Legal

Privacy Policy

What data we collect, why we collect it, and how we keep it safe.

Note: This is a plain-language template provided for launch purposes and is not a substitute for professional legal advice. TheBairCompany should have this policy reviewed by a qualified lawyer, particularly regarding GDPR and COPPA obligations, before or shortly after launch.

Last updated: June 2026

1. Who We Are

Questic is an iOS social quest and dare app developed and operated by TheBairCompany ("we", "us", "our"). When this policy refers to "Questic", it means the Questic mobile application and the website at questic.app.

TheBairCompany is the data controller for the personal data described in this policy. If you have any questions or requests about your data, contact us at privacy@questic.app.

2. What Data We Collect

We only collect data that is necessary to operate Questic. Here is a plain breakdown:

Account information

  • Email address: used to create and identify your account, send important notifications, and recover access if needed.
  • Username: the display name you choose, visible to members of your groups.
  • Date of birth: used to verify you meet the minimum age requirement (13+) and to apply appropriate protections for younger users.
  • Password: stored as a secure hash; we never store or transmit your password in plain text. Questic also runs automated checks against known leaked-password databases to help protect your account.

Content you submit

  • Proof media: photos and videos you upload as quest proof. These are stored in private, access-controlled storage buckets (see Section 5) and are only visible to members of the relevant group.
  • Quest and dare content: text you write when proposing a quest or dare within a group.
  • Reactions and votes: your in-app interactions such as voting on proof submissions and leaving reactions.

Usage and technical data

  • Gameplay data: XP, level, streak count, coins, gems, completed quests, and other in-app progress data necessary to operate the game systems.
  • Device and session data: basic information such as device type, operating system version, app version, and session timestamps, used for debugging and maintaining service stability.
  • Purchase records: records of virtual item purchases and subscription status, processed by Apple. We receive confirmation of a purchase but not your full payment details.

3. How We Use Your Data

We use the data we collect to:

  • Create and manage your account.
  • Operate the core features of Questic: quests, groups, XP, streaks, the shop, and Quester Pro.
  • Show your proof submissions to the members of your group so they can vote.
  • Send you important service communications (for example, security alerts or policy updates). We do not send marketing emails without your opt-in consent.
  • Detect, investigate, and prevent fraud, abuse, or violations of our Terms of Service.
  • Improve and debug the App using aggregated, non-identifying usage data.
  • Comply with legal obligations.

We do not build advertising profiles, sell your data, or use your content to train AI models.

4. Legal Basis for Processing

If you are in the European Economic Area (EEA) or the United Kingdom, we rely on the following legal bases under GDPR:

  • Contract performance: processing your account data and content is necessary to provide the Questic service you signed up for.
  • Legitimate interests: maintaining service security, preventing abuse, and improving the App, where these interests are not overridden by your rights.
  • Legal obligation: where we are required by law to process or retain data.
  • Consent: for any optional processing (such as marketing communications), where we will ask for your explicit consent and you can withdraw it at any time.

5. Storage & Security

Questic's backend is built on Supabase, a cloud database and storage platform. Your data is stored on Supabase's infrastructure, which is hosted on AWS data centres in the EU region.

  • Proof images and videos are stored in private Supabase storage buckets. They are never publicly accessible by URL. Access is granted only via short-lived, signed URLs generated on demand, meaning only authenticated group members can view proof for their own group's quests.
  • Passwords are hashed using bcrypt (via Supabase Auth) and are never stored or transmitted in plain text.
  • Leaked-password protection: Supabase Auth checks new and updated passwords against the HaveIBeenPwned database of known breached passwords and will reject credentials that appear in known data breaches.
  • Data in transit is encrypted using TLS.
  • Access controls: database access is governed by Row Level Security (RLS) policies, meaning your data is only accessible by you and the specific group members it is intended for.

No system is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@questic.app.

6. Sharing Your Data

We do not sell your personal data to third parties. We share data only in the following limited circumstances:

With other Questic users

Your username, avatar, XP, level, and streak are visible to members of your groups. Proof submissions are visible to your group for the purpose of voting.

With service processors

  • Supabase: database, authentication, and file storage provider. Supabase processes data on our behalf and is bound by a Data Processing Agreement.
  • Apple: all in-app purchases are processed by Apple through the App Store. Apple's Privacy Policy governs data collected during that transaction.

For legal reasons

We may disclose data if required by law, court order, or to protect the safety of our users or the public.

7. Children's Privacy

Questic is designed for users aged 13 and older and is not directed at children under 13. We do not knowingly collect personal data from children under 13. If we become aware that we have done so, we will delete that data promptly.

Users between 13 and 17 are minors in most jurisdictions. We encourage parents and guardians to be aware of their child's use of Questic. If you are a parent or guardian and believe your child has created an account without appropriate awareness, please contact us at privacy@questic.app and we will assist you.

8. Your Rights

Depending on where you live, you may have the following rights regarding your personal data:

  • Access: request a copy of the data we hold about you.
  • Correction: ask us to correct inaccurate data.
  • Deletion: request that we delete your account and personal data. You can do this directly from within the App in your account settings, no email required. We will delete your data within 30 days of the request, subject to any legal retention obligations.
  • Restriction: ask us to limit how we process your data in certain circumstances.
  • Portability: request your data in a machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any right not available directly in the App, contact us at privacy@questic.app. We will respond within 30 days. If you are in the EEA, you also have the right to lodge a complaint with your local data protection authority.

9. Data Retention

We keep your personal data for as long as your account is active or as needed to provide you with the Questic service. Specific retention periods:

  • Account data: retained until you delete your account. Upon deletion, your profile, username, and personal details are removed within 30 days.
  • Proof media: deleted when you delete your account, or when the relevant quest record is removed from our active systems.
  • Purchase records: retained for up to 7 years where required by financial regulations.
  • Logs and technical data: typically retained for up to 90 days for debugging purposes, then deleted.

10. International Data Transfers

Questic is operated from Belgium, and our data is primarily stored in EU-based infrastructure via Supabase. If data is transferred outside the EEA (for example, as part of Supabase's or Apple's global infrastructure), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via an in-app notice or email before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continuing to use Questic after the effective date means you acknowledge the updated policy.

12. Contact

For any questions, requests, or concerns about your privacy or this policy, please reach out: