Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

For privacy-related inquiries, please contact us at: privacy@golem15.com

2. Information We Collect

2.1 Parent Account Information

• Required: Name, email address, password (encrypted)
• Optional: Profile photo, PIN for quick access, OAuth provider data (Google, Facebook, GitHub)

2.2 Child Profile Information

• Required: First name, date of birth
• Login Username (Email): Optional - parents may provide an email, or we auto-generate one from parent's email (e.g., parent+childname@example.com) used for login only
• Authentication: PIN (4-8 digits, encrypted) OR password (8+ characters, hashed with bcrypt)
• Optional: Avatar image
• Note: We do NOT collect phone numbers or last names for children. Email is only used for login identification, not communication.

2.3 Quest and Activity Data

• Quest assignments, completions, and approvals
• Photos uploaded as quest completion proof
• Reward purchases and redemptions
• Experience points (XP), coins, and levels
• Achievement unlocks and progress

2.4 Technical Information

• IP address, browser type, device information
• Session data and authentication tokens (JWT)
• Device authorization tokens for trusted devices
• Usage analytics (page views, feature usage)
• Error logs for debugging

2.5 Cookies and Local Storage

• Essential cookies: Session management, authentication, security
• Preference cookies: Language selection, dark mode preference
• Analytics cookies: Usage statistics (anonymized)

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on:

• Contract performance (Art. 6(1)(b)): To provide QuestStream services to your family
• Consent (Art. 6(1)(a)): For optional features like analytics and marketing communications
• Legitimate interests (Art. 6(1)(f)): For security, fraud prevention, and service improvement
• Legal obligation (Art. 6(1)(c)): To comply with applicable laws and regulations

Parental Consent: For children under 16 (or applicable age in your jurisdiction), parents provide consent on behalf of their children when creating child profiles.

4. How We Use Your Data

• Provide and maintain QuestStream services (quest management, rewards, profiles)
• Send notifications about quest assignments, completions, and family activity
• Process authentication and maintain account security
• Analyze usage patterns to improve features and user experience
• Provide customer support and respond to inquiries
• Prevent fraud, abuse, and security incidents
• Comply with legal obligations and enforce our Terms of Use

5. Data Sharing and Disclosure

We do not sell or rent your personal data. We may share data only in these limited circumstances:

• Within your family: Quest data, rewards, and activity are visible to authorized family members (parents and co-parents)
• Service providers: Cloud hosting (AWS, DigitalOcean), email delivery (SendGrid, Mailgun), analytics (self-hosted)
• OAuth providers: When you choose to login with Google, Facebook, or GitHub, we receive basic profile data from these providers
• Legal requirements: When required by law, court order, or to protect rights and safety
• Business transfers: In case of merger, acquisition, or asset sale (with notice to users)

Third-Party Services: We use reputable service providers who are contractually obligated to protect your data and comply with GDPR.

6. Data Retention

• Active accounts: Data retained as long as your account is active
• Deleted accounts: Most data permanently deleted within 30 days
• Legal retention: Some data (invoices, transaction logs) retained for 7 years to comply with tax laws
• Anonymized analytics: Aggregated, anonymized data may be retained indefinitely for statistical purposes
• Backups: Deleted data removed from backups within 90 days

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

To exercise your rights: Email us at privacy@golem15.com with your request. We will respond within 30 days.

8. Children's Privacy (GDPR Art. 8, COPPA)

QuestStream is designed for families with children. We take children's privacy very seriously:

• Parental consent required: Parents must create and manage child profiles
• Minimal data collection: We only collect first name, date of birth, login email (optional/auto-generated), and authentication credentials (PIN or password, parent's choice) for children
• Parent-controlled accounts: Children cannot create accounts independently - all managed by parents
• No targeted advertising: We never show ads or marketing to children
• No data selling: Child data is NEVER sold or shared for marketing
• Parental control: Parents can view, edit, or delete all child data
• Safe content: Quest templates are age-appropriate and parent-controlled

Parents' role: By creating a child profile, you consent to the collection and processing of your child's data as described in this policy. You can delete your child's data at any time by removing their profile.

8.1 UK ICO Children's Code Compliance

QuestStream complies with the UK Information Commissioner's Office (ICO) Age-Appropriate Design Code (Children's Code). Our compliance measures include:

8.2 Quest Photo Retention Policy

Quest completion photos uploaded by children are handled as follows:

• EXIF Removal: GPS coordinates, device information, and other metadata are automatically removed from photos for privacy protection.
• Storage: Photos are encrypted and stored on secure servers in the EU (via OVHcloud, Cloudflare CDN).
• Access: Only family members can view quest photos. No public sharing.
• Retention Policy: Parents choose photo retention during onboarding:
  • Keep forever (default): Photos retained indefinitely for family memories
  • Auto-delete (optional): Photos automatically deleted after 6, 12, or 24 months
  • Parents can change this setting or manually delete photos anytime in Settings
• Account Deletion: All quest photos are permanently deleted within 30 days when a parent deletes their account or removes a child profile.
• Content Guidelines: Parents are responsible for ensuring quest photos contain appropriate content. We do not pre-moderate photos but parents can review and delete any photo.
• No AI/Facial Recognition: We do NOT use AI, facial recognition, or automated processing on quest photos. They are stored and displayed only.

8.3 Children's Data Rights (Exercised Through Parents)

Under GDPR Article 8 and UK ICO guidance, children's data rights are exercised by parents on their behalf:

• Right to Access: Parents can export all child data via "Privacy & Data" settings.
• Right to Rectification: Parents can edit child profiles anytime in "My Children" settings.
• Right to Erasure: Parents can delete child accounts permanently, removing all data within 30 days.
• Right to Data Portability: Child data is included in family data export (JSON format).
• Right to Object: Parents can disable analytics tracking for children in privacy settings.

8.4 Parental Authority Verification & Abuse Reporting

Under GDPR Article 8 (Polish RODO: children under 16 require parental consent), QuestStream requires parents to confirm they have legal authority to create and manage profiles for their children.

How We Verify Parental Authority

• Registration Declaration: During registration, parents must confirm they are at least 18 years old and have legal parental authority to consent on behalf of their children under 16.
• Consent Audit Trail: We track all parental consent declarations with timestamps, IP addresses, and policy versions for GDPR compliance.
• Individual Child Consent: When adding each child, parents provide explicit consent for data processing, recorded with the child's age and parent information.
• No Identity Documents Required: We use an honor-system approach during registration to maintain good user experience, but take violations seriously.

What Happens if Parental Authority is Misrepresented?

QuestStream is designed exclusively for parent-child family use. Accounts created without proper parental authority (e.g., by teachers for students, by unauthorized individuals) violate our Terms of Use and GDPR requirements.

• Account suspension: Accounts found to violate parental authority requirements will be suspended pending verification.
• Proof of authority may be requested: We reserve the right to request documentation proving legal guardian status.
• Account termination: False declarations may result in permanent account termination and data deletion.

How to Report Suspected Abuse

Special Circumstances (Divorce, Custody Arrangements)

For families under divorce or custody arrangements:

• Each parent with legal custody can create a separate QuestStream account for their household.
• Multiple parents can be added to the same family using our family invitation system (Settings → My Family).
• If custody disputes arise, contact us at privacy@golem15.com with court documentation.
• We recommend documenting custody arrangements in your personal records.

9. Data Security

We implement industry-standard security measures to protect your data:

• Encryption in transit: All data transmitted via HTTPS/TLS 1.3
• Encryption at rest: Passwords, PINs, and OAuth tokens encrypted with AES-256
• Authentication: JWT tokens with expiration, PIN lockout after failed attempts
• Access control: Role-based permissions, family-scoped data isolation
• Regular backups: Daily automated backups with encryption
• Security monitoring: Intrusion detection, error logging, audit trails
• Vulnerability scanning: Regular security audits and dependency updates

Security incident notification: In case of a data breach affecting your data, we will notify you and relevant authorities within 72 hours as required by GDPR Article 33.

10. International Data Transfers

QuestStream is operated from the European Union (Poland). If you access our services from outside the EU:

• Your data may be transferred to and processed in the EU
• We use EU-approved Standard Contractual Clauses (SCCs) for international transfers
• Third-party service providers comply with GDPR or Privacy Shield frameworks
• You have the same privacy rights regardless of your location

11. Cookies Policy

We use cookies and similar technologies:

Essential Cookies (Required)

• session_token - Authentication session (expires after 30 days)
• csrf_token - Security protection against CSRF attacks
• device_auth - Trusted device authorization token
• locale_manually_set - Language preference tracking (expires after 1 year) - Stores a simple flag indicating you have manually selected a language to prevent automatic language detection from overriding your choice. No personal information is stored.

Preference Cookies (Optional)

• darkMode - Dark mode preference (localStorage)
• language - Selected language preference

Analytics Cookies (Optional)

• Self-hosted analytics (no third-party tracking)
• Anonymized usage statistics
• Can be disabled in Settings

Managing Cookie Preferences

You can manage your cookie preferences at any time:

• Cookie Banner: On your first visit, you'll see a cookie consent banner at the bottom of the page where you can accept all cookies, accept only essential cookies, or customize your preferences.
• Re-configure Anytime: If you've already accepted cookies, clear your browser's localStorage to see the banner again and update your preferences.
• Essential Cookies: These cannot be disabled as they're required for the site to function (login, security, session management).
• Optional Cookies: Analytics and marketing cookies (when implemented) can be enabled or disabled individually.

Cookie consent: Essential cookies are used automatically as they're necessary for site functionality. Optional cookies require your consent, which you can provide or withdraw at any time through the cookie consent banner.

12. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with an updated "Last modified" date. For material changes, we will notify you via email or in-app notification at least 30 days before the changes take effect. Continued use of QuestStream after changes constitutes acceptance of the updated policy.

13. Contact Us

For privacy questions, data requests, or to exercise your GDPR rights:

14. Supervisory Authority

If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with your national data protection authority:

You can also contact the data protection authority in your country of residence. Find your local authority: edpb.europa.eu