Privacy Policy | Daily Quest

Daily Quest ("we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

1. Data Controller

Daily Quest is the data controller responsible for your personal data.

Data Protection Officer (DPO):

Email: privacy@dailyquest.com

Address: Daily Quest, Inc., [Your Business Address]

2. Information We Collect

2.1 Personal Information (PII)

Account Information: First name, last name, nickname, email address, phone number (optional)
Contact Information: Address (street, city, region, postal code, country)
Business Owner Data: Business name, business contact details, team member information
Authentication Data: Magic link tokens, session tokens (via Supabase Auth)

2.2 Transaction Data

Order Information: Order numbers, product purchases, payment status (we do NOT store card numbers)
Quest Progress: Quest enrollment, progress count, rewards claimed
Reviews: Product ratings and review text
Bookings: Service bookings, appointment times

2.3 Technical Data

Usage Data: Pages visited, features used, activity logs
Device Data: IP address, browser type, user agent, device identifiers
Cookies: See our Cookie Policy

2.4 Consent Records

We track your consent preferences for cookies, analytics, and marketing, including when and how you granted or revoked consent.

3. Legal Basis for Processing (GDPR)

We process your data based on the following legal grounds:

Contract Performance: To provide our services (account creation, order processing, quest management)
Legitimate Interests: Fraud prevention, service improvement, security
Consent: Marketing communications, analytics cookies, personalization (you can withdraw consent at any time)
Legal Obligation: Tax compliance, financial audit requirements

4. How We Use Your Information

Provide and maintain our platform services
Process transactions and manage quest rewards
Send transactional emails (order confirmations, quest updates)
Communicate with you about your account
Detect and prevent fraud, abuse, and security incidents
Analyze platform usage and improve our services
Send marketing communications (with your consent)
Comply with legal obligations (tax, financial reporting)

5. Information Sharing

We share your information in the following circumstances:

5.1 With Businesses on Our Platform

When you make a purchase, enroll in a quest, or book a service, we share relevant information (name, order details) with the business to fulfill your request.

5.2 With Service Providers

Supabase: Database and authentication (Data Processing Agreement in place)
Vercel: Hosting and infrastructure (DPA in place)
Email Service: Transactional and marketing emails (DPA in place)

All service providers are contractually bound to protect your data and process it only as instructed.

5.3 For Legal Reasons

We may disclose your information if required by law, court order, or to protect our rights, safety, or property.

5.4 We DO NOT Sell Your Data

We never sell, rent, or trade your personal information to third parties for their marketing purposes.

6. International Data Transfers

Your data may be processed in countries outside your residence (e.g., cloud servers in the United States). We ensure adequate safeguards through:

Data Processing Agreements with service providers
Standard Contractual Clauses (SCCs) approved by the European Commission
Certifications such as EU-U.S. Data Privacy Framework (where applicable)

7. Data Retention

We retain your personal data as follows:

Active Accounts: As long as your account is active
After Account Deletion: 90 days (soft delete period for recovery and compliance)
Transaction Records: 7 years (financial audit and tax compliance)
Consent Records: 3 years after withdrawal (GDPR compliance)
Marketing Data: Until you unsubscribe or withdraw consent

See our Data Retention Policy for full details.

8. Your Privacy Rights

You have the following rights under GDPR and CCPA:

Manage Your Privacy Settings

Exercise your rights from your account settings:

Go to Privacy Settings

8.1 Right to Access (GDPR Art. 15)

Request a copy of all personal data we hold about you in a machine-readable format (JSON).

8.2 Right to Rectification (GDPR Art. 16)

Update or correct inaccurate personal data. Edit your profile at /profile/edit.

8.3 Right to Erasure / Right to be Forgotten (GDPR Art. 17)

Request deletion of your account and all associated personal data. Data is soft-deleted immediately and permanently removed after 90 days.

8.4 Right to Restriction (GDPR Art. 18)

Request that we temporarily freeze processing of your data while disputes are resolved.

8.5 Right to Data Portability (GDPR Art. 20)

Download your data in JSON format to transfer to another service.

8.6 Right to Object (GDPR Art. 21)

Object to processing based on legitimate interests or for direct marketing purposes.

8.7 Right to Withdraw Consent

Withdraw consent for cookies, analytics, or marketing at any time without affecting previously lawful processing.

8.8 Right to Lodge a Complaint

If you believe we have violated your privacy rights, you may file a complaint with your local data protection authority (EU: EDPB Members).

9. Data Security

We implement industry-standard security measures:

Encryption: Data encrypted in transit (HTTPS/TLS) and at rest
Access Controls: Role-based access, Row Level Security (RLS) policies
Authentication: Passwordless magic link authentication with JWT tokens
Security Headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
Rate Limiting: API rate limits to prevent abuse
Audit Logging: All access and modifications logged for security monitoring
Regular Audits: Security reviews and vulnerability assessments

10. Cookies and Tracking

We use cookies for essential functionality, analytics, and personalization. You can manage your cookie preferences in our Cookie Policy or through the cookie banner.

11. Children's Privacy

Our platform is not intended for children under 13 years old. We do not knowingly collect personal data from children. If you believe we have inadvertently collected information from a child, please contact us immediately.

12. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours (GDPR Art. 33)
Notify affected users without undue delay if the breach poses a high risk (GDPR Art. 34)
Provide details about the breach, affected data, and mitigation steps

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

Posting the new Privacy Policy on this page
Updating the "Last updated" date at the top
Sending email notifications for material changes (if you've opted in)

Your continued use of the platform after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights:

Data Protection Officer:

Email: privacy@dailyquest.com

Support: Contact Support

Response Time: Within 30 days (GDPR requirement)

Related Policies

→ Cookie Policy → Data Retention Policy → Terms of Service → Privacy Settings