Last updated: December 12, 2025
This document maps every technical reality of QuestGen to legal requirements. We disclose data handling patterns that traditional privacy policies miss. Every API endpoint, database field, and third-party integration is accounted for here.
By using QuestGen, you acknowledge that you have read, understood, and agree to be bound by these terms. If you do not agree, do not use our service.
When you sign in with Google OAuth, we collect and store the following in our PostgreSQL database:
When you generate question papers, we store:
Authentication is handled by Google OAuth 2.0. When you sign in, Google shares your profile information (name, email, profile image) according to their privacy policy. We store OAuth tokens in our database to maintain your session. These tokens grant us access to your basic Google profile information only. We do not access your Google Drive, Gmail, or any other Google services.
Question papers and solutions are generated using Google Gemini Flash. When you upload files, they are temporarily uploaded to Gemini's servers for processing. File URIs are stored in memory during generation, then immediately deleted after processing completes. File metadata (name, size, MIME type) persists in our database even after Gemini deletion, as it is needed for paper history and export functionality. The actual file content is never stored in our database.
Gemini processes your uploaded materials according to Google's AI Principles and their API terms of service. Generated content is derived solely from your uploaded materials. We do not train models on your content, but Google may use API interactions for service improvement per their terms.
Vercel Analytics is embedded in our application layout and automatically collects anonymized usage metrics. This includes page views, performance data, and error rates. No personally identifiable information is included in analytics data. This service operates without explicit consent banners as it is considered essential infrastructure.
All data is stored in PostgreSQL databases. Database connection strings are configured via environment variables. Your database provider's privacy policy applies to data storage and backup procedures.
User accounts, papers, solutions, and associated data are retained indefinitely while your account is active. Sessions expire after 7 days of inactivity. Verification tokens expire according to their expiration timestamps. Rate limit records are reset according to their resetAt timestamps.
When you delete your account, Prisma cascade rules automatically delete all associated data: sessions, OAuth accounts, papers, solutions, paper files, paper tags, and user preferences. This deletion is permanent and cannot be undone.
The GenerateFormDraft table intentionally omits a foreign key relationship to User. This architectural decision means draft data may persist if user accounts are deleted through database operations that bypass Prisma's cascade rules. We do not automatically clean up orphaned drafts. Additionally, the PaperTag table exists for future filtering features but is currently unused. Tags may accumulate without active business logic to manage them.
You can delete individual papers and solutions through the application interface. Deletion is immediate and permanent. File metadata associated with deleted papers is also deleted via cascade rules. Any files that were uploaded to Gemini will already have been deleted from Gemini's servers, because that deletion happens immediately after generation completes.
Our API endpoints use console.error() for error logging. Error messages are generic and do not intentionally include personal information. However, error objects may contain stack traces or context that could inadvertently expose user data if logged to external services. We do not currently sanitize error logs before output.
Session tokens are stored in HTTP-only cookies with a 5-minute cache duration. Better Auth handles token generation and validation. OAuth tokens are stored in plaintext in our database (this is standard practice for OAuth token storage). All API endpoints require authentication via session validation.
Rate limiting is enforced at the database level using the RateLimit table. Request counts and timestamps are stored to prevent abuse. Paper generation endpoints are limited to 2 requests per minute. All other endpoints are limited to 100 requests per minute. Rate limit keys may include user identifiers or IP addresses.
You can access all your data through the application interface. Papers, solutions, files, and preferences are visible in your account. To request a complete data export, contact us at the email address provided below.
You can update your user preferences (theme, view mode) at any time. Paper and solution content can be regenerated or deleted. User profile information (name, email, image) is managed through Google OAuth and cannot be modified directly in our system.
You can delete individual papers and solutions at any time. Account deletion triggers cascade deletion of all associated data. Note that orphaned GenerateFormDraft records may persist if deletion occurs outside normal application flows.
You can export papers and solutions as PDF files through the application interface. For machine-readable data exports, contact us.
You can object to processing of your data by deleting your account. Note that Vercel Analytics operates automatically and cannot be disabled without modifying the application code.
We process authentication data, session data, and content data as necessary to provide the QuestGen service. Without this data, we cannot generate papers, maintain your account, or preserve your work.
We process IP addresses and user agent strings for security and rate limiting. We use Vercel Analytics for service improvement. These activities are necessary for service operation and security.
By signing in with Google OAuth, you consent to sharing your Google profile information with QuestGen. By uploading files, you consent to temporary processing by the Google Gemini API. By using the service, you consent to Vercel Analytics collection.
You agree not to use QuestGen to generate content that violates copyright, contains illegal material, or infringes on third-party rights. You are responsible for ensuring uploaded materials are used in compliance with applicable laws and licenses.
Paper generation is limited to 2 papers per minute per user. All API endpoints are limited to 100 requests per minute globally. Exceeding these limits results in HTTP 429 responses with retry-after headers.
QuestGen is provided "as is" without warranties. We do not guarantee uninterrupted service availability. Generation may fail due to third-party API limitations, network issues, or invalid input. We are not liable for lost work or data.
You retain ownership of uploaded materials and generated content. By using QuestGen, you grant us a license to store and process your data as necessary to provide the service. We do not claim ownership of your papers or solutions.
We may update this policy to reflect changes in our data handling practices or legal requirements. Material changes will be communicated through the application interface or via email. The "Last updated" date at the top of this page indicates when changes were last made. Continued use of QuestGen after changes constitutes acceptance of the updated policy.
For questions about this policy, data access requests, or privacy complaints, contact us through the application interface or your preferred communication channel. We will respond to requests within 30 days as required by applicable privacy laws.
If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.