Privacy Policy

1. Who We Are

Daily Quest is the data controller responsible for your personal data.

Regulatory Compliance: Daily Quest processes personal data in compliance with the Data Privacy Act of 2012 (RA 10173) and its Implementing Rules and Regulations, as enforced by the National Privacy Commission of the Philippines.

2. Information We Collect

2.1 Personal Information (PII)

• Account Information: First name, last name, nickname, email address, phone number (optional)
• Contact Information: Address (street, city, region, postal code, country)
• Hub Owner Data: Hub name, hub contact details, team member information
• Authentication Data: OTP codes, session tokens (via Supabase Auth)

2.2 Transaction Data

• Order Information: Order numbers, product purchases, payment method, payment status
• Quest Progress: Quest enrollment, progress count, rewards claimed
• Reviews: Product ratings and review text
• Bookings: Service bookings, appointment times

2.3 Technical Data

• Usage Data: Pages visited, features used, activity logs
• Device Data: IP address, browser type, user agent, device identifiers
• Cookies: See our Cookie Policy

2.4 Consent Records

We track your consent preferences for cookies, analytics, and marketing, including when and how you granted or revoked consent.

3. Why We Process Your Information

We process your data based on the following reasons:

• Service Delivery: To provide our services (account creation, order processing, quest management)
• Business Operations: Fraud prevention, service improvement, security
• Your Consent: Marketing communications, analytics cookies, personalization (you can withdraw consent at any time)
• Legal Compliance: Tax compliance, financial audit requirements, and compliance with Philippine laws

4. How We Use Your Information

• Provide and maintain our platform services
• Process transactions and manage quest rewards
• Send transactional emails (order confirmations, quest updates)
• Communicate with you about your account
• Detect and prevent fraud, abuse, and security incidents
• Analyze platform usage and improve our services
• Send marketing communications (with your consent)
• Comply with legal obligations (tax, financial reporting)

5. Information Sharing

We share your information in the following circumstances:

5.1 With Businesses on Our Platform

When you make a purchase, enroll in a quest, or book a service, we share relevant information with the business to fulfill your request. The business owner acts as a separate data controller for this information.

Data shared with businesses:

• Your name and contact information (phone, email)
• Order details (products, quantities, delivery address)
• Quest enrollment and progress
• Booking information (appointment times, service details)

Joint Controller Obligations: When your data is shared with business owners through our platform, both Daily Quest and the business act as joint data controllers for that information under Section 20 of RA 10173. Daily Quest requires all businesses on the platform to comply with the Data Privacy Act and to handle your personal data only for the purposes for which it was shared. If you delete your Daily Quest account, your order history with businesses may be retained for their legal compliance (e.g., BIR financial records) but will be anonymized wherever legally permissible.

5.2 With Service Providers

• Supabase: Database and authentication (Data Processing Agreement in place)
• Vercel: Hosting and infrastructure (DPA in place)
• Email Service: Transactional and marketing emails (DPA in place)

All service providers are contractually bound to protect your data and process it only as instructed.

5.3 For Legal Reasons

We may disclose your information if required by law, court order, or to protect our rights, safety, or property.

5.4 We DO NOT Sell Your Data

We never sell, rent, or trade your personal information to third parties for their marketing purposes.

6. Where We Store Your Data

Cross-Border Data Transfer: Your data is stored on secure cloud servers located outside the Philippines. We use trusted international service providers:

• Supabase: Database and authentication (data centers in various regions)
• Vercel: Website hosting and infrastructure (global network)

While these services are located internationally, we ensure they maintain industry-standard security measures including:

• Encryption of data at rest and in transit (HTTPS/TLS, AES-256)
• Regular security audits and certifications (SOC 2 Type II, ISO 27001)
• Data Processing Agreements to protect your information
• Compliance with international data protection standards

7. Data Retention

We retain your personal data as follows:

• Active Accounts: As long as your account is active
• After Account Deletion: 90 days (soft delete period for recovery and compliance)
• Transaction Records: 10 years (BIR tax compliance under NIRC)
• Consent Records: 3 years after withdrawal (audit compliance)
• Marketing Data: Until you unsubscribe or withdraw consent

Right to Erasure vs. Legal Retention: Where transaction records must be retained for BIR compliance (10 years), we will anonymize your personal identifiers rather than retain them in identifiable form. This means your financial records are kept for audit purposes, but cannot be linked back to you personally after account deletion.

See our Data Retention Policy for full details.

8. Your Privacy Rights

Under the Data Privacy Act of 2012, you have the following rights:

8.1 Right to Access Your Information

Request a copy of all personal data we hold about you in a downloadable format (JSON). Processing time: Available immediately via self-service download.

8.2 Right to Correct Your Information

Update or correct inaccurate personal data. Edit your profile at /profile/edit.

8.3 Right to Delete Your Account

Request deletion of your account and all associated personal data. Processing time: Data is soft-deleted immediately and permanently removed after 90 days. During the 90-day period, you can contact us to restore your account if you change your mind. Note: Transaction records required for BIR compliance will be anonymized rather than deleted, and cannot be linked to your identity after account removal.

8.4 Right to Restrict Processing

Request that we temporarily freeze processing of your data while disputes are resolved.

8.5 Right to Data Portability

Download your data to transfer to another service.

8.6 Right to Object

Object to processing for direct marketing purposes or other legitimate business interests.

8.7 Right to Withdraw Consent

Withdraw consent for cookies, analytics, or marketing at any time.

8.8 Automated Decision-Making

We do not use automated decision-making or profiling that would significantly affect you without human oversight. Any automated systems (like quest progress tracking) are designed to enhance your experience, not make consequential decisions about you.

8.9 Right to File a Complaint

If you believe we have violated your privacy rights, you may:

• Contact us directly at support@dailyquest.co or +63 905 669 1964
• File a formal complaint with the National Privacy Commission (NPC)

9. Data Security

We implement industry-standard security measures:

• Encryption: Data encrypted in transit (HTTPS/TLS) and at rest
• Access Controls: Role-based access, Row Level Security (RLS) policies
• Authentication: Passwordless OTP code authentication with JWT tokens
• Security Headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
• Rate Limiting: API rate limits to prevent abuse
• Audit Logging: All access and modifications logged for security monitoring
• Regular Audits: Security reviews and vulnerability assessments

10. Cookies and Tracking

We use cookies for essential functionality, analytics, and personalization. You can manage your cookie preferences in our Cookie Policy or through the cookie banner.

11. Age Requirements

Our platform is intended for users 18 years and older. If you are between 13-17 years old, you may use our platform with verifiable parental or guardian consent.

We do not knowingly collect personal data from children under 13 years old. If you believe we have inadvertently collected information from a child under 13, please contact us immediately at support@dailyquest.co and we will delete it promptly.

12. Data Breach Notification

In the event of a data breach that poses a risk to your privacy, we will:

• Notify the National Privacy Commission within 72 hours of becoming aware of the breach
• Notify affected users within 5 business days of confirming the breach affects your data
• Provide details about the breach, affected data, and steps you can take to protect yourself
• Send notifications via email and display alerts in your account dashboard

For urgent security issues (account compromise, suspicious activity), contact us immediately:

• Email: support@dailyquest.co
• Phone: +63 905 669 1964

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last updated" date at the top
• Sending email notifications for material changes (if you've opted in)

Your continued use of the platform after the effective date constitutes acceptance of the updated policy. If you do not agree with material changes, you may close your account before they take effect by contacting support@dailyquest.co.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights: