QuizMyBrainz Portal
Privacy Policy
Who We Are
QuizMyBrainz Portal ("the Portal," "the Service") is operated by mar&mar ideas products & more, LLC ("we," "us," or "our"), a company based in Texas, United States, that builds multilingual educational activities for children in PreK through 6th grade (roughly ages 4–12).
For all privacy matters, the operator and the entity responsible for the information described in this policy (the "data controller" for purposes of EU law) is:
mar&mar ideas products & more, LLC
Attn: Privacy
9133 Silver Dollar Dr.
Fort Worth, TX 76131
Privacy contact: privacy@quizmybrainz.com
Principal contact: Mario Oscar Pureco-Razo — oscarpureco@quizmybrainz.com
What This Policy Covers
This policy applies to the QuizMyBrainz consumer activity portal at quizmybrainz.com/qmbportal/quizzes/ and every activity page within it.
It does not apply to:
- Third-party websites we may link to (their policies govern them);
-
The QuizMyBrainz marketing website at
quizmybrainz.com; or - Any separate partner or institutional platform.
Our Core Commitments
These are not aspirations. They are constraints we have built into how the Portal actually works:
We do not sell or share your personal information for money or for cross-context behavioral advertising.
We do not advertise to children. There are no ad networks, ad SDKs, or tracking pixels anywhere in the Portal.
We do not use children's activity to train artificial intelligence or machine-learning systems. Children's interactions are never transmitted to, used by, or retained for any such system. This is a permanent design rule.
We collect the least information possible to make an activity work, and we keep it for the shortest time that is useful.
There are no accounts, logins, or profiles. Nothing follows a child from one visit to the next beyond two optional preference cookies.
The Information the Portal Handles
4.1 Information a Child or Parent Enters
| Data | Why | How Collected | Where It Lives | How Long |
|---|---|---|---|---|
| First name or nickname | To greet the child by name during an activity | Typed into the name prompt (optional — a child can play without it) | Temporary server session only | Until the browser tab/session closes |
| Grade level (K–6) | To show activities at the right level | Selected in the grade chooser | Session + optional preference cookie | Session, or up to 30 days if the cookie is kept |
| Language (EN/ES/FR/DE) | To show the Portal in the chosen language | Selected in the language chooser | Session + optional preference cookie | Session, or up to 30 days if the cookie is kept |
We do not ask for, and the Portal is not built to collect, any of the following from a child:
- Last names
- Email addresses, phone numbers, or postal addresses
- Photographs, audio, video, or any image of the child
- Precise geolocation
- Persistent device identifiers or advertising IDs
- Biometric identifiers (fingerprints, face scans, voice scans)
- Government-issued identifiers
- Social-media handles or logins
The last two categories (biometric and government identifiers) are listed expressly because the amended COPPA Rule now treats them as "personal information." The Portal collects neither.
4.2 Information Collected Automatically
Like virtually every website, our hosting server automatically records basic technical information in its access logs when any page is requested. We also run our own first-party analytics — described below — to understand how the Portal is used and which activities families choose. No third-party analytics service is involved.
| Data | Source | Why We Have It |
|---|---|---|
| IP address | Server log | Security, abuse prevention, approximate region (country/city level) |
| Browser type and version | Server log | To serve a page that works on the visitor's device |
| Operating system | Server log | Technical compatibility |
| Referring page | Server log | To understand, in aggregate, how people reach us |
| Date and time of the request | Server log | Security and troubleshooting |
| Page visited, language selected | First-party analytics | To count visits and understand which languages our families use |
| Time spent on page (seconds) | First-party analytics | To understand engagement and improve activity design |
| Activity clicked, grade filter, language filter active at click time | First-party analytics | To understand which activities families choose at each grade level |
Server logs and first-party analytics data are not tied to a child's name or to any profile. We do not combine them with the Section 4.1 information to identify or track an individual child. The analytics system uses a one-way daily fingerprint (hashed IP + browser + date) solely to distinguish visits within a single day — it cannot identify a person across days or sessions. All data is deleted on a rolling 90-day cycle (see Section 9).
