Privacy Policy
This document describes what personal data Viktorinka (the «Service») collects, why, how long it keeps it and to whom it transfers it. It complies with the Russian Personal Data Protection law (152-ФЗ).
1. Operator and processor
For data of registered users (teachers and parents with an email account), the personal-data operator is the natural person Калистратов Илья Алексеевич. Contact for personal-data requests and legal matters: viktorinka-info@mail.ru. For data about students/players that a teacher/parent enters into their own cabinet (nickname, group label, answer statistics), the operator is the teacher/parent who entered that data. Viktorinka acts as **a person processing personal data on the operator's behalf** in the sense of Art. 6 §3 of 152-ФЗ — we technically store and display this data on the teacher's instruction, but we don't define the purposes of processing and have no independent access to information linking a nickname to a specific child (surname, school, address). Consent for the operator-side processing of user data (email, nickname, password hash, IP, user agent, cookies) is given at registration via an active checkbox carrying this Policy's version; the consent record (timestamp + version) is stored in the system. Consent may be withdrawn by writing to the operator's address or by deleting the account via Cabinet → Settings.
2. Data we collect
From teachers/parents: email, nickname, password (as a hash), optional avatar URL. From students (entered by the teacher/parent): nickname, optional group label (e.g. «Class A», «morning club»), statistics of correct/incorrect answers. The status of this student data depends on the party. For the teacher/parent in whose cabinet the records exist, the nickname combined with additional information known to that user (their own knowledge of the class roster) can indirectly identify a specific minor — from that user's perspective the records are personal data of a minor under Art. 3 of 152-ФЗ, and the user as operator must have a legal basis for processing (consent of legal guardians, or an educational function under Art. 6 §1 cl. 2). For Viktorinka the data is not personal: the service has no access to a key linking the nickname to a specific child, and processes it solely as a processor on the teacher's/parent's behalf (see §1). The teacher/parent agrees not to enter the child's surname, address, school number, or other directly identifying info into these fields. Technical data: session cookies, IP address per request, user agent. From service usage: created question packs, game session history.
3. Why we collect
Email and password for authentication. Nickname for display in the cabinet and team rosters. Student nicknames and stats so the teacher can see which topics the class has mastered. Session cookies for sign-in without re-authentication. IP and user agent for abuse protection (rate limiting, brute-force prevention).
4. Retention
Email, nickname and password hash: while the account is active. After account deletion: 30 days in archive, then irreversible removal. Student answer history: aggregate stats (correct/wrong counts) for as long as the nickname exists in the system; per-question detail for 30 days. Cookies: until sign-out or 30 days.
5. Whom we share data with
Email provider (for verification and password-reset mail) — Yandex 360, Russian servers. The AI provider (used when a teacher invokes auto-generation) is configured by the service operator; Yandex GPT (Russia, no cross-border transfer) is active by default. The AI request payload is the lesson topic typed by the teacher; student names and stats are never sent. If the operator activates a foreign AI provider (e.g. OpenRouter), that constitutes cross-border transfer to a country without adequate protection under Art. 12 of 152-ФЗ; such activation triggers a new Policy version and a fresh consent request — no transfer occurs until consent is recorded. No other third parties.
6. Data security measures
The service applies organisational and technical safeguards under Art. 19 of 152-ФЗ: — HTTPS/TLS on all server connections; — password hashing via bcrypt; — email-verification and password-reset tokens stored only as SHA-256 hashes; — session cookies set with HttpOnly + Secure (in production) and SameSite=Lax; — role-based access control on the admin area (admin/moderator only); — rate limiting on sensitive endpoints (login, registration, AI generation); — physical server location in the Russian Federation; — regular OS and dependency updates.
7. User rights
The user has the right to: — withdraw consent — by deleting the account via Cabinet → Settings or by emailing the operator (see §1); — request a copy of their personal data processed by Viktorinka; — request correction of inaccurate or outdated data; — request blocking or destruction of data that is incomplete, outdated, inaccurate, unlawfully obtained, or no longer necessary for the stated purposes; — receive information on the purposes, means and retention periods of processing. Requests are processed within 30 calendar days of receipt. Requests about student data are submitted by the teacher/parent in whose cabinet those records exist, or by a legal guardian via that teacher/parent (since the user — not Viktorinka — is the operator of the student's personal data, see §1).
8. Changes
Material changes to this policy require re-consent — we'll show the form on next sign-in. Minor edits (typos, rephrasing) may be published without a separate notice.