Privacy Policy

1. General Information

This Privacy Policy explains how Kwizie Oy (“Kwizie”, “we”, “us”, or “our”) processes personal data in connection with the Kwizie platform, websites, and related applications (collectively, the “Service”). It describes what data we collect, how we use it, on what legal bases, and how you can exercise your rights.

Kwizie is a Software-as-a-Service (SaaS) platform that allows users to transform videos, audio, slides, or documents into micro-credentialing courses with built-in assessments, certificates, and analytics. The Service is built for individuals and teams that need an end-to-end solution to create courses, generate tests, and certify skills in minutes.

This Privacy Policy applies to all personal data processed by Kwizie in connection with the Service, whether you are an individual user, a business customer, or an institutional partner.

Kwizie is committed to processing personal data lawfully, fairly, and transparently in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data-protection laws.

2. Controller and Contact Information

Controller
Kwizie Oy
Business ID: 3344169-7
Address: Hämeentie 31, 00500 Helsinki, Finland
Email: support@kwizie.ai

All privacy inquiries should be directed to the above email address.

3. Roles and Responsibilities

• Kwizie as Controller: Kwizie acts as the data controller for user-identification data, platform-usage data, billing data, and other information needed to operate and improve the Service.
• Kwizie as Processor: When an organization (e.g. a teacher, employer, or institution) uses Kwizie to manage learner or employee data, that organization acts as the data controller and Kwizie acts as the data processor under the Data Processing Addendum (DPA).

4. Eligibility and Children’s Privacy

Kwizie is not directed to children under 16 in the EEA or UK (or the lower age permitted by local law, never below 13), and under 13 elsewhere, in line with YouTube and COPPA requirements. If you are under the applicable age, you may only use the Service with verifiable parental or guardian consent or under a school-managed institutional account.

5. Purposes and Legal Bases of Processing

We process personal data only when necessary and on one or more of the following legal bases:

• Account creation, authentication, billing, and customer relationship management — processed on the performance of a contract.
• Platform operation, analytics, service improvement, and security monitoring — processed under legitimate interests of Kwizie. Kwizie also analyses aggregated usage and engagement data to understand how users interact with the Service, improve functionality, and ensure reliability. This may include limited behavioural analytics and cookie-based tracking as described in our Cookie Policy. We do not use this data for automated decision-making or profiling that produces legal effects.
• Marketing communications (e.g., newsletter opt-in) — processed on consent.
• Compliance with tax, accounting, and other legal obligations — processed under legal obligation.
• AI-assisted test and content generation — processed on the performance of a contract and/or consent.

Kwizie does not process special-category (sensitive) personal data (e.g., health, political opinions, religious beliefs) and asks users not to upload such data.

6. Categories of Personal Data

We collect and process the following categories of personal data:

• Account data: E.g. name, email address, password (hashed), organization, and role
• Usage data: IP address, device type, browser, access times, and interactions with the Service
• Content data: uploaded or linked files (videos, documents, audio, slides), manually entered questions and answers, assessments, results, certificates, and related metadata
• Billing data: subscription details and payment method (processed by Stripe), and transaction records
• Marketing data: preferences, newsletter subscriptions, and campaign engagement
• Cookies and analytics: see our separate Cookie Policy

We collect data directly from you, automatically through the Service, or from third-party services you integrate (e.g. YouTube, Google, or Stripe).

Data Sources: In addition to data you provide directly, we may also receive limited information from publicly available sources, our service providers (e.g., analytics or marketing partners), or institutional partners that integrate with Kwizie. Such data are used only for legitimate business or educational purposes in connection with the Service.

7. AI Features and Transparency

Kwizie provides AI-assisted tools that generate assessments, summaries, and metadata from your selected content.

• We only share the specific content you choose to process with third-party AI model providers to generate outputs at your request.
• We do not use your content or personal data to train AI models without your consent.
• Outputs may be inaccurate or incomplete; users remain responsible for reviewing and validating AI-generated results.
• Kwizie does not make automated decisions that produce legal or similarly significant effects.

Kwizie’s use and transfer of any information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

8. Retention of Personal Data

We retain personal data only for as long as necessary for the purposes described in this Policy:

• Educational / user data — stored while the account is active and deleted after 12 months of inactivity or upon user request.
• Marketing data — retained for up to 24 months after the last interaction or until the user opts out.
• Backups — limited backup copies are retained for up to 90 days after deletion for disaster-recovery purposes.
• Legal / billing data — retained as required by Finnish accounting and tax laws, typically for 6–10 years.

After these periods expire, all personal data are securely deleted or anonymized.

9. Recipients and International Transfers

We share personal data only with trusted third-party service providers who support our operations. These providers act as data processors under written agreements ensuring adequate protection.

Approved Sub-processors (as of this version):

• Amazon Web Services Oy, Hirsalantie 11, 02420 Jorvas, Finland – Hosting
• Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Dublin 2, Ireland – Payments

Additional sub-processors may be engaged with at least 7 days’ prior notice; an up-to-date list is available upon request.

International transfers:
Primary data storage is in the EU (AWS Finland). Limited transfers outside the EEA or UK (e.g. to Stripe US) occur under lawful safeguards such as EU Standard Contractual Clauses (SCCs) or the UK Addendum.

10. Security and Confidentiality

Kwizie applies appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include encrypted communications (HTTPS), access-control systems with individual credentials, monitored cloud infrastructure, firewalls, and routine vulnerability assessments. Access to personal data is strictly limited to authorized personnel and processors who require it for their duties.

Access to personal data is limited to authorized personnel and service providers who need it to perform their duties and are bound by confidentiality obligations.

If a personal-data breach occurs, Kwizie will notify the relevant authorities and affected users in accordance with GDPR.

11. Your Rights

As a data subject, you have the following rights under applicable data-protection law:

• Access – Obtain confirmation and a copy of your personal data.
• Rectification – Correct inaccurate or incomplete data.
• Erasure (“Right to be forgotten”) – Request deletion of your data where permitted by law.
• Restriction – Request limited processing in certain circumstances.
• Portability – Receive your data in a structured, machine-readable format.
• Objection – Object to processing based on legitimate interest or to direct marketing.
• Withdrawal of Consent – Withdraw any consent at any time (does not affect prior lawful processing).

To exercise your rights, contact support@kwizie.ai.
We may verify your identity before fulfilling requests. We aim to respond within one (1) month.

Where requests are manifestly unfounded, excessive, or repetitive, Kwizie may charge a reasonable fee or refuse to act on the request in accordance with GDPR.

If you believe your rights have been infringed, you have the right to lodge a complaint with your local data-protection authority.
In Finland, the supervisory authority is the Data Protection Ombudsman (tietosuoja.fi).

12. Marketing Communications

You may subscribe to Kwizie newsletters or product updates. These are sent based on consent (opt-in) or, for existing customers, under legitimate interest for similar services. You can unsubscribe at any time via the link in each email or by contacting us. We do not sell or rent personal data to third parties for marketing purposes.

13. Institutional and Educational Accounts

When Kwizie is provided through an institution (e.g. a school or employer), the institution is responsible for:

• Obtaining any required parental or guardian consent for minors;
• Providing appropriate privacy notices to its users; and
• Acting as the data controller for personal data processed through its institutional account.

Kwizie acts as a data processor for such data, subject to the Data Processing Addendum (DPA) referenced in the Terms of Use.

14. Data Transfers in Business Transactions

If Kwizie undergoes a merger, acquisition, reorganization, or asset sale, personal data may be transferred as part of that transaction under appropriate confidentiality and data-protection safeguards. You will be notified of any such change where required by law.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in technology, law, or our business practices.
Material changes will be announced via email or in-app notice before taking effect.
The latest version will always be available at kwizie.ai/privacy. For information about how we use cookies and similar technologies, please also refer to our Cookie Policy.

16. Change History

• 31 May 2023: First publication.
• 6 Mar 2024: Added Google API Services User Data Policy compliance.
• 16 Jul 2024: Clarified AI data-use limitations and document processing scope.
• 12th December 2024: Change of company address.
• 13 Nov 2025: Fully aligned with updated Terms of Use and Data Processing Addendum; clarified AI Transparency, age clarification, retention-period alignment, and controller/processor distinction.