Questify

Privacy Policy

Effective date: 2026-06-05 · Last updated: 2026-06-05 · Version 2.0

This Privacy Policy describes how Questify (“we”, “us”, “our”) collects, uses, shares, and protects information when you use the Questify mobile application (the “App”). We've written it to be readable. Where law requires technical legal terms, we use them; where it doesn't, we use plain English.

If you have questions, email rtrivv@gmail.com.


1. Who we are

Questify is a hyperlocal marketplace where people post real-world quests (tasks, favors, errands) and others nearby accept and complete them. The App is operated by Vladimir Rakočević, a sole operator based in Montenegro (contact details in §14). Questify is not (yet) incorporated as a separate legal entity; the operator is the responsible data controller.

We act as the data controller for the personal information you provide while using the App.

2. What we collect, and why

We collect the minimum information needed to make the App work. Categories below, grouped by purpose.

2.1 Account and profile data

DataSourceWhy
Email addressYou (signup) or Apple/Google SSOAuthentication, account recovery, important notices
Display name (handle)YouPublic identifier so others can recognize you
Avatar imageYou (uploaded) or built-in selectionPublic identifier
Apple / Google user identifierApple / Google during SSOSign-in mechanism
Push notification token (FCM)Your deviceSending you notifications about quests and messages
Account creation date, last sign-inAutomaticAccount management, fraud prevention
Date of birth (month and year)You (age screen at sign-up)Confirming you meet our 18+ age requirement; evidencing the age check

2.2 Quest activity

DataWhy
Quests you post (title, description, category, photos, location)Operating the marketplace
Quests you accept, complete, or cancelOperating the marketplace, reputation
Chat messages and attachments inside quest chatsCommunication between participants
Coin balance and transaction history (rewards, transfers, gifts)Operating the in-app economy
Ratings you give and receiveReputation system
Reports and disputes you file or are involved inSafety, moderation

2.3 Location

We process location data only when you choose to share it: when posting a quest with a location, when filtering quests by distance on the map, or when proving completion with a location proof. We never track your location passively or in the background.

2.4 Identity verification (optional)

Identity verification is entirely optional and is not required to use the core marketplace. If you choose to verify, the check is carried out by an independent third-party identity-verification provider. The provider inspects a government-issued identity document and a live selfie on its own systems and returns to us only the outcome (verified / not verified) plus minimal confirmation data — such as a verification reference and confirmation that you are over 18.

We do not receive or store your identity document, your selfie, or any biometric template. Those are held and processed by the provider, under its own privacy terms, on infrastructure located in the EU. Identity/biometric data is special category data under Article 9 GDPR and is processed only with your explicit consent, given to the provider when you start the flow. You can decline verification with no loss of core functionality.

2.5 Device and technical data

DataSourceWhy
Device model and operating system versionYour deviceCompatibility, debugging
App versionYour deviceