Privacy Policy

1. Data Controller

The data controller for personal data collected through the App is:

2. Personal Data We Collect

2.1 Account data (provided at registration or via Apple Sign-In): email address; full name (optional, where shared via Apple Sign-In); profile picture URL (optional, where shared via Apple Sign-In); unique user identifier (UUID) generated automatically at account creation.

2.2 Authentication credentials: passwords are hashed by our authentication provider (Supabase) and are never stored in plain text; we do not have access to your password. Where Apple Sign-In is used, no password is stored.

2.3 App usage and progress data (stored on our servers): the Quest you are currently working on and your progress through the Quest system; XP accumulated and any administrator-granted bonus XP; difficulty levels selected within Quests.

2.4 Device-local data (encrypted storage on your device only; not transmitted to our servers): Quest timer start and completion timestamps; onboarding completion status flag.

2.5 Onboarding session data: during onboarding, you select from predefined options in response to motivational framing questions. These selections are used within the session only to personalise the narrative flow. They are not transmitted to our servers and are not retained after the session ends.

2.6 Signature data: during onboarding, you are invited to draw a signature as a gamified commitment prompt. This is captured in-session to enable onboarding progression. It is not stored on our servers, not transmitted, and is discarded at the end of onboarding.

2.7 Subscription data (retrieved from RevenueCat): whether you hold an active SocialQuest Pro entitlement. We do not hold or process your payment card details; all payment information is held by Apple.

3. Age and Under-Age Users

We do not knowingly collect personal data from anyone under the age of 16. If we become aware that we hold personal data belonging to a person under 16, we will take steps to delete it without undue delay. If you believe a child under 16 has created an account, please contact us at 527studioslimited@gmail.com.

4. How We Use Your Data and Our Lawful Basis

4.1 Creating and managing your account

Purpose: Registering your account, authenticating you, and maintaining your account.

UK/EU GDPR: Performance of a contract (Article 6(1)(b)).

CCPA/CPRA: Disclosed purpose — account administration.

PIPEDA: Consent at registration and necessary for service delivery.

4.2 Providing the App's features

Purpose: Retrieving your Quest progress, calculating XP and rank, and displaying your profile.

UK/EU GDPR: Performance of a contract (Article 6(1)(b)).

CCPA/CPRA: Disclosed purpose — service delivery.

PIPEDA: Necessary for service delivery.

4.3 Managing your subscription

Purpose: Verifying subscription status and gating access to premium content.

UK/EU GDPR: Performance of a contract (Article 6(1)(b)).

CCPA/CPRA: Disclosed purpose — subscription management.

PIPEDA: Necessary for service delivery.

4.4 Responding to your communications

Purpose: Handling support requests, enquiries, and complaints.

UK/EU GDPR: Legitimate interests (Article 6(1)(f)) — our legitimate interest in providing customer support.

CCPA/CPRA: Disclosed purpose — customer support.

PIPEDA: Implicit consent and our legitimate purpose of providing support.

4.5 Security and fraud prevention

Purpose: Detecting, investigating, and preventing fraudulent activity, abuse, and security incidents.

UK/EU GDPR: Legitimate interests (Article 6(1)(f)).

CCPA/CPRA: Disclosed purpose — security.

PIPEDA: Our legitimate purpose of protecting the App and its users.

4.6 Compliance with legal obligations

Purpose: Complying with applicable laws, regulations, court orders, or competent authority requests.

UK/EU GDPR: Legal obligation (Article 6(1)(c)).

CCPA/CPRA / PIPEDA: Legal obligation.

5. Third-Party Recipients and Processors

5.1 Supabase Inc. — Data Processor

Role: Backend database hosting and authentication services.

Data received: Account data (email, name, avatar URL, UUID), hashed authentication tokens, Quest progress data.

Location: Data is primarily stored in the EU (Ireland). Where data is transferred outside the EEA or UK, appropriate safeguards are applied in accordance with applicable law.

Privacy policy: supabase.com/privacy

5.2 RevenueCat, Inc. — Data Processor / Independent Controller (in part)

Role: Subscription entitlement management.

Data received: User identifier, subscription status, purchase event data.

Location: United States. Where data is transferred outside the EEA or UK, appropriate safeguards are applied.

Note: RevenueCat may act as an independent controller for certain platform-level analytics it collects.

Privacy policy: revenuecat.com/privacy

5.3 Apple Inc. — Independent Controller

Role: App Store operator, Apple Sign-In provider, and subscription payment processor.

Data received: Authentication data (via Apple Sign-In) and subscription purchase data (via App Store billing).

Location: United States.

Note: Apple acts as an independent data controller for all data processed through its platforms.

Privacy policy: apple.com/privacy

6. International Data Transfers

Core user data is primarily stored within the European Union (Supabase infrastructure in Ireland). As a UK company, we transfer personal data from the UK to the EU. The UK Government has determined that the EU/EEA provides an adequate level of data protection; this transfer is covered by that adequacy determination.

Supabase Inc., RevenueCat, Inc., and Apple Inc. are US-based. Where personal data is transferred from the UK or EEA to these organisations, we rely on appropriate transfer safeguards in accordance with applicable law. Where required by applicable law, appropriate safeguards for international transfers are in place.

7. Data Retention

7.1 Account and progress data: retained for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within a reasonable period, subject to any retention required by applicable law.

7.2 Subscription data: records of subscription transactions may be retained for longer periods where required by applicable tax, financial, or fraud-prevention regulations, or to resolve disputes.

7.3 Support communications: correspondence is retained for a reasonable period to resolve your request and for a further period in the event of follow-up claims.

7.4 Device-local data: session tokens, onboarding status, and Quest timer data stored on your device are removed when you delete the App or delete your account.

8. Security

We implement appropriate technical and organisational measures to protect your personal data, including: transmission over encrypted HTTPS connections; encrypted local storage of session tokens and on-device data using Apple's Keychain mechanism via Expo SecureStore; hashed storage of passwords by our authentication provider; and access controls restricting access to backend systems.

No method of electronic transmission or storage is entirely secure. While we take appropriate steps to protect your data, we cannot guarantee absolute security.

9. Data We Do Not Collect

Based on the current design of the App, we do not collect:

• Precise or approximate location data
• Device contacts or address book data
• Camera, microphone, or photo library data
• Advertising identifiers (IDFA or equivalent)
• Analytics or behavioural tracking data (no analytics SDK is integrated)
• Crash or error reporting data (no crash reporting service is integrated)
• Push notification tokens (no push notifications are sent)

Regarding IP addresses: the App does not collect IP addresses at the application layer. However, our infrastructure providers (Supabase, RevenueCat, Apple) may log IP addresses at the server or network level as part of standard operations. Please refer to their respective privacy policies.

Important: this section reflects the App as currently built. If any new SDK, analytics integration, or data-collection feature is added, this section must be reviewed and updated before that version ships.

10. Your Rights

10.1 UK and EU/EEA Users (UK GDPR / EU GDPR)

• Right of access — to request a copy of the data we hold about you.
• Right to rectification — to request correction of inaccurate or incomplete data.
• Right to erasure — to request deletion of your data in certain circumstances.
• Right to restriction — to request restricted processing in certain circumstances.
• Right to data portability — to receive your data in a structured, machine-readable format where processing is based on contract or consent and carried out by automated means.
• Right to object — to object to processing based on legitimate interests.
• Right to withdraw consent — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

These rights are subject to exceptions. We will respond within one month, with possible extension in complex cases.

10.2 California Residents (CCPA/CPRA)

• Right to know — to request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third-party recipients.
• Right to delete — to request deletion, subject to certain exceptions.
• Right to correct — to request correction of inaccurate information.
• Right to opt out of sale or sharing — see clause 12.
• Right to limit use of sensitive personal information — to direct us to limit use to what is necessary for our services.
• Right to non-discrimination — we will not discriminate for exercising any CCPA/CPRA right.

We will respond within 45 days of receipt, subject to permitted extensions.

10.3 Canadian Residents (PIPEDA and Quebec Law 25)

• Right to access — to request access to personal information we hold and how it is used.
• Right to correction — to request correction of inaccurate information.
• Right to withdraw consent — subject to legal or contractual restrictions; withdrawal may affect our ability to provide the App.
• Quebec Law 25: Quebec residents have additional rights including data portability and de-indexation.

We will respond within 30 days.

10.4 Australian Residents (Privacy Act 1988)

• Right of access — to request access to personal information we hold.
• Right to correction — to request correction of inaccurate, out of date, or misleading information.
• Right to complain — to complain to the OAIC if you believe we have breached the Australian Privacy Principles.

We will respond within 30 days.

11. How to Exercise Your Rights and How to Complain

11.1 To exercise any right in clause 10, contact us at:

Please provide your registered email address. We may ask for additional verification and will not charge a fee unless a request is manifestly unfounded or excessive.

11.2 UK supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk | Phone: 0303 123 1113 | Address: Wycliffe House, Water Lane, Wilmslow, SK9 5AF

11.3 EU supervisory authorities: if you are in the EU/EEA, you may lodge a complaint with the data protection authority in your country of residence. A directory is available at edpb.europa.eu.

11.4 Australian supervisory authority: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au | Phone: 1300 363 992

11.5 Canadian supervisory authorities: Office of the Privacy Commissioner of Canada — priv.gc.ca. Quebec residents may also contact the Commission d'accès à l'information (CAI) — cai.quebec.ca.

11.6 California: California Privacy Protection Agency (CPPA) — cppa.ca.gov.

12. Do Not Sell or Share (CCPA)

We do not sell your personal information to third parties. We do not share your personal information with third parties for cross-context behavioural advertising purposes, as those terms are defined under the CCPA/CPRA. We share data only with the service providers identified in clause 5 for the purposes of operating and delivering the App.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you through the App or by email to your registered address. The date at the top of this Policy will always reflect when it was last updated.

Where applicable law requires a specific notice period before changes to data processing take effect, we will comply with those requirements.

14. Contact Information

For questions, concerns, or requests relating to this Privacy Policy or our data practices: