TrivAI Privacy Policy
Last updated: 2026-04-30
Effective date: 2026-04-30
1. Who we are
TrivAI ("we", "our", "the app") is operated by _NEEDS_VALUE_, based in Portugal (per the Terms of Service section 12). You can contact us at trivaiapp@proton.me for any privacy-related question.
2. What this policy covers
This policy explains what information the TrivAI mobile and web app, and the TrivAI backend service, collect; why we collect it; how it is stored; and what choices you have about it. It applies to anyone who installs, opens, or uses TrivAI.
3. Information we collect
3.1 Information you provide directly
- Email address and password — only if you choose to register a permanent account. Anonymous play is supported and never requires an email.
- Player names — the names you give to player profiles inside the app.
3.2 Information collected automatically
When you use TrivAI, the backend records:
- A randomly generated account identifier (UUID).
- A randomly generated device identifier (UUID) used to associate the app installation with your account. On web, this is stored in your browser's local storage.
- Device type (mobile / desktop / tablet), operating system name and version, app version, and device model name (for example, "iPhone 13"). We use this to debug issues and to inform compatibility decisions. We do not collect IMEI, MAC address, or any other persistent hardware identifier.
- IP address, automatically logged by the server for the duration of each request as part of standard web-server access logs. Logs are retained for 30 days and are not used to build a profile of you.
3.3 Information generated by gameplay
- Quiz topics, languages, and questions generated for you, the answers you submitted, the time you took, and the score you earned.
- Game history linked to the player profile that played each game.
3.4 Information related to purchases
If you make an in-app purchase, we receive from Apple:
- The transaction identifier Apple issued for the purchase.
- The product identifier of the tier you purchased.
- A signed receipt (JWS) which we verify with Apple's App Store Server API.
We do not receive your name, billing address, or payment-card details from Apple. Those stay with Apple.
4. Why we collect it
| Purpose | Data used | Legal basis (GDPR, where applicable) |
|---|---|---|
| Provide the core game (generate quizzes, track scores) | Account ID, player name, gameplay data | Performance of contract |
| Authenticate you and keep you logged in | Email (registered users), account ID, device ID | Performance of contract |
| Enforce daily credit limits and tier benefits | Account ID, purchase records | Performance of contract |
| Debug and improve the app | Device type, OS, app version, server logs | Legitimate interest |
| Process in-app purchases | Apple transaction ID, product ID, receipt | Performance of contract |
| Comply with App Store policies | Purchase records | Legal obligation |
5. Who sees your information
We do not sell, rent, or share personal data with advertisers, data brokers, or any third party for their own marketing.
The following third parties process data on our behalf, only to the extent necessary to operate the service:
- Apple, Inc. — for purchase processing and receipt verification.
- LLM providers (currently Groq, Mistral, OpenAI) — receive the topic and language you choose for each game in order to generate trivia questions. They do not receive your account ID, email, name, or any identifier that links the request back to you. The request is unauthenticated from the LLM's perspective.
- Mistral AI — receives the topics you submit so its content-moderation API can flag inappropriate prompts before they are sent to the question-generating LLM (per Terms of Service section 4.3).
- Hosting provider (OVH Groupe SAS, in the European Union) — operates the server that runs the TrivAI backend. They have access to disk and memory of that server but do not access application data in the normal course of operation.
We will disclose data if compelled by valid legal process. We will resist overbroad requests where lawfully possible.
6. Where data is stored
The TrivAI backend and database run on an OVHcloud-operated server inside the European Union, consistent with the Terms of Service section 8.2 commitment that we use "GDPR-compliant European cloud servers". The exact data-centre location is _NEEDS_VALUE_. Anonymous play data and registered-account data are stored in the same PostgreSQL database. Daily off-site backups are encrypted in transit and at rest. Backups are retained for 30 days.
If you are in the United Kingdom or another non-EU jurisdiction with cross-border data-transfer rules, the legal basis for transferring your data to the EU is the UK adequacy regulations (for UK residents) or Standard Contractual Clauses for other jurisdictions.
7. How long we keep it
| Data | Retention |
|---|---|
| Anonymous account (no email) | Until the account is unused for 180 days, then deleted automatically. |
| Registered account | Until you delete it, or until the account is unused for 730 days. |
| Game history | Same lifetime as the player profile that played the game. |
| Purchase transactions | 7 years, to comply with tax and consumer-protection law. |
| Server logs | 30 days. |
8. Your rights
Depending on where you live, you have some or all of these rights:
- Access — ask what data we have about you.
- Correction — ask us to fix inaccurate data.
- Deletion — ask us to delete your account and all associated data. The app provides a one-tap "Delete account" button in Settings; this deletes the account, its players, and its game history, and removes you from all backup tapes within 30 days as backups roll over.
- Portability — ask for an export of your data in a machine-readable format.
- Objection / restriction — ask us to stop or limit certain processing.
- Withdraw consent — where processing is based on consent.
- Lodge a complaint — with your local data-protection authority. In Portugal, that is the Comissão Nacional de Proteção de Dados (CNPD) at https://www.cnpd.pt/. EU residents can also contact their own national authority — full list at edpb.europa.eu.
To exercise any of these rights, email trivaiapp@proton.me. We will respond within 30 days.
9. Children's privacy
In line with the Terms of Service section 2.1, TrivAI is intended for users of all ages, but users under 13 must use it with parental consent and supervision, and users aged 13–16 in the European Union require parental consent before using the App. We do not knowingly collect personal information from children under 13 without parental consent. If you believe a child has created a registered account without parental consent, contact us at trivaiapp@proton.me and we will delete it.
10. Tracking, advertising, and analytics
TrivAI does not use:
- Third-party advertising SDKs.
- Cross-app tracking or the iOS Advertising Identifier (IDFA).
- Third-party analytics SDKs that build user profiles (no Firebase Analytics, no Amplitude, no Mixpanel, no Segment, no PostHog).
The Terms of Service section 8.1 mentions "analytics data for app performance and error tracking". This refers to first-party server-side telemetry only: the TrivAI backend records request paths, response codes, response times, and error messages in its own logs in order to operate and debug the service. This data is processed exclusively on our own servers, never sold or shared with advertisers or data brokers, and is not linked to a third-party identifier.
The only persistent identifiers we use are the random account ID and device ID described in section 3.2.
11. Security
- Passwords are hashed with bcrypt. We never see them in plaintext.
- All connections between the app and the backend use HTTPS (TLS 1.2 or higher).
- Auth tokens are short-lived JWTs (30-minute access tokens, 30-day refresh tokens with rotation on use).
- The server is hardened: SSH key-only access, a firewall that restricts inbound traffic to ports 80/443/22, and automatic OS security updates.
No system is perfectly secure. If you discover a vulnerability, please report it privately to trivaiapp@proton.me and we will treat it confidentially.
12. Changes to this policy
We may update this policy as the app evolves. Material changes will be announced in the app and the "Last updated" date at the top of this document will be revised. Continued use of TrivAI after a change indicates acceptance of the new policy.
13. Contact
trivaiapp@proton.me