Overview
QuestList is a gamified quest management system for teachers, parents, and game hosts. We take the privacy of all users seriously, especially children. This policy explains what data we collect, how we use it, and your rights.
Data We Collect
Game Hosts (Account Holders)
- Email address and password (for authentication)
- First and last name
- Organization name
Players (Children and Students)
We collect minimal data about players. Players are not registered as users and do not have accounts.
- First name and display name only (no email, no last name, no date of birth)
- Quest completion records (which quests were completed and when)
- For URL quests: time spent viewing content (in seconds)
- For location quests: whether the player was within range (yes/no only)
Children's Privacy (GDPR / COPPA)
- No child accounts: Players do not create accounts. They access the game via a link provided by their game host.
- Minimal data: We only store a first name and display name. No email addresses, photos, or identifying information is collected from children.
- No location tracking: For location-based quests, the game checks proximity on the player's device and only sends a yes/no result to our server. We never receive, store, or process a child's GPS coordinates.
- Parental consent: Game hosts must confirm parental consent when adding each player to the system.
- Right to deletion: Deleting a player permanently removes all their data, including completion records, game links, and player associations.
How We Use Data
- To provide the quest management and game integration service
- To display progress to game hosts
- To authenticate game hosts and manage organizations
- To process subscription payments (via Stripe)
We do not sell, share, or use personal data for advertising purposes.
Data Storage and Security
- Data is stored in Supabase (hosted on AWS) with encryption at rest
- All data access is protected by Row Level Security (RLS) policies
- Organizations can only see their own data
- Game sessions use short-lived tokens (2 hours) for authentication
- Payment data is handled entirely by Stripe; we do not store card numbers
Data Retention
- Account data is retained while the account is active
- Deleting a player cascades to all related records (completions, game links)
- Deleting an organization removes all associated data
- Inactive accounts may be deleted after 12 months of inactivity with prior notice
Your Rights
Under GDPR and applicable data protection laws, you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Export your data in a portable format
- Object to data processing
Contact
For privacy-related questions or data requests, please contact your organization administrator or reach out to us at the email address provided in your account settings.
Last updated: April 2026