Privacy Policy
Effective date: April 28, 2026
This Privacy Policy describes how QuantegyAI ("QuantegyAI," "we," "us," or "our") collects, uses, discloses, and protects information that we receive when you visit, sign up for, or use our test-preparation services (the "Services"). This Policy applies to information collected through our website, the QuantegyAI application, and related communications.
By creating an account or using the Services, you confirm that you have read this Policy and agree to the practices it describes. If you do not agree, please do not use the Services.
1. Who we are and how to contact us
QuantegyAI is operated by Dr. Mienie de Kock at 118 Harvest Loop, Harker Heights, TX 76548. For privacy-related questions, requests, or complaints, contact us at support@quantegyai.com or by phone at 903-705-9703 (Mon–Fri, 9am–6pm CT).
2. Categories of information we collect
We collect information in three broad categories: information you give us, information we collect automatically when you use the Services, and information we receive from institutional partners when you participate in a cohort.
2.1 Information you provide
- Account information: your email address, a password (stored only as a salted bcrypt hash; we never see or store your plaintext password), the display name you choose, and an attestation timestamp confirming that you are eighteen years of age or older or are signing up under institutional sponsorship.
- If you are a teacher, the redemption record of your single-use teacher-invite code.
- If you join a cohort, the cohort invite code you redeemed and the resulting cohort membership.
- If you choose to upgrade to a paid tier, billing information you provide to our payment processor (see Section 5).
- If you contact us by email or via support channels, the content of your message and any information you choose to share.
2.2 Information we collect automatically
- Learning interactions: the items you are administered, your responses, the time you take to respond, the skill and competency tags associated with each item, the calculated probability that you would have answered correctly under our Item Response Theory model, and per-skill mastery estimates produced by our Bayesian Knowledge Tracing engine. This information is the substantive content of the Services and is necessary for the adaptive coaching to function.
- Session and authentication metadata: a signed session cookie (with no third-party tracking purpose), session start and end timestamps, the IP address from which you accessed the Services, and the browser user-agent string. We use this information to authenticate you, to enforce session-expiry rules, and to defend against credential-stuffing and other automated abuse.
- Audit events: timestamped records of sensitive actions including login successes and failures, account lockouts, signups, teacher-invite creation and redemption, cohort creation, viewing of student detail by a teacher, profile export, profile deletion, and tier changes. Audit records carry the actor, the target (if any), the source IP, and a request correlation ID. They support security investigations, institutional access reviews, and the access and erasure obligations described in Section 8.
- Server-side performance and error telemetry: structured JSON logs with per-request correlation identifiers, and (when configured) reports to an error-monitoring vendor.
We do not use behavioural advertising cookies, third-party analytics scripts, or cross-site tracking pixels.
2.3 Information from institutional partners
If you join a cohort created by a teacher, the teacher's institution may provide us with information necessary to establish your cohort membership. The categories and uses of that information are governed by the data-processing addendum negotiated with the institution; the categories typically include the cohort roster, optional internal student identifiers, and (where the institution requests it) limited demographic information for institutional reporting.
3. How we use information
We use information collected through the Services for the following purposes:
- To deliver the adaptive learning experience: present items, estimate ability and per-skill mastery, schedule spaced review, generate readiness assessments, and produce student-facing dashboards.
- To deliver teacher-facing tools: cohort rosters, drill-down on individual student progress (within a teacher's own cohorts), the audit-log view scoped to that teacher's reach, content-governance dashboards, and CSV roster exports.
- To authenticate users, enforce rate limits, and defend against credential-stuffing, signup flooding, and other automated abuse.
- To send transactional communications: account verification, password reset, billing notices (when applicable), and security or service-availability notices.
- To improve item quality: aggregate exposure rates, classical test-theory difficulty (p-values), and discrimination (point-biserial correlations) inform item retirement and editorial review.
- To comply with legal obligations and to protect the rights, property, and safety of QuantegyAI, our users, and others.
We do not sell your information. We do not use your responses to train models for any party other than QuantegyAI itself, and only in the service of improving the adaptive engine and content.
4. Legal bases (for users in jurisdictions where required)
Where the General Data Protection Regulation, the United Kingdom GDPR, or a similar regime applies, we rely on the following legal bases: performance of a contract with you (delivering the Services you signed up for); our legitimate interests in operating, securing, and improving the Services; and your consent (for any optional processing where consent is the relevant basis).
