Legal
Privacy Policy
Last updated: 1 April 2026
1. Who we are
Foundry Apps Ltd (“we”, “us”, “our”) is the data controller for personal data collected through QuizForge (https://quiz.foundryapps.co.uk). We are registered in England and Wales.
This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data we collect
We collect the following categories of personal data:
Account data
- Email address (required to create an account)
- Display name (optional, set by you)
- Password (stored as a salted hash — we never see it in plain text)
- Account creation date and last sign-in time
Usage data
- Quiz answers, scores, and session timestamps
- Streak counts and XP totals
- Category performance statistics
- Feature interactions (e.g. which leaderboards you view)
Payment data
- If you subscribe to QuizForge Pro, billing is handled entirely by Paddle. We receive a customer ID and subscription status from Paddle but never see your full card number, sort code, or bank details.
- Paddle's privacy policy applies to data processed during checkout.
Technical data
- IP address (used for rate-limiting and fraud prevention)
- Browser type and version
- Device type and operating system
- Pages visited and time on page (via PostHog analytics)
- Referring URL
3. Legal basis for processing
| Purpose | Legal basis |
|---|---|
| Providing the QuizForge service | Contract performance (Art. 6(1)(b) UK GDPR) |
| Processing payments and managing subscriptions | Contract performance |
| Sending transactional emails (e.g. password reset) | Contract performance |
| Product analytics and improvement | Legitimate interests (Art. 6(1)(f) UK GDPR) |
| Security, fraud prevention, and abuse detection | Legitimate interests |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c) UK GDPR) |
| Marketing emails (opt-in only) | Consent (Art. 6(1)(a) UK GDPR) |
4. How we use your data
- To create and maintain your account
- To deliver the quiz service and track your progress
- To display leaderboards (using your display name, not email)
- To process subscription payments via Paddle
- To send you transactional emails (account confirmation, password reset, billing receipts)
- To analyse usage and improve the product using aggregate, anonymised data where possible
- To detect and prevent fraud, abuse, and security incidents
- To comply with our legal obligations
We do not sell your personal data. We do not use your data for automated profiling that produces legal or similarly significant effects.
5. Third-party processors
We share data only with trusted processors who are contractually bound to protect it:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication | EU (AWS eu-west-2) |
| Vercel | Application hosting and CDN | EU / UK edge nodes |
| Paddle | Payment processing and billing | UK / US |
| PostHog | Product analytics | EU |
We do not transfer your data to countries outside the UK/EEA without appropriate safeguards (Standard Contractual Clauses or adequacy decisions).
6. Data retention
- Account data: Retained for as long as your account is active, plus 90 days after deletion to allow recovery if requested.
- Quiz and performance data: Retained for the duration of your account. Anonymised aggregate statistics may be retained indefinitely.
- Payment records: Retained for 7 years to comply with HMRC requirements.
- Server logs: Retained for 30 days, then automatically deleted.
7. Cookies
| Cookie | Purpose | Duration |
|---|---|---|
| sb-auth-token | Supabase authentication session | Session / 1 week |
| ph_* | PostHog analytics (anonymised) | 1 year |
We do not use advertising or third-party tracking cookies. You can disable cookies in your browser settings, but some features (such as staying signed in) will not work without session cookies.
8. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate or incomplete data
- Erasure — request deletion of your data (“right to be forgotten”)
- Restriction — ask us to pause processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, email us at privacy@foundryapps.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including TLS encryption in transit, encrypted database storage, row-level security policies, and access controls limiting who can view production data.
10. Children
QuizForge is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to this policy
We may update this policy from time to time. We will notify you of material changes by email or by displaying a notice in the app. Continued use of QuizForge after the effective date constitutes acceptance of the updated policy.
12. Contact us
For any privacy-related questions or requests, contact us at:
Foundry Apps Ltd
privacy@foundryapps.co.uk