Privacy Policy

Pomlet is responsible for the data it processes to operate the website, accounts, subscriptions, security, support and product. For quizzes, classroom games, employee training, participant answers and organization content, the customer, host, school, employer or organization may also be responsible for deciding what data is collected and why. In those cases, Pomlet may act as a service provider or processor where applicable law recognizes that role.

Privacy questions and rights requests may be sent to privacy@pomlet.com.

Depending on how you use Pomlet, we may collect:

• account data: name, email address, password hash, email verification status, login method and plan;
• authentication and session data: session tokens, account identifiers, reset tokens and verification tokens;
• quiz content: titles, descriptions, questions, answers, explanations, settings, themes, folders, images and slide content;
• AI input data: prompts, instructions, source URLs and extracted document or PDF text submitted for AI quiz generation;
• AI output data: generated quiz titles, descriptions, questions, answers, explanations and image search keywords;
• organization data: organization name, roles, members, invitations, license assignments and billing status;
• player data: game PIN, nickname, answers, score, rank, streak, team, connection state and game progress;
• reports: session summaries, player names, question statistics, answer distributions and scores;
• billing data: customer identifiers, subscription identifiers, plan, seat count, payment status, invoice status and billing portal events from our payment provider;
• communications: emails, support requests, legal notices, feedback and related metadata;
• technical data: IP address, request metadata, browser/device information, timestamps, security logs, rate-limit records and error information.

Pomlet does not intentionally store full payment card numbers. Card details are handled by the payment provider. For AI PDF generation, the browser extracts text from the PDF. Pomlet intends to transmit and process extracted text, not to store the original PDF file as a server-side upload for that feature.

We use data to:

• provide, maintain, secure and improve Pomlet;
• create accounts, verify emails, authenticate users and prevent abuse;
• store, edit, organize, launch, embed and display quizzes;
• operate live games, solo games, teams mode, elimination mode, leaderboards, QR codes and reports;
• process AI quiz generation requests and return generated quiz drafts;
• manage organizations, members, roles, invitations, seats and licenses;
• process subscriptions, renewals, prorations, cancellations, invoices and billing support;
• send transactional emails, account notices, security messages, invitations and billing confirmations;
• monitor service health, enforce limits, detect fraud, prevent attacks and comply with law;
• respond to support, privacy, legal and abuse requests.

Where laws such as the GDPR, UK GDPR, Swiss FADP or similar rules apply, we rely on legal bases that may include contract performance, legitimate interests, consent, compliance with legal obligations and, where applicable, the instructions of a customer acting as controller.

Examples: account and subscription processing are generally needed to perform a contract; security logging and abuse prevention are based on legitimate interests and legal obligations; marketing or optional cookies, if introduced, would rely on consent where required.

If you use AI features, you instruct Pomlet to send relevant prompts, instructions, source material and extracted document text to third-party AI providers, including OpenAI or successor providers. Those providers process data under their own systems, policies and contractual terms.

Pomlet does not control the independent retention, abuse monitoring, security or policy decisions of AI providers. You are responsible for ensuring that you have the right to send the content to an AI provider and that the content is appropriate for AI processing. Do not submit trade secrets, confidential documents, personal data, student records, health data, financial data, regulated data or other sensitive information unless you are authorized and accept the third-party processing risk.

As of the date above, OpenAI's public API data controls state that API data is not used to train or improve OpenAI models unless the customer opts in, while abuse monitoring logs may be retained for a limited period by default. Provider policies can change, and the current OpenAI data controls are available at OpenAI's platform data controls.

AI output is stored in Pomlet as quiz content until you delete it or your account is deleted. Source text used for AI generation is not intentionally stored as a separate source document after generation, but it may appear in generated questions, answers, explanations, logs, provider systems or support/security records.

We may share data with:

• service providers that help us host, process, secure, email, bill, support or operate Pomlet;
• AI providers when you use AI generation features;
• payment providers for checkout, subscriptions, invoices, fraud prevention and billing support;
• image providers when you search or import public images, or when AI-generated cover keywords are used to find cover images;
• organization admins and members according to their workspace role and access rights;
• players and audience members in a live game, according to game mode and settings;
• anyone who can access an embed, public game PIN, QR code or shared page that you publish;
• law enforcement, regulators, courts, advisors or other parties where legally required or needed to protect rights, safety and security;
• successors in connection with a merger, acquisition, financing, reorganization or sale of assets.

We keep data for as long as reasonably necessary for the purposes described in this Policy, including to provide the service, maintain accounts, comply with law, resolve disputes, enforce agreements, maintain security and keep business records.

• Account data is generally kept while the account exists.
• Session records expire after a limited period unless refreshed by continued use.
• Quizzes, images and organization content are kept until deleted by an authorized user or account deletion process.
• Game reports are kept until deleted by an authorized user or account deletion process.
• Billing records may be retained as needed for accounting, tax, fraud prevention and legal compliance.
• Security logs, rate-limit records and technical records may be kept for limited periods appropriate to security and operations.

Pomlet and its providers may process data in countries other than where you live. Those countries may have different data protection laws. Where required, we use appropriate safeguards such as contractual commitments, transfer mechanisms or provider terms.

Depending on your location and role, you may have rights to access, correct, delete, restrict, object to or port personal data, withdraw consent and complain to a supervisory authority. You may also have rights to opt out of certain processing.

To exercise rights, contact privacy@pomlet.com. We may need to verify your identity and may direct player, student or employee requests to the relevant host, school, employer or organization where they control the data.

Pomlet is not intended for children to create accounts without appropriate authorization. Players can join games without accounts, but hosts should avoid collecting unnecessary personal information from minors. Schools, teachers and organizations are responsible for obtaining any required notices, consents, approvals or data processing terms before using Pomlet with children or students.

We use reasonable technical and organizational measures designed to protect data. No internet service is completely secure. You are responsible for using strong passwords, limiting who receives game PINs and embeds, managing organization roles and avoiding unnecessary sensitive content.

Pomlet uses necessary cookies and browser storage to keep users signed in, remember player names for a game, maintain demo return paths and operate the service. See the Cookie Policy for details.

We may update this Privacy Policy as the product, providers, laws or practices change. The updated date above shows when the page was last changed. Continued use of Pomlet after an update means the updated Policy applies.