PRIVACY POLICY

QVault-Assessments Privacy Policy

Effective date: 2026-03-10

Last updated: 2026-04-21

QVault-Assessments ("QVault", "we", "our", "us") provides quiz and assessment tooling for teachers and students.

This Privacy Policy explains how we collect, use, store, and protect personal data when you use QVault-Assessments.

1. Scope

This policy applies to:

- teacher and student use of QVault-Assessments

- online and offline app modes

- related documentation and support interactions

2. Data We Collect

2.1 Account and identity data

- teacher authentication identifiers (in online mode)

- student name, roll number, and student ID (if configured)

- class tags and session join details

2.2 Assessment and usage data

- quiz attempts, answers, scores, timing data

- adaptive routing metadata and decision trails

- manual grading entries and moderation records

- result-access tokens (secure result retrieval)

2.3 Integrity and security data

- app-switch violation counts

- integrity diagnostics (for configured anti-cheat modes)

- optional geofence checks when enabled by teacher or session policy

2.4 Device and technical data

- basic operational metadata required for app performance and troubleshooting

2.5 Plan, entitlement, and delivery data

- plan tier and entitlement state (for example Free Explorer, Creator Pro Lifetime, workspace tiers)

- live-credit balance and related usage events

- session-start, join, and upload metering events used to operate the live assessment service

2.6 Notifications and interoperability data

- result-release notification payload metadata

- TeachVault class or sync payload data when interoperability features are used

2.7 Teacher-owned storage and provider data

- metadata needed to send or restore backups to teacher-owned destinations such as Google Drive (Android) or iCloud Drive (iOS); the encrypted backup payload itself is uploaded directly from the teacher's device to the teacher's own cloud account, and we do not host or proxy those bytes in the default consumer build

- optional third-party provider configuration when a teacher chooses to connect their own provider account, such as Mathpix or AI APIs

- generated output returned from those optional providers when the teacher actively uses those workflows

Note on backup destinations in the default app:

The default Play Store and App Store builds do NOT upload teacher backups to QVault's own cloud storage. Backups stay on the device or go to the teacher's own Google Drive or iCloud account. A managed institutional build may opt in to a workspace-hosted snapshot path; that variant is shipped under a separate distribution and consent flow.

3. How We Use Data

We use data to:

- provide and operate assessments

- authenticate users and secure sessions

- calculate and publish results

- support adaptive sequencing and analytics

- detect abuse, policy violations, and misuse

- enforce plan entitlements, live-credit usage, and related operational limits

- support teacher-owned backup and export flows and optional suite interoperability

- improve reliability, quality, and feature performance

- comply with legal obligations

We do NOT sell personal data.

4. Legal Bases (where applicable)

Depending on region, we process data based on:

- contract performance (service delivery)

- legitimate interests (security, quality, abuse prevention)

- consent (where required)

- legal obligation (where required)

5. Data Sharing

We may share data with:

- infrastructure and service providers used to run the platform (including Google Firebase / Google Cloud for authentication, database, storage, cloud functions, crash reporting, and performance monitoring)

- authorized institution or admin users (teacher and school workflows)

- teacher-selected third-party providers or teacher-owned destinations when the user explicitly activates those flows

- legal or regulatory authorities when required by law

We do NOT share data for third-party advertising resale.

6. Data Retention

Retention depends on operational needs and configuration.

- Assessment data is retained for as long as the teacher account is active, or until the teacher or institution requests deletion.

- Account identity data is retained for the lifetime of the account, then deleted within 30 days of a verified deletion request.

- Operational logs and security diagnostics are retained for a rolling window not longer than 90 days, except where law requires longer.

To request deletion, see the Account Deletion page at https://drdishantpandya.com/qvault/account-deletion.

7. Security

We use technical and organizational safeguards, including:

- role-based access controls

- secure result token workflows

- configurable integrity checks

- protected handling for optional provider credentials and sensitive configuration data

- transport (TLS) and storage protections provided by platform infrastructure

- crash and performance monitoring (Firebase Crashlytics, Firebase Performance Monitoring) for reliability

No method is absolutely secure; users should follow secure credential practices.

8. Children and Educational Context

QVault is designed for educational use and may be used by minors under institutional or teacher supervision. Institutions and teachers are responsible for lawful authority and parental or guardian permissions where required, including under COPPA (United States), FERPA (United States), GDPR-K (European Union), and equivalent local laws.

QVault is not directed to children under the age of 13 outside an institutional or teacher-supervised context.

9. Cross-Border Processing

If cloud services are used, data may be processed in countries where providers operate (including India, the European Union, and the United States via Google Cloud regions). Controllers and admins are responsible for regional compliance requirements.

Optional teacher-selected providers such as AI APIs, Mathpix, or teacher-owned cloud destinations may also process data under their own regional footprint and terms. Teachers and institutions are responsible for choosing configurations that fit their compliance obligations.

10. User Rights

Depending on jurisdiction, users may request:

- access to personal data

- correction of inaccurate data

- deletion of eligible data

- restriction or objection to certain processing

- data portability (where applicable)

Submit requests through the data controller / institution or by emailing drdishantpandya@gmail.com. We will respond within 30 days, or sooner where required by law.

11. Third-Party Services Used

QVault relies on the following third-party services, which have their own privacy policies:

- Google Firebase (Authentication, Firestore, Storage, Cloud Functions, Crashlytics, Performance, Cloud Messaging) — https://firebase.google.com/support/privacy

- Google Sign-In — https://policies.google.com/privacy

- Google Drive API (only when a teacher chooses Google Drive as a backup destination on Android) — https://policies.google.com/privacy

- Apple iCloud Drive (only when a teacher chooses iCloud as a backup destination on iOS) — https://www.apple.com/legal/privacy/

- Optional teacher-selected providers (for example Mathpix, AI providers) — only used when the teacher explicitly enables them

We do not embed any third-party advertising SDKs or analytics SDKs that profile users for advertising.

12. Changes to this Policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the latest version. Material updates will be communicated in release notes or administrative channels.

13. Contact

For privacy or legal requests:

- Legal and operational owner: Dr. Dishant Pandya

- Support email: drdishantpandya@gmail.com

- Website: https://drdishantpandya.com

- Contact region: Gandhinagar, Gujarat, India

- Account deletion: https://drdishantpandya.com/qvault-assessment-account-deletion

- Terms of Service: https://drdishantpandya.com/qvault-assessments-terms-of-service