4.3 Cookies — and Why There Is No Tracking Cookie
The Portal uses three cookies, and only these three. All are first-party (set by us, readable only by us) and none track you across other websites:
| Cookie name | Type | Purpose | Lifetime | HttpOnly |
|---|---|---|---|---|
PHPSESSID |
Strictly necessary | Keeps your visit secure (CSRF protection). Without this the site cannot function safely. | Deleted when the browser closes | Yes |
user_language |
Functional / preference | Remembers the language you chose so you do not have to re-select it | Up to 365 days | Yes |
cookie_consent |
Functional / consent record | Records whether you accepted or rejected preference cookies | 365 days | No |
We do not use advertising cookies, cross-site tracking pixels, third-party analytics services, "fingerprinting," or behavioral-profiling cookies. There are no third-party cookies. Our analytics are first-party only — data stays on our server and is never shared with or sold to any external service.
You can refuse or delete cookies in your browser at any time. The Portal will still work; it simply will not remember your language between visits.
For visitors in the EU/EEA and UK: The PHPSESSID session cookie is strictly necessary and exempt from prior consent under the ePrivacy rules. The user_language cookie is set only in direct response to your own choice and stores nothing but that preference — we treat it as functional. We do not set any cookie that requires opt-in advertising consent.
Why We Are Allowed to Process This Information (Legal Bases)
For visitors in the EU/EEA and UK, the General Data Protection Regulation (GDPR) requires us to identify a lawful basis for each processing activity:
| Processing Activity | GDPR Lawful Basis (Art. 6) |
|---|---|
| Running the activity in the chosen name, grade, and language during a session | Performance of the service the user requested (Art. 6(1)(b)), with parental involvement for children (see Section 7) |
| Keeping the session secure (session cookie, CSRF protection) | Legitimate interests in operating a secure service (Art. 6(1)(f)) |
| Remembering language in a preference cookie | The user's own request (functional), supported where required by consent (Art. 6(1)(a)) withdrawable by clearing the cookie |
| Short-lived server security logs | Legitimate interests in security and abuse prevention (Art. 6(1)(f)) |
| First-party analytics (page visits, duration, activity clicks — no cookies, no third parties) | Legitimate interests in understanding and improving the service (Art. 6(1)(f)) — data is aggregate, non-identifying, and deleted after 90 days |
| Meeting legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not rely on any basis that would let us profile children or make automated decisions about them. We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on any user (GDPR Art. 22).
How We Use, and Do Not Use, Information
We use the limited information above only to:
- Run and personalize the educational activity the visitor asked for;
- Show content at the right grade level and in the right language;
- Keep the session and the site secure;
- Understand, in aggregate only, how the Portal is used so we can improve it;
- Meet our legal obligations.
We do not use information to:
- Show advertising of any kind;
- Build a behavioral profile of any individual;
- Train, fine-tune, test, or evaluate any artificial-intelligence or machine-learning system;
- Make automated decisions that affect a child; or
- Contact a child directly.
Children's Privacy — United States (COPPA)
The Portal is directed to children, and we treat all users as if they may be children under 13. We comply with the Children's Online Privacy Protection Act and the amended COPPA Rule (16 C.F.R. Part 312).
7.1 What We Collect From Children, and the "Internal Operations" Limit
The only information a child enters is a first name or nickname and a grade level, used solely to run the activity in front of them during that visit. Under COPPA, collecting and using personal information strictly to support the internal operation of a child-directed service — and not for any other purpose — is permitted, provided we do not use it to contact the child or for behavioral advertising. We rely on that principle for the in-session use of a nickname and grade, and we use the information for nothing else.
7.2 We Do Not Disclose Children's Information to Third Parties
We do not disclose children's personal information to third parties for any purpose that is not integral to running the Portal. Because we make no such disclosures, we do not seek the separate parental consent the amended COPPA Rule requires for such disclosures. If that ever changes, we will obtain that separate consent first and update this policy.
7.3 Parental Rights
A parent or legal guardian has the right to:
- Review the personal information we have collected from their child;
- Refuse to permit any further collection or use of their child's information;
- Direct us to delete their child's information.
Because the Portal keeps nothing after a session ends (other than two optional preference cookies you control on your own device), there is usually nothing stored to review or delete once the browser is closed. To exercise any of these rights, write to privacy@quizmybrainz.com. We may need to take reasonable steps to verify that you are the child's parent or guardian before acting.
7.4 Verifiable Parental Consent — Future Features
If and when a feature is added that would require verifiable parental consent under COPPA (for example, saving a child's progress, creating an account, or any disclosure to a third party), we will obtain consent before that collection. No such feature exists today.
7.5 If We Ever Learn We Collected Too Much
If we discover we have collected personal information from a child beyond what is described here, or without a required consent, we will delete it promptly.
7.6 Schools and Teachers
When a teacher or school directs students to use the Portal in a classroom, the school may, under COPPA, provide consent on parents' behalf for collection used solely for the educational context. By using the Portal in a classroom, the teacher/school represents that it has the authority to do so and has met any applicable notice or consent obligations.
The Portal is a direct-to-consumer product. It does not collect data on a school's behalf, maintain student records, or act as a school's data processor. See Section 8 for FERPA.
Schools, Classrooms, and Student Records (FERPA)
The Family Educational Rights and Privacy Act (FERPA) governs schools and the vendors that act as a school's "school official." Because the Portal is a direct consumer product that keeps no student records and creates no accounts, we are not, by default, a FERPA-regulated party. In a classroom setting, the school remains responsible for its FERPA obligations and for any consents it must obtain.
If a school or district wishes to adopt the Portal formally as a vendor, we ask that this be arranged through a written agreement so that FERPA roles and responsibilities are clearly defined. Requests: privacy@quizmybrainz.com.
How Long We Keep Information (Retention Policy)
The amended COPPA Rule requires us to publish our retention practices and to keep children's information no longer than is reasonably necessary. We do not retain children's personal information indefinitely:
| Information | Retention | Then |
|---|---|---|
| Name/nickname, grade, language (in session) | Held only for the active session | Deleted automatically when the browser session ends |
user_language user_language preference cookie |
Up to 365 days on the user's own device | Expires automatically, or when the user clears cookies |
| Server access logs (IP, browser, OS, referrer, time) | 90 days | Purged on a rolling basis |
| First-party analytics (page visits, duration, activity clicks) | 90 days | Purged on a rolling basis — same schedule as server logs |
| Correspondence you send us (e.g., a privacy request) | Up to 2 years from last contact, only as needed to handle the request | Deleted |
We do not maintain any long-term database of individual children's activity.
How We Share Information
We do not sell personal information, and we do not "share" it for cross-context behavioral advertising (as those terms are used in California and other state laws).
We disclose information only in these narrow cases:
- Service providers / processors. We use a web-hosting provider to run the Portal. Such providers may process technical data (for example, server logs) strictly to operate the service for us, under contract terms that forbid using it for their own purposes.
- Legal compliance and safety. We may disclose information if required by law, valid legal process, or to protect the rights, property, or safety of our users or the public.
- Business transfer. If the company is acquired or merged, information may transfer to the successor, which must honor this policy or provide notice and equivalent protection.
We never disclose children's information to advertisers, data brokers, social-media platforms, or — without verifiable parental consent — to researchers.
Your Rights in the EU/EEA and United Kingdom (GDPR)
Because the Portal is offered in French and German and may be used in the EU/EEA and UK, the GDPR (and UK GDPR) applies to those visitors. You have the following rights:
| Right | What It Means |
|---|---|
| To be informed | To know what we do with your data — this policy provides that notice |
| Access | To get confirmation of, and a copy of, the data we hold about you |
| Rectification | To correct inaccurate data |
| Erasure ("right to be forgotten") | To have your data deleted |
| Restriction | To have us limit how we use your data |
| Data portability | To receive certain data in a portable, machine-readable form |
| Objection | To object to processing based on our legitimate interests |
| Rights regarding automated decisions | Not to be subject to solely automated decisions with significant effects — we make none |
You may also withdraw consent at any time where we rely on it (for example, by clearing the preference cookies), without affecting prior processing.
