Quizmatch — Product Quiz & Recommendation Funnel for Shopify
Last updated: 18 May 2026
Quizmatch is an embedded Shopify app by Timmgard GmbH that lets online stores run interactive product quizzes and recommendation funnels in their storefront. This privacy policy transparently explains, in line with Art. 13 GDPR, which personal data the App processes, for which purposes, on which legal basis, with whom it is shared, and what rights data subjects have. It describes the App's actual processing — not a generic template.
Provider and data controller within the meaning of Art. 4(7) GDPR for the operation of the Quizmatch app (the “App”) as a software service is:
Timmgard GmbH
Kurhausstraße 78a
53773 Hennef
Germany
Commercial Register: HRB 17527 (Amtsgericht Siegburg)
VAT ID: DE359202464
Authorised Representative: S. Timm
Email: [email protected]
Imprint: https://tg-ai.de/en/impressum
For the processing of shop end-customer quiz data, Timmgard GmbH acts as processor under Art. 28 GDPR — see Section 2.
Quizmatch processes personal data in two distinct roles:
• As controller under Art. 4(7) GDPR for installation, operation, security, and billing of the App vis-à-vis the merchant (e.g. Shopify shop domain, admin contact data, plan/billing state).
• As processor under Art. 28 GDPR for quiz answers, email addresses, and derived profile data of shop end customers. The controller for that data is the merchant. Timmgard GmbH processes such data exclusively on the merchant's documented instructions (in particular through the merchant's quiz configuration) under the data processing agreement (DPA) concluded upon installation. The full DPA is available at https://tg-ai.de/en/dpa.
For their own personal data as storefront visitors, end customers should primarily contact the respective merchant.
Quizmatch processes personal data for the following purposes:
• Providing and evaluating the storefront product quiz (rendering questions, evaluating conditional logic, computing the product recommendation via a deterministic score/tag/outcome model).
• Storing quiz responses so the merchant can review them in the admin and the visitor can resume an interrupted quiz.
• Optional email capture as a lead, where the merchant enables the feature and the visitor provides their email address with explicit consent.
• Producing aggregated, quiz-level (non-personal) statistics: views, starts, completions, drop-off per question, attributed revenue.
• Conversion attribution: when a visitor adds a recommended product to cart and the resulting order is paid, the corresponding quiz record is updated with order ID and order value (requires Shopify Protected Customer Data Access approval, granted 2026-05-11, and only triggers for orders originating from a quiz).
• Forwarding email and quiz answers to marketing tools the merchant has explicitly connected (see Section 11).
• Abuse and fraud prevention (rate limiting).
• Fulfilment of the statutory Shopify compliance webhooks CUSTOMERS_DATA_REQUEST, CUSTOMERS_REDACT, and SHOP_REDACT, and evidence of timely handling.
Processing is based on the following legal grounds:
• Art. 6(1)(b) GDPR — performance of the SaaS contract with the merchant (providing the App, storing and evaluating quiz responses as the core contractual service).
• Art. 6(1)(a) GDPR — consent for the optional email capture and the forwarding to the merchant's marketing tools. Quizmatch displays an explicit, non-pre-ticked consent checkbox in the quiz for this; without active consent, no email address is stored or transmitted to marketing tools. On the FREE plan, email capture is disabled entirely server-side.
• Art. 6(1)(f) GDPR — legitimate interest in abuse and fraud prevention (rate limiting), in the integrity of the multi-tenant model, and in a tamper-evident log of sensitive data operations (audit log).
• Art. 6(1)(c) GDPR in conjunction with Art. 12(3) GDPR — fulfilment and evidence of the Shopify compliance webhooks and of timely handling of data subject requests.
Where Quizmatch acts as processor, the merchant as controller determines the legal basis vis-à-vis the data subject; Quizmatch processes solely on the merchant's instructions.
On installation and operation by the merchant, the following are processed:
• Shop master data: shop domain (e.g. example.myshopify.com), shop name, primary shop email, default currency, default locale, timezone.
• OAuth access token granting the App the access approved by the merchant (scopes: read_products, read_orders, read_customers, write_customers, read_files). The token is stored encrypted.
• Account and billing state of the chosen Quizmatch plan via Shopify-managed billing (plan, subscription ID, trial end). Payment/card data is processed exclusively by Shopify — Quizmatch neither receives nor stores payment data.
• Data of the merchant's staff who use the embedded admin (Shopify user ID, first/last name, email, locale) — provided and authenticated exclusively via Shopify; Quizmatch maintains no separate user database.
• Integration credentials optionally entered by the merchant (API keys for Klaviyo/Omnisend/HubSpot, webhook URLs for Zapier/custom webhooks) and the merchant's own tracking IDs (Google Analytics 4 Measurement ID, Meta Pixel ID). These are stored encrypted at rest.
When a visitor uses a quiz in the merchant's storefront, Quizmatch processes:
• Quiz answers: selected options, multiple selections, slider/numeric values, and free-text inputs. Free-text fields may contain any content the visitor enters — the merchant is responsible for the design of the questions.
• Email address — only if the merchant enables email capture, the visitor provides it, and the consent checkbox is actively confirmed (see Section 4). No email is stored on the FREE plan.
• Consent status (boolean) as evidence of the consent given.
• Anonymous session identifier (generated client-side) so the same visitor can resume an interrupted quiz.
• Product recommendations determined for the response.
• Conversion data: whether a recommended product was added to cart/purchased, plus the Shopify order ID and order value of the attributed order (only via the orders/paid webhook, Protected Customer Data Access, see Section 3).
• Language and currency from Shopify Markets (e.g. “de-DE”, “EUR”) so the results page renders correctly.
• A technical source/origin label (e.g. “storefront”); UTM parameters only where the merchant's setup passes them.
Aggregated daily statistics (views, starts, completions, drop-off, revenue) are stored per quiz — not per person — and are not personal data.
Zero-party profile: where an email address with consent exists, Quizmatch may, on the merchant's behalf, build an aggregated preference profile per email (e.g. derived preference tags from quiz answers) for the merchant's exclusive use. This is not used for automated individual decisions (see Section 15).
Quizmatch does not store storefront visitors' IP addresses. An IP address is evaluated only ephemerally in memory to count requests for rate limiting (abuse prevention under Art. 6(1)(f) GDPR); the counter is reset every minute. Neither the full nor a truncated IP address is persisted with the quiz record. Quizmatch likewise creates no cross-device identifiers, no fingerprinting, and no profiling beyond what Shopify itself emits.
The storefront quiz widget sets no cookies. It uses only strictly necessary browser storage to provide the function requested by the visitor (Section 25(2) no. 2 TDDDG, the German implementation of the ePrivacy Directive):
• localStorage “quizkit_progress_<quizId>”: stores progress (answers, current step, timestamp) so an interrupted quiz can be resumed. Remains exclusively in the visitor's browser and expires automatically after 24 hours or is cleared on completion.
• sessionStorage “quizkit_popup_<slug>”: a technical marker so a popup quiz triggers at most once per session. Cleared when the browser tab is closed.
These entries contain no data beyond quiz usage and are not transmitted to any server unless the visitor submits the quiz.
The merchant may optionally enter their own Google Analytics 4 Measurement ID and/or Meta Pixel ID. In that case the quiz widget sends events (e.g. quiz started, question viewed, completed, added to cart) to the merchant's tracking tools — only if the corresponding tracking code (gtag/fbq) is already loaded in the storefront by the merchant. Quizmatch does not load these scripts itself and neither receives nor stores the resulting analytics data; the data flows directly from the visitor to the merchant's analytics/pixel account.
The lawfulness of this tracking — in particular the prior consent required by Section 25(1) TDDDG and Art. 6(1)(a) GDPR, and its integration into the storefront's consent management — is the sole responsibility of the merchant as controller. Quizmatch performs no consent prompt of its own.
Quizmatch uses the following infrastructure sub-processors, each engaged under a data processing agreement per Art. 28 GDPR:
• Render Services, Inc. — role: hosting of the application and the PostgreSQL database. Region: “Frankfurt (EU Central)”; storage and processing take place exclusively within the EU. The provider is US-incorporated; EU Standard Contractual Clauses apply to the corporate relationship.
• Shopify Inc. — role: data source via the Shopify Admin API, recipient of the compliance webhooks, host of the embedded admin session and of app billing. Location: Canada (headquarters, EU adequacy decision) with US-based infrastructure. Covered by the Shopify DPA including EU Standard Contractual Clauses.
Quizmatch uses no AI/LLM services (a semantic “AI Smart Match” feature is specified but not implemented and not active) and integrates no third-party error monitoring or telemetry. No processing for Quizmatch's own advertising or profiling purposes takes place.
The following recipients are activated only when the merchant configures the respective integration in Quizmatch themselves. In that case the visitor-provided email address, the quiz answers, and the recommended products are typically transmitted:
• Klaviyo (USA) — profile/event sync once the merchant provides a Klaviyo API key. Only where email consent is present.
• Omnisend (USA) — contact sync where an Omnisend API key is provided. Only where email consent is present.
• HubSpot (USA, Germany) — contact sync where a HubSpot API key is provided. Only where email consent is present.
• Zapier (USA) — generic webhook delivery to an inbound URL provided by the merchant.
• Custom webhooks — any HTTPS URL the merchant configures under integration settings.
Outbound calls to merchant-provided webhook URLs are SSRF-guarded at request time (private/loopback/link-local/metadata addresses blocked, redirects re-validated). For these merchant-activated recipients the merchant is the responsible controller; where a recipient is located outside the EU, the merchant must ensure an appropriate transfer mechanism (Standard Contractual Clauses, adequacy decision, EU-US Data Privacy Framework).