5. Payment information
Paid tiers (Self-Study at $29 per month and Pass-Sprint at $99 per sprint) are processed through Stripe, Inc. We do not see, store, or transmit your full payment card number, your card verification value, or any other element of your payment card data. We retain only the processor's customer and subscription identifiers needed to apply your entitlements and process refunds.
6. How we share information
We share information only as described in this Section. We do not sell information.
- Service providers ("subprocessors"): we use a small set of vendors to host the Services, send transactional email, process payments, and (optionally) collect error telemetry. The current list of subprocessors is published at /legal/subprocessors.html and is updated when material changes occur. Each subprocessor is bound by a written agreement that requires the protection of information at a level no less stringent than this Policy.
- Institutional partners: if you participate in a cohort, your cohort progress is visible to the teachers within that cohort's institution to the extent described in the data-processing addendum signed by that institution. We do not share your information with other institutions.
- Legal and safety: we may disclose information when required by law, when responding to validly served legal process, or when we have a good-faith belief that disclosure is necessary to protect the rights, property, or safety of QuantegyAI, our users, or others.
- Business transactions: if QuantegyAI is involved in a merger, acquisition, financing, reorganisation, or sale of assets, information may be transferred as part of that transaction. The receiving party will be bound by a privacy notice no less protective than this one.
7. How long we keep information
We retain account information and learning records for as long as your account is active. If you delete your account (see Section 8), the email, display name, and password hash on your account row are scrubbed and the row is marked deleted; your responses, mastery estimates, and audit records are retained in de-identified form to support content-governance statistics and to satisfy institutional record-retention obligations consistent with the Family Educational Rights and Privacy Act and Texas state record-retention requirements.
8. Your rights
Every authenticated user has the following rights, exercisable directly within the Services:
- Access. You can download a JSON file containing your complete record, including your profile, subscription, sessions, responses, per-skill mastery estimates, and the audit events you are the actor of, by visiting your profile settings and clicking "Download my data." This export is rate-limited to one per hour per user, is scoped strictly to your account, and is itself audited.
- Erasure. You can soft-delete your account from your profile settings. Soft deletion scrubs your email, display name, and password hash, sets a deleted_at timestamp on the row, invalidates your current session, and bounces any other live sessions on your next request. Deleted accounts cannot sign back in.
- Rectification. You can update your display name and email address via your profile settings. To correct other categories of information, contact us at the privacy contact email above.
- Additional regime-specific rights. If you are a resident of California, the European Economic Area, the United Kingdom, or another jurisdiction with a comprehensive privacy law, you may have additional rights including the right to restrict processing, the right to object, and the right to data portability. You can exercise these rights by contacting us at support@quantegyai.com; we will respond within the period required by applicable law.
9. Security
We protect information in transit and at rest using industry-standard practices, including transport-layer security with HTTP Strict Transport Security in production deployments; nonce-based Content Security Policy that prohibits inline scripts and inline styles; cross-site request forgery protection on every state-changing form; per-IP rate limits and per-email login lockout; bcrypt-hashed passwords with constant-time comparison; X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy headers; trusted-host enforcement against host-header injection; and append-only audit records of sensitive actions. No system can be made fully secure, but we work to keep our security posture aligned with current best practice.
10. Breach notification
In the event of a data breach that affects your personal information, we will notify affected users by email within seventy-two hours of confirming the incident, consistent with applicable law.
11. Children
The Services are intended for users who are at least eighteen years of age, or who are signing up under institutional sponsorship for an educator-preparation or related programme. We require an explicit attestation at signup. We do not knowingly collect personal information from children under thirteen years of age. If we learn that we have collected information from a child under thirteen, we will delete that information and terminate the associated account. Parents or guardians who believe a child under thirteen has submitted information can contact us at support@quantegyai.com.
12. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice within the Services at least fourteen days before the change takes effect. Continued use of the Services after the effective date of an updated Policy constitutes your acceptance of the updated terms.
13. Contact
Questions, requests, or complaints regarding this Policy or our handling of your information should be directed to:
- Email: support@quantegyai.com
- Phone: 903-705-9703 (Mon–Fri, 9am–6pm CT)
- Web: quantegyai.com/contact.html
- Mail: 118 Harvest Loop, Harker Heights, TX 76548