To exercise any right, contact privacy@quizmybrainz.com. We will respond within one month (extendable by two further months for complex requests, with notice to you). There is normally no charge.
Children's consent age (GDPR Art. 8). Where consent is the basis for an information-society service offered to a child, EU member states set the age of valid digital consent between 13 and 16. It is 15 in France and 16 in Germany. Because the Portal is intended for children under 13, we expect a parent or guardian to be involved in a child's use throughout the EU/EEA.
Right to complain. You may lodge a complaint with the data protection authority in your country (for example, the CNIL in France or your relevant authority in Germany). We would appreciate the chance to address your concern first.
EU Representative. We do not currently have a designated EU representative under GDPR Art. 27. EU/EEA users and supervisory authorities may contact us directly at privacy@quizmybrainz.com. We will appoint a designated representative as our EU user base grows.
International Data Transfers (US Hosting)
The Portal is hosted in the United States. If you use it from the EU/EEA or UK, the limited information described above is processed in the US.
For such transfers we rely on appropriate safeguards under GDPR Chapter V. In practice, because the data is minimal and is processed only to deliver the service the user has requested, transfers are supported by the derogation for transfers necessary for the performance of the service (GDPR Art. 49(1)(b)) and, where applicable, by Standard Contractual Clauses with our hosting provider.
You may request a copy of the relevant safeguards by emailing privacy@quizmybrainz.com.
Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, you may have rights under the California Consumer Privacy Act, as amended by the CPRA, including the rights to know, to delete, to correct, and to limit certain uses, and the right not to be discriminated against for exercising them.
Do Not Sell or Share My Personal Information. We do not sell your personal information, and we do not share it for cross-context behavioral advertising. The practice simply does not occur.
We also do not use or disclose sensitive personal information for purposes that would trigger a "limit the use" right.
To exercise any California right, contact privacy@quizmybrainz.com.
California SOPIPA (student data). The Student Online Personal Information Protection Act prohibits operators of services designed and marketed for K–12 school use from targeted advertising to students, profiling students, or selling student information. The Portal does none of these things by design.
Other US State Privacy Laws
A growing number of US states have children's- and teen-focused privacy laws (including, as of 2026, age-appropriate design codes and minors'-data rules in California, Maryland, New York, Connecticut, Colorado, Virginia, Texas, Nebraska, and others). Our practice of minimal collection, no sale or sharing, no targeted advertising, and no profiling of minors is designed to satisfy the core requirements common to these laws. Where a state grants residents specific rights, you may exercise them at privacy@quizmybrainz.com.
Security
We use technical and organizational safeguards appropriate to the small amount of low-sensitivity data we handle, including:
- HTTPS encryption for data in transit;
- Cross-site request forgery (CSRF) protection on form submissions;
- Security headers on server responses;
-
HttpOnly(and, in production,Secure) andSameSiteflags on cookies; - Server-side validation of user input; and
- No third-party advertising or tracking scripts.
We maintain a written information-security program covering these safeguards, as the amended COPPA Rule requires. No system is perfectly secure; if you believe you have found a vulnerability, please report it confidentially to oscarpureco@quizmybrainz.com.
Third-Party Links
The Portal may link to outside websites. We are not responsible for their privacy practices and encourage you to read their policies.
Changes to This Policy
If we change this policy we will update the "Last Updated" date, post the revised policy at this URL, and — for any material change affecting children's information — provide a prominent notice and, where appropriate, seek any newly required parental consent before the change takes effect.
Contact Us
mar&mar ideas products & more, LLC
Attn: Privacy
9133 Silver Dollar Dr.
Fort Worth, TX 76131
privacy@quizmybrainz.com
oscarpureco@quizmybrainz.com
We aim to resolve privacy concerns promptly. If we cannot, you may contact the regulator in your jurisdiction: in the EU/EEA, your national data protection authority; in the US, the Federal Trade Commission or your state attorney general.