Privacy Policy
Last updated: February 21st, 2026
Introduction
This privacy policy explains how Qwizy! ("the Service", "we", "us") collects, uses, and protects your personal data when you use our website. We are committed to protecting your privacy and processing your data in compliance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and applicable national legislation.
Data Controller
Data Controller: Julien L***
Email: contact@soleilvermeil.ch
Address: ***, SWITZERLAND
What Data We Collect
We collect and process the minimum amount of data necessary to provide the Service. Specifically:
Account Data
- Username — chosen by you during registration, used to identify your account
- Password — stored only as a secure, irreversible hash (bcrypt); we never store your password in plain text
- Account creation date
- Learning preferences — such as the number of new cards per day
Learning Progress Data
- Your review history for each flashcard (dates, intervals, ratings)
- Spaced repetition parameters (stability, difficulty, review state, due dates)
Education Accounts
This application supports education accounts that are created and managed by the instance administrator on behalf of students. If you are using an education account, the following applies:
- Your account was created by the instance administrator. Your username and initial password were set by them.
- Administrators can view your learning progress — including mastery levels, review history, due dates, and statistics across all enrolled decks.
- Administrators can reset your password, manage your account settings (such as the number of new cards per day), and control which settings you can modify.
- Education accounts may have restricted access to certain features (e.g., browsing public decks) as configured by the administrator.
- Your account may be assigned to one or more student groups. Group membership determines which decks are visible to you.
What We Do Not Collect
We do not use any analytics, tracking, or advertising services. In particular:
- No third-party analytics (Google Analytics, etc.)
- No advertising trackers or pixels
- No social media tracking scripts
- No email address (unless the data controller chooses to add this field)
- No IP address logging beyond standard server access logs
- No text or learning content is sent to third parties — text-to-speech processing is performed entirely in your browser
Purpose and Legal Basis
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Account creation and authentication | Username, password hash | Contract performance (Art. 6(1)(b)) |
| Providing spaced repetition learning | Learning progress, preferences | Contract performance (Art. 6(1)(b)) |
| Maintaining your session | Session cookie (JWT) | Contract performance (Art. 6(1)(b)) |
| Managing education accounts and monitoring student progress | Account data, group membership, learning progress | Legitimate interest (Art. 6(1)(f)) / Contract (Art. 6(1)(b)) |
Client-Side Storage
In addition to the session cookie described below, the application may store the following data locally in your browser. This data never leaves your device and is not sent to our servers.
- TTS engine preference — your choice of text-to-speech engine is saved in your browser's local storage
- AI voice models — if you enable the high-quality voice option (Piper), AI voice models (~15–60 MB each) are downloaded on demand and cached in your browser's Origin Private File System (OPFS). You can clear these cached models at any time from the Settings page
Third-Party Connections
The database that stores all user data is hosted by a third-party provider. This provider acts as a data processor and receives all personal data described in this policy.
Database host: Neon Inc.
Address: 2128 Sand Hill Road, Menlo Park, CA 94025, UNITED STATES
Website: https://neon.com
When the high-quality voice option (Piper) is enabled, your browser downloads AI voice model files directly from the following third-party services. No personal content (such as text you are learning) is sent to these services, but your IP address may be visible to them as part of the download request.
- HuggingFace (huggingface.co) — hosts the voice model files
- jsDelivr (cdn.jsdelivr.net) — hosts the WebAssembly phonemizer runtime
These connections only occur when Piper voices are used for the first time for a given language. Once a model is cached locally, no further third-party requests are made for that language. If you use the "Browser default" voice option, no third-party connections are made.
Cookies
We use a single, strictly necessary cookie to maintain your authenticated session:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| session | Authentication (contains a JSON Web Token with your user ID, username, admin status, and expiration date) | 7 days | Strictly necessary |
This cookie is essential for the Service to function and does not require consent under the ePrivacy Directive (Art. 5(3) of Directive 2002/58/EC). We do not use any non-essential, analytics, or advertising cookies.
Data Storage and Security
- All data is stored in a PostgreSQL database. Depending on the deployment, the database may be hosted on the same server as the application or by a separate database hosting provider
- Passwords are hashed using bcrypt (12 salt rounds) and cannot be recovered
- Session tokens are signed using cryptographic keys and transmitted over HTTPS in production
- Cookies are set with HttpOnly, Secure (in production), and SameSite=Lax flags
Data Sharing and Transfers
We do not share, sell, or transfer your personal data to any third party. Your data is only accessible to the instance administrator(s) who operate the Service. When the database is hosted by a separate provider, your personal data is transmitted between the application server and the database server; in such cases, the database hosting provider acts as a data processor. No data is transferred outside of the European Economic Area (EEA) unless the hosting or database infrastructure is located outside the EEA, in which case the data controller is responsible for ensuring appropriate safeguards (such as Standard Contractual Clauses or an adequacy decision).
Data Retention
Your data is retained for as long as your account exists. When you delete your account, all associated data (account information and learning progress) is permanently removed from the database.
Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15) — You can request a copy of all personal data we hold about you. You can download your data from the Settings page.
- Right to rectification (Art. 16) — You can update your account information from the Settings page.
- Right to erasure (Art. 17) — You can delete your account and all associated data from the Settings page.
- Right to data portability (Art. 20) — You can export your data in a machine-readable format from the Settings page.
- Right to restriction (Art. 18) — You can request that we restrict processing of your data under certain circumstances.
- Right to object (Art. 21) — You can object to the processing of your personal data under certain circumstances.
To exercise any of these rights, you may use the self-service options available in the application or contact the data controller at the email address listed above.
Right to Lodge a Complaint
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. You may contact the supervisory authority in the EU member state of your habitual residence, your place of work, or the place of the alleged infringement.
Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or for legal reasons. The "last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically.