PRIVACY POLICY FOR MCQEXAM.COM

1. Introduction & Legal Basis
Welcome to MCQexam.com, a scientific research platform. We process personal data for archiving purposes in the public interest, scientific/historical research, and statistical purposes under GDPR Article 89(1).
Unlike standard commercial services, our primary purpose is to study automated MCQ generation, benchmark AI systems, and analyze educational data. This legal basis allows us to retain and analyze data longer than typical commercial services, subject to strict safeguards (pseudonymization, access controls).
2. What Data We Collect
We collect the following categories of personal data:
| Category | Specific Data | Source |
|---|---|---|
| Account Data | Name, email address, institutional affiliation (optional), phone number (optional) | Provided during registration |
| Uploaded Educational Content | PDFs, presentations, documents, papers (your “Original Uploads”) | Uploaded by you |
| Generated Data | MCQs, answers, distractors, exam results, question difficulty metrics | Automatically generated by our plugin |
| Student Data | Email addresses (for exam invitations), aggregated exam scores (no names attached to answers unless you choose) | Provided by teacher-contributors |
| Usage & Technical Data | IP address, browser type, access times, pages visited | Automatically collected via cookies/logs |
| HelloSign Data | Electronic signature, signed document copies, timestamp | Via HelloSign API |
3. How We Use Your Data (Purposes)
Under GDPR Art. 89, we process data for:
- Research & Benchmarking: Training/testing AI systems, publishing academic papers with aggregated results.
- Platform Operation: Converting PDFs to MCQs, hosting exams, sending invites, displaying results.
- Dataset Creation: Building a shared research dataset (see Section 4 of our Research Agreement).
- Communication: Sending platform updates, research developments, and (with opt-out) commercial offers.
- Legal Compliance: Responding to lawful requests, enforcing our agreements.
4. Legal Bases for Processing (GDPR Art. 6)
We rely on multiple legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation, file uploads, exam generation | Contract performance (Art. 6(1)(b)) – necessary to provide the service you requested |
| Scientific research, AI benchmarking, dataset sharing | Public interest / scientific research (Art. 6(1)(e) & Art. 89) – as stated in our Research Agreement |
| Sending commercial offers | Legitimate interest (Art. 6(1)(f)) – with opt-out right |
| Student exam invitations | Consent (Art. 6(1)(a)) – obtained from the teacher who holds the relationship with students |
Special Note on Student Data: We process student email addresses and exam results at the direction of teacher-contributors. Teachers are responsible for obtaining any necessary consent from students under applicable law. We act as a processor for student data unless/until a student creates their own account.
5. Data Sharing & Disclosures
We share data only as described below:
5.1 Within the Research Platform
- Other contributors may access versions of your Original Uploads and Generated MCQs strictly within MCQexam.com for non-commercial research (per Section 4.3 of the Research Agreement).
- They may not export, redistribute, or use your content outside MCQexam.com without written permission.
5.2 Service Providers (Processors)
We use third-party processors who sign GDPR-compliant agreements:
- HelloSign (electronic signatures) – Privacy policy: https://www.hellosign.com/privacy
- Cloud Hosting (e.g., AWS)
- Email Services (for invitations and notifications)
5.3 Academic Publication
We may publish aggregated outputs (e.g., “average accuracy of GPT-4 on medical MCQ generation is 78%”) that contain no identifiable personal data. We may credit you by name/institution if we choose, but never against your will.
5.4 Legal Disclosures
We will disclose data if required by law, court order, or to protect our rights.
5.5 No Sale to Third Parties
We never sell your personal data or Original Uploads to third parties for their own marketing or commercial purposes.
6. Safeguards under GDPR Chapter V
We provide appropriate safeguards under GDPR Chapter V:
- EU-US Data Privacy Framework (if certified) or
- Standard Contractual Clauses (SCCs) with additional technical measures (pseudonymization, encryption)
7. Data Retention
We retain different categories of data for different periods:
| Data Category | Retention Period | Legal Basis / Exception |
|---|---|---|
| Original Uploads | As long as you don’t request deletion | Deletion available upon request (30 days) |
| Generated MCQs & Aggregated Outputs | Perpetual in anonymized/pseudonymized form | GDPR Art. 17(3)(d) – scientific research purposes |
| Account Data | Until account deletion + 1 year for legal/administrative purposes | |
| Student Exam Data | As long as you don’t request deletion | Anonymized after 90 days |
| HelloSign Contracts | Indefinitely + offline archiving with SSH-2 verification. | |
| Server Logs (IP addresses) | 90 days | Security & debugging |
Withdrawal Request: You may request deletion of your Original Uploads at any time via privacy@MCQexam.com. We will remove them within 30 days. However, Generated MCQs and aggregated statistics already incorporated into research datasets may be retained permanently in anonymized form (per GDPR Art. 17(3)(d)).
8. Your Rights (GDPR & California)
Depending on your location (EEA, UK, Switzerland, California), you have the following rights:
| Right | Description | Limitations |
|---|---|---|
| Access (Art. 15) | Obtain confirmation of processing and copy of your data | |
| Rectification (Art. 16) | Correct inaccurate personal data | |
| Erasure (Right to be Forgotten) (Art. 17) | Delete your personal data | Exception: We may retain anonymized research data (Art. 17(3)(d)) |
| Restriction (Art. 18) | Limit processing while disputes are resolved | |
| Portability (Art. 20) | Receive your data in machine-readable format | Only for data you provided based on consent/contract |
| Withdraw Consent (Art. 7) | Withdraw any consent given | Does not affect past processing |
To exercise rights: Email privacy@MCQexam.com. We respond within 30 days (GDPR Art. 12). We may need to verify your identity.
For California residents (CCPA/CPRA): You have the right to know what personal data we collect, request deletion (subject to research exceptions), and opt out of “sales” (we do not sell data). We do not discriminate against you for exercising rights.
9. Children’s Data (Under 16)
MCQexam.com is not directed to children under 16 (or under 13 in the US, where state law applies). We do not knowingly collect personal data from children. If you are a teacher inviting students, you confirm that you have obtained any necessary parental consent where required by law. If we discover data from a child under 16 without proper consent, we will delete it immediately.
10. Security Measures
We implement appropriate technical and organizational measures per GDPR Art. 32:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Pseudonymization: Contributor names are replaced with research IDs in analysis datasets
- Access Controls: Strict role-based access to raw uploads
- Regular Testing: Vulnerability scans and penetration testing
However, no system is 100% secure. We cannot guarantee absolute security.
11. Cookies & Tracking
We use essential cookies for authentication, file uploads, and HelloSign integration. We do not use marketing/tracking cookies without consent. For full details, see our separate [Cookie Policy].
12. Changes to This Privacy Policy
We may update this Privacy Policy. Material changes (e.g., new data uses, expanded sharing) will be notified via email (to contributors) and a banner on the website. The “Effective Date” at the top will be updated. Your continued use after 30 days of notification constitutes acceptance.
13. Contact & Data Protection Inquiries

For EU/EEA residents: You have the right to lodge a complaint with your local Supervisory Authority (e.g., ICO in UK, CNIL in France). We ask that you contact us first to resolve any issue.
16. Commercial Activities Statement

- Offering paid subscriptions for premium features (e.g., advanced analytics, larger upload limits, white‑label exams).
- Licensing the MCQexam.com software, plugins, or technology stack to third‑party educational institutions or businesses.
- Providing consulting or custom development services related to automated question generation.
- Running advertising or sponsored content on the platform (subject to your opt‑out rights for data‑driven ads).
Important – Separation of Research and Commercial Tracks:
- Your participation in the research project is voluntary and governed by the Research Participation Agreement (signed via HelloSign). You may opt out of research uses (i.e., request deletion of your Original Uploads from the research dataset) at any time – see Section 12 of that Agreement.
- Commercial activities use only aggregated, anonymized, or pseudonymized data unless you explicitly consent to broader use. If we ever wish to use your personal data or Original Uploads for a purely commercial purpose (e.g., selling your exam questions to a third party), we will ask for your separate, explicit consent.
- Opting out of research does not affect your ability to use the paid commercial services of MCQexam.com, and vice versa. You can be a purely commercial user (no research contribution) or a purely research contributor (no paid commercial features).
We will always provide clear notice and choice before any material change that would transfer your personal data from the research track to a commercial track. If you have questions about whether a specific activity is research or commercial, contact us at privacy@mcqexam.com.
By using MCQexam.com, you acknowledge that you have read and understood this Privacy Policy.