The App infrastructure and the database operate exclusively within the EU (Frankfurt, Germany). Transfers to third countries are safeguarded by:
• EU Standard Contractual Clauses under Implementing Decision (EU) 2021/914 — within the Shopify DPA and for the corporate relationship with the US-incorporated hosting provider (data residency nonetheless EU).
• The EU adequacy decision for Canada (Shopify headquarters).
• For merchant-activated US recipients (Section 11): the transfer mechanism the merchant must provide, where applicable the EU-US Data Privacy Framework or Standard Contractual Clauses.
• Supplementary technical and organisational measures (transport encryption, access restrictions).
The following retention periods apply and are enforced automatically, independently of merchant action:
• Completed quiz responses: at most 24 months.
• Incomplete or abandoned quiz responses: at most 90 days.
• Zero-party profiles not seen for 24 months: deleted.
• Aggregated daily statistics (non-personal): for as long as the underlying quiz exists.
• Data-subject request log (data export): the generated export is deleted as soon as the merchant marks the request as “delivered”; full deletion on CUSTOMERS_REDACT or SHOP_REDACT.
• Webhook idempotency markers: contain no quiz or customer data (only webhook ID, topic, shop domain) and are deleted at the latest with the shop account.
• On uninstallation: immediate cleanup; at the latest 48 hours after uninstallation, all shop data (quizzes, responses, profiles, sessions, onboarding state, product cache) is permanently deleted via the SHOP_REDACT webhook.
• Individual CUSTOMERS_REDACT request: anonymisation of the email address, deletion of free-text answers, nulling of the order ID, plus deletion of the associated zero-party profile and any export records.
The merchant may also delete responses manually in the admin at any time. Commercial or tax retention obligations (e.g. §§ 257 HGB, 147 AO) concern the merchant's bookkeeping and are met in Shopify, not in Quizmatch.
Quizmatch does not process special categories of personal data under Art. 9 GDPR (e.g. health, biometric, ethnic, political, religious, or sex-life data) unless the merchant designs a quiz that actively asks for such information (e.g. skin, health, or diet quizzes). In that case the merchant alone, as controller, is responsible for ensuring a valid legal basis under Art. 9(2) GDPR (typically explicit consent) and for designing the questions accordingly. Quizmatch does not collect such data on its own initiative.
Quizmatch performs no automated individual decisions with legal or similarly significant effect within the meaning of Art. 22 GDPR. The product recommendation is based on a deterministic score/tag/collection/outcome model configured by the merchant and serves solely to display suitable product suggestions. No profiling with decision-making effect on the data subject takes place; the zero-party aggregation (Section 6) serves merchant analytics only. An AI-assisted semantic recommendation is not implemented.
Quizmatch implements appropriate technical and organisational measures:
• TLS encryption for all data transmissions.
• OAuth access tokens encrypted at rest; the managed PostgreSQL database (Render) encrypts all stored data including merchant-provided integration credentials; database backups are encrypted.
• Authenticity verification of all Shopify webhooks via HMAC signatures; idempotency against duplicate processing.
• Tenant isolation: every database query is scoped to the requesting shop (shopDomain); cross-shop access is rejected at the service layer.
• SSRF protection of outbound calls to merchant-provided webhook URLs.
• Timeout (5 seconds) and bounded retries for outbound third-party calls.
• Append-only log (audit log) of sensitive data operations (data export, customer/shop deletion) — without personal content, only operation type and counts.
• Access to production infrastructure restricted to authorised personnel only; security-relevant changes are reviewed before deployment.
Shop end customers have the following rights vis-à-vis the merchant as controller:
• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent under Art. 7(3) GDPR with future effect (as easy as it was to give)
Requests can be made via the merchant (primary route) or directly to the processor at [email protected]. Requests arriving through Shopify are handled automatically via the CUSTOMERS_DATA_REQUEST (data export for the merchant) and CUSTOMERS_REDACT (anonymisation/deletion) compliance webhooks. Responses are provided within the deadline set by Art. 12(3) GDPR (generally no longer than 30 days).
Without prejudice to other remedies, data subjects have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The authority competent for Timmgard GmbH is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2-4
40213 Düsseldorf
Germany
The authority competent for the merchant as controller may differ.
Timmgard GmbH is not required to appoint a data protection officer under § 38 BDSG because it has fewer than 250 staff and no core activity requiring large-scale regular monitoring or large-scale processing of special categories of data. Privacy requests are handled centrally at [email protected] and answered within the statutory deadlines (Art. 12(3) GDPR, generally no longer than 30 days).
Providing quiz answers and an email address is voluntary; there is no statutory or contractual obligation to provide them. Without quiz participation only the product recommendation is unavailable; without an email address only the optional lead feature is unavailable.
This privacy policy may be updated when processing changes, sub-processors change, or legal requirements so require; the current version is always available at this URL. Version date: 18 May 2026.