take into account:

• COPPA (Children's Online Privacy Protection Act, USA): We do not collect data from minors under 13 without verifiable parental consent
• Local educational regulations: We respect specific minor protection regulations in educational environments

---

11. Cookies

Quezmo uses cookies to ensure correct service operation and improve user experience.

11.1 What are cookies

Cookies are small text files stored on your device (computer, tablet, phone) when you visit the platform. Cookies allow the website to remember your actions and preferences over a period of time.

Similar technologies:

In addition to cookies, we may use similar technologies such as:

• Local Storage: Local browser storage
• Session Storage: Temporary session storage
• Device identifiers: In mobile apps (IDFA, AAID)

In this section, when we say "cookies" we refer to all these technologies.

11.2 Types of cookies we use

11.2.1 Strictly necessary cookies (DO NOT require consent)

They are essential for basic Quezmo operation. They cannot be disabled because without them the service would not work:

Cookie name	Purpose	Duration	Owner
session_id	Maintain user session logged in	Session (until closing browser)	Quezmo
auth_token	Verify authenticated user identity	7 days	Quezmo
csrf_token	Protection against CSRF attacks	Session	Quezmo
cookie_consent	Remember your cookie preferences	1 year	Quezmo

Legal basis: These cookies are exempt from consent according to article 22.2 of LSSI (Information Society Services Law).

11.2.2 Functionality cookies (require consent)

They improve experience by remembering your preferences:

Cookie name	Purpose	Duration	Owner
user_language	Remember selected language	1 year	Quezmo
ui_preferences	Display settings (theme, text size, etc.)	1 year	Quezmo
quiz_draft_*	Save quizzes being edited	30 days	Quezmo

Effect of not accepting them: You will have to reconfigure preferences each time you access.

11.2.3 Analytical cookies

They help us understand how the application is used to improve it:

Cookie name	Purpose	Duration	Owner
_ga	Distinguish unique users (Google Analytics)	2 years	Google
_gid	Distinguish unique users (Google Analytics)	24 hours	Google
_gat	Limit request rate	1 minute	Google
analytics_session	Aggregate session tracking	Session	Quezmo

Data collected:

• Pages visited and time spent
• Most used features
• Device type, browser, operating system
• Traffic origin (how you arrived at Quezmo)
• Anonymized IP (last digits removed)

We DO NOT collect:

• Names or emails
• Quiz or response content
• Personally identifiable data

Provider: Google Analytics (Google LLC)

• Location: USA (international transfer with adequate guarantees)
• Privacy policy: https://policies.google.com/privacy
• Opt-out: https://tools.google.com/dlpage/gaoptout

Effect of not accepting them: Does not affect functionality, but makes it difficult for us to improve the service.

11.2.4 Advertising cookies (Basic users only, require consent)

They show relevant ads to free plan users:

Cookie name	Purpose	Duration	Owner
_gcl_au	Store and track conversions	3 months	Google
IDE	Show personalized ads	1 year	Google (DoubleClick)
test_cookie	Verify if browser accepts cookies	15 minutes	Google
Various AdMob cookies	Advertising targeting	Variable	Google AdMob

Data collected:

• Device advertising identifier (IDFA/AAID)
• Ad interactions
• Inferred advertising preferences

We DO NOT use for advertising:

• Minor data
• Gymkhana geolocation data
• Quiz or response content

Provider: Google AdMob (Google LLC)

• Privacy policy: https://policies.google.com/privacy
• Personalized ad management: https://adssettings.google.com

Effect of not accepting them: You will continue seeing ads, but not personalized (generic ads).

How to completely remove advertising: Subscribe to a Pro plan.

11.3 Cookie management and configuration

11.3.1 Cookie configuration panel (within Quezmo)

On first access to Quezmo, a cookie configuration panel is shown where you can:

• Accept all: Activate all cookies (functionality, analytics, advertising)
• Reject non-essential: Only activate strictly necessary cookies
• Configure: Choose individually which categories you accept

You can change your preferences at any time at:

• Settings > Privacy > Cookie management within the app

11.3.2 Configuration from browser

You can manage or delete cookies directly from your browser:

Google Chrome:

1. Menu (3 dots) > Settings > Privacy and security > Cookies and other site data
2. You can block all cookies, only third-party ones, or delete them
3. More information: https://support.google.com/chrome/answer/95647

Mozilla Firefox:

1. Menu > Settings > Privacy and security > Cookies and site data
2. You can manage exceptions and delete cookies
3. More information: https://support.mozilla.org/en-US/kb/cookies

Safari (macOS):

1. Preferences > Privacy > Manage website data
2. You can delete individual or all cookies
3. More information: https://support.apple.com/en-us/guide/safari/sfri11471/mac

Microsoft Edge:

1. Settings > Cookies and site permissions > Manage and delete cookies and site data
2. More information: https://support.microsoft.com/en-us/microsoft-edge

Safari (iOS):

1. Settings > Safari > Block cookies
2. Settings > Safari > Advanced > Website data > Remove all data

Chrome/Firefox (Android):

1. App settings > Privacy > Clear browsing data

11.3.3 Limit advertising tracking (mobile devices)

iOS (iPhone/iPad):

1. Settings > Privacy & Security > Tracking
2. Disable "Allow Apps to Request to Track"
3. Settings > Privacy & Security > Apple Advertising > Personalized Ads (disable)

Android:

1. Settings > Google > Ads
2. Enable "Opt out of Ads Personalization"
3. You can reset advertising identifier

11.4 Effects of disabling cookies

If you disable all cookies (including necessary ones):

• You will NOT be able to use Quezmo (you will not be able to log in)
• It's like trying to enter home without keys

If you disable only non-essential cookies:

• Quezmo will work correctly
• You will have to reconfigure preferences each time
• You will not contribute to usage statistics (anonymous)
• You will see generic ads (Basic users) instead of personalized

11.5 Cookie duration and expiration

Cookies have different durations:

Session cookies:

• Automatically deleted when closing browser or app
• Example: csrf_token, analytics_session

Persistent cookies:

• Remain on device until they expire or you manually delete them
• Maximum duration: 2 years (according to European regulations)
• Examples: auth_token (7 days), user_language (1 year), _ga (2 years)

11.6 Update of this section

This cookie section may be updated if:

• We add new features requiring cookies
• We change service providers (analytics, advertising)
• Applicable regulations change

We will notify significant changes through the cookie panel and this updated Policy.

11.7 Third-party cookies

Some cookies are set by third parties (service providers we use):

Third parties that may set cookies:

• Google Analytics: Web analytics
• Google AdMob: Advertising (Basic users only)
• Stripe: Payment processing (only during payment process)

Important: These third parties have their own privacy and cookie policies. Quezmo does NOT control third-party cookies.

11.8 More information about cookies

External resources:

• Spanish Data Protection Agency (AEPD): https://www.aepd.es
• Cookie information (allaboutcookies.org): https://www.allaboutcookies.org
• EU cookie guide: https://ec.europa.eu/info/cookies_en

Contact:

If you have any questions about the cookies we use, contact us at: info@quezmo.com with subject "Cookie inquiry".

---

12. Profiling and automated decision-making

Quezmo does NOT perform automated decisions with legal or similar effects on users based solely on automated processing.

AI features (question generation) are assistance tools requiring human review and validation. Teachers maintain full control over generated content and are responsible for its validation before using it with students.

---

13. Service and Feature Modifications

Right to modify service

Quezmo reserves the right to:

• Modify features: Add, modify or remove application features.
• Update platform: Implement technical improvements, design changes or new modules.
• Change subscription conditions: Modify plans, prices or usage quotas with adequate notice.
• Temporarily suspend service: For maintenance, updates or technical problem resolution.
• Discontinue features: Remove features that are no longer viable or appropriate.

Notification of significant changes

For modifications that substantially affect service use:

• Minimum 30 days notice for paid subscription changes.
• Minimum 15 days notice for removal of main features.
• Immediate notification within app for minor changes or improvements.

Notifications will be made through:

• Email to registered address.
• Prominent notice within app.
• Publication on website (if applicable).

Data processing in case of modifications

When features affecting data processing are modified:

• Update of this Policy: Changes in data processing will be reflected.
• New consent: If new consents are required, they will be explicitly requested.
• Data migration: Existing data will be adapted to new systems maintaining security and integrity.
• Data deletion: If a feature is removed, associated data will be processed according to established retention periods.

User cancellation right

If you do not agree with modifications:

• You can cancel your subscription without penalty.
• You can delete your account before changes take effect.
• Annual subscriptions will maintain contracted conditions until renewal.

Legal basis

Service modifications are based on:

• Legitimate interest: Continuous service improvement and technological adaptation (art. 6.1.f GDPR).
• Contract execution: Terms and Conditions allow these modifications (art. 6.1.b GDPR).

---

14. Modifications to this Policy

This Policy may be updated for:

• Changes in applicable legislation.
• New service features.
• Privacy practice improvements.
• Incorporation of new service providers.
• Changes in data processing performed.

Notification of modifications

Any significant change will be communicated through:

• Prominent notification within app.
• Email to registered address.
• Publication on this page with update date.

Acceptance of modifications

Continued use of service after publication of changes implies acceptance of updated Policy. If you do not agree with modifications, you can delete your account before they take effect.

---

15. Contact and Data Protection Officer

For any privacy and data protection questions:

Email: info@quezmo.com
Subject: "Privacy - Quezmo"

Data Protection Officer (DPO)

Quezmo is not required to appoint a Data Protection Officer according to article 37 of GDPR, as:

• We are not a public authority or body
• Data processing does not require large-scale regular and systematic monitoring
• We do not process special categories of data on a large scale

For any privacy and data protection queries, contact directly at info@quezmo.com.

Response time

We will respond to your queries within a maximum of 30 days from receipt of request.

---

Related documents:

• Terms and Conditions of Use

Last updated: February 7, 2026
Version: 1.0

---

Thank you for trusting Quezmo!