Privacy Policy

The data controller responsible for your personal data is:

• Platform: mcchimp.com
• Contact: multiplechoicechimp@gmail.com
• Supervisory Authority: Depending on where you are located within the EU, your lead supervisory authority may be the Autoriteit Persoonsgegevens (Netherlands) or the Gegevensbeschermingsautoriteit (Belgium).

We only collect data that is necessary to provide or improve the service. We do not collect your full name, address, phone number, or government-issued ID.

Account data

• Email address — used for login and account recovery
• Password (hashed) — stored as a bcrypt hash; we never see or store your plaintext password
• Display name / username — an alias you choose; this is not your real name
• Account creation date

Game & progress data

• Sport selection, game mode, win/loss/draw records
• Career progress, rankings, and session scores
• Question banks you create or upload

Usage & technical data (if analytics consent given)

• Pages visited, session duration, features used
• Browser type and approximate country (not precise location)
• Crash and error reports (personal identifiers stripped before logging)

Data you submit for AI generation (optional feature)

• Text you paste or upload (e.g. notes, book excerpts) to generate quiz questions
• This content is sent to Anthropic's API for processing and is not stored on our servers beyond the active session unless you explicitly save the output

• Provide the service: Authenticate your account, save game progress, and store question banks
• Improve the platform: Understand how features are used to fix bugs and prioritise development (only with analytics consent)
• Communicate with you: Send account-related emails (password reset, security notices) — never marketing without separate opt-in
• Ensure security: Detect abuse, prevent fraud, enforce our terms of service
• AI question generation: Pass your submitted text to our AI provider solely to return generated questions to you

We do not sell your data to third parties, use it for advertising, or share it with data brokers.

Under GDPR Article 6, every category of data we process must have a lawful basis. The table below maps each data type to its basis:

When you delete your account, all associated personal data is permanently removed from our systems within 30 days. Some anonymised aggregate data (e.g. total platform question counts) may be retained as it cannot be linked back to you.

We do not sell or trade your personal data. We share data with the following third-party processors under data processing agreements:

Supabase (database & authentication)

• Hosts our database and manages authentication
• Data is stored in Frankfurt, Germany (EU) — never transferred outside the EEA
• Privacy policy: supabase.com/privacy

Vercel (hosting & infrastructure)

• Hosts the mcchimp.com web application
• Server-side processing of personal data is configured to run in EU regions
• Privacy policy: vercel.com/legal/privacy-policy

Anthropic (AI question generation — optional feature)

• Receives text content you submit when using the AI question generation feature
• Content is processed solely to return generated questions; it is not used to train Anthropic's models under our API agreement
• Privacy policy: anthropic.com/legal/privacy

We use two categories of cookies:

Strictly necessary (no consent required)

• sb-auth-token — Supabase session cookie; keeps you logged in. Duration: session / up to 7 days. Essential for the service to function.

Analytics (opt-in only)

• Only set after you click "Accept" on our cookie banner. You can withdraw consent at any time from the footer cookie settings link.
• Analytics data is anonymised where possible and never combined with your account identity.

We do not use advertising, tracking, or third-party marketing cookies. You can manage all cookie preferences via the cookie settings link in the site footer.

Under GDPR, you have the following rights regarding your personal data. You can exercise most of them directly from your account settings, or by emailing multiplechoicechimp@gmail.com.

How to exercise your rights

• Account deletion & data export — available directly in Account Settings without contacting us
• Withdraw analytics consent — click "Cookie Settings" in the site footer at any time
• All other requests — email multiplechoicechimp@gmail.com with the subject line "Data Rights Request"

We will respond to all rights requests within 30 days. If your request is complex or there are multiple requests, we may extend this by a further 60 days and will notify you in advance. We will not charge a fee for reasonable requests. We may ask you to verify your identity before acting on a request to protect your account.

You also have the right to lodge a complaint with your national data protection authority at any time, without first contacting us — though we would always appreciate the opportunity to resolve concerns directly.

mcchimp.com offers an optional feature allowing you to submit text (such as notes or reading material) to generate custom quiz questions using Anthropic's Claude AI.

• What is sent: The text content you submit to the generation tool
• Where it goes: Anthropic's API, processed in their infrastructure
• What we store: Only the generated questions (output), not your submitted text (input)
• Model training: Under our API agreement with Anthropic, submitted content is not used to train their models
• Your choice: This feature is entirely optional. You can use mcchimp.com without ever submitting content to the AI tool

We take the security of your data seriously. Our technical measures include:

• Encryption in transit: All data is transmitted over HTTPS/TLS
• Encryption at rest: Database storage encrypted by Supabase
• Password hashing: Passwords stored using bcrypt — we never store or see your plaintext password
• Row-level security: Database-level access controls ensure your data can only be accessed by your authenticated session
• EU data storage: All personal data stored in Frankfurt, Germany

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay.

mcchimp.com is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has created an account, please contact us at multiplechoicechimp@gmail.com and we will delete the account and associated data promptly.

If you are between 13 and 16, please ask a parent or guardian to review this policy and create an account on your behalf.

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you, as described under Article 22 of the GDPR.

Game outcomes on mcchimp.com are determined by your quiz answers and are part of the core product experience — they are not decisions about you as a person and carry no legal, financial, or significant practical consequence outside the platform.

If we ever introduce automated decision-making that does produce significant effects, we will update this policy, notify affected users, and provide a mechanism to request human review of any such decision.

We have assessed our processing activities against the criteria set out in Article 37 of the GDPR. As mcchimp.com does not carry out large-scale systematic monitoring of individuals, does not process special category data on a large scale, and is not a public authority, we are not currently required to appoint a Data Protection Officer.

We keep this assessment under review as the platform grows. All data protection enquiries are handled directly by the team at multiplechoicechimp@gmail.com.

If mcchimp.com is involved in a merger, acquisition, asset sale, or similar transaction, your personal data may be transferred to the successor entity as part of that transaction. In such circumstances:

• We will notify you by email and via a prominent notice on the platform before your data is transferred and becomes subject to a different privacy policy
• The successor entity will be required to honour the commitments made in this policy or obtain fresh consent from you for any materially different processing
• You will retain all rights described in Section 08, including the right to request deletion of your data prior to any transfer

We may update this Privacy Policy from time to time. When we do:

• The "Effective" date at the top of this page will be updated
• For material changes, we will notify registered users by email and display a notice on the platform
• Continued use of mcchimp.com after the effective date constitutes acceptance of the updated policy

We encourage you to review this page periodically. Previous versions are available on request.

For any questions, requests, or complaints relating to this Privacy Policy or how we handle your personal data:

You also have the right to lodge a complaint directly with your national data protection authority:

• Netherlands: autoriteitpersoonsgegevens.nl
• Belgium: gegevensbeschermingsautoriteit.be
• EU-wide directory: edpb.europa.eu