Privacy Policy — QuizAI Student (Mobile)
Effective Date: 27 April 2026 Last Updated: 4 May 2026
This notice describes how the QuizAI Student Android app
(net.accessph.quizaistudent) handles personal information. It
supplements the platform-wide
Privacy Policy, which governs all
QuizAI services.
1. Who is responsible
ACCESS Software Solutions ("ACCESS", "we") — DTI Business Name Registration No. 3377044, San Luis, Baguio City 2600, Philippines.
Email: info@accessph.net.
ACCESS is the data controller for personal data processed through the QuizAI Student app, in coordination with your school (the "Institution") that provisioned your account.
2. What we collect
2.1 From your account
- Name and school-issued student ID and email address (email is the canonical login identifier).
- Google profile picture and
google_sub(only if you sign in with Google). - Bcrypt-hashed password — only when local-password fallback is enabled by your administrator.
2.2 From your use of the app
- Quizzes you join, the reference codes you've typed or scanned, and the time at which you started/finished each attempt.
- Your answers, the time you spent on each question, and whether you completed or terminated the attempt.
- Session-integrity events relevant to live quizzes (e.g. focus loss during proctored sessions). These are reported to the teacher whose quiz you are taking.
- Anonymized crash diagnostics if the app crashes.
2.3 Device data
- Device model, OS version, app version.
- Network IP address (used by the backend for rate limiting / audit).
- A stable, randomly-generated device identifier (UUID v4) that is created on first app launch and persists across logouts and reinstalls as long as the Android Keystore data is not wiped. This identifier is used solely for single-device-per-account enforcement (see §7) and is never shared with advertisers.
2.4 What we do not collect
- We do not access your device camera. The scan-to-join feature uses your phone's own camera app to read the QR code; the app itself never requests camera permission.
- We do not collect biometric templates. Fingerprint and Face unlock are handled by the Android Keystore; only a yes/no signal is returned to the app.
- We do not collect precise location.
- We do not read your contacts, microphone, SMS, or call logs.
- We do not use advertising IDs or run ad trackers.
- We do not use your answers or any other content for AI training.
3. Why we use it
| Purpose | Examples |
|---|---|
| Provide the app's features | Sign-in, render the quiz player, submit your answers |
| Maintain academic integrity | Server-side timer enforcement, security-event reporting |
| Score your work and return results | Compute scores, deliver per-question feedback |
| Enforce single-device-per-account policy | Device UUID used to revoke displaced sessions |
| Diagnose and fix issues | Anonymized crash reports |
We do not sell personal data, and we do not use your content for any non-educational purpose.
4. Permissions used by the app
| Permission | Why |
|---|---|
INTERNET |
Make HTTPS API calls to the QuizAI backend. |
USE_BIOMETRIC / USE_FINGERPRINT |
Optional biometric session unlock. The OS handles auth and only returns a success signal. |
The app does not request camera, location, microphone, contacts, or storage permissions. You can revoke biometric access at any time in Android Settings → Apps → QuizAI Student → Permissions.
5. Sharing & disclosure
We share data only with:
- Your teacher and Institution — your teacher sees your answers, score, completion time, and any security-integrity events recorded during a live quiz. Your school's authorized administrators may also access this data for record-keeping and pedagogical purposes.
- Service providers under data-processing agreements:
- Google Sign-In — for OIDC authentication if you choose this option.
- Google Firebase Crashlytics — for anonymized crash reports.
- Authorities, when legally required — pursuant to a valid subpoena, court order, or directive from the National Privacy Commission.
We never share your data with advertisers and never with parties outside the educational chain described above.
6. Data storage on the device
- Bearer API key — stored in
FlutterSecureStorage(Android Keystore-backed). Cleared on logout or when the key is revoked by the server (e.g. because you signed in on another device). - Stable device UUID — stored in
FlutterSecureStorage. This identifier is intentionally not cleared on logout; it is tied to the physical install, not the account. - Last-used reference code — cached so the join screen pre-fills the field. Cleared on logout.
- Theme preference.
The app does not cache your answers locally. Submitted answers travel directly to the backend; if the network drops mid-quiz, you may need to re-submit. Heartbeats are sent every 30 s while a quiz is in progress so the teacher's console can show you as live.
Data in transit is encrypted with TLS 1.2+.
7. Single-device-per-account enforcement
QuizAI allows one active mobile session at a time per student account. When you sign in on a new device, the server immediately revokes all prior active sessions for your account. The displaced device will see a "You've been signed out — your account is in use on another device" banner the next time it contacts the server. No push notification is sent to the displaced device.
The device UUID (§2.3) is used to identify which session to keep and which to revoke. It is never used for any other purpose.
8. Cross-device quiz behavior
You may take a live quiz from this app and the QuizAI web app at the same time (e.g. join from mobile, then switch to a laptop). To protect the integrity of your assessment:
- We treat both devices as the same session keyed on
(quiz_id, student_id). - The first answer for each question is final. A second submission from the other device is rejected as locked, and the player there surfaces a banner explaining this.
This behaviour is required to prevent retroactive answer changes and applies regardless of which device pushed the answer first.
9. Retention & Account Deletion
The mobile app caches a small working set of data for offline resilience; the authoritative copy lives on the QuizAI web backend and follows the retention schedule in the platform Privacy Policy.
The cached copy on your device is cleared:
- on logout;
- on uninstall;
- when you tap Clear data in Android settings.
The stable device UUID (§2.3) persists through logout but is cleared on uninstall or Clear data.
When a Student account is deleted, we apply an anonymizing soft delete: identifying fields (name, email, password, Google identifier) are replaced with non-reversible random values, the account is deactivated, and the student is removed from every class roster. The submitted answers and the wrapping quiz sessions are retained — without identifying information — so the Institution's grade records and item-analysis statistics for past assessments stay intact. See the platform Privacy Policy for the full mechanics.
10. Your rights
You may exercise the rights granted by the Philippine Data Privacy Act (R.A. 10173) — including access, rectification, erasure, and lodging a complaint with the National Privacy Commission — by contacting info@accessph.net or your school's QuizAI administrator. See the platform Privacy Policy for the full list.
11. Children's privacy
Student accounts are provisioned by Institutions whose users may include minors. Student users must be at least 13 years old. By provisioning a student under the age of majority, the Institution warrants that it has obtained any consent required from parents or legal guardians under applicable law and its own policies. Parents or guardians who have questions about their child's account should contact the school directly; we will assist on the school's request.
12. Changes
We will update the "Last Updated" date and, where the change is material, notify users via the app or by email. Continued use after the effective date constitutes acceptance.
13. Contact
ACCESS Software Solutions San Luis, Baguio City 2600, Philippines info@accessph.net · https://accessph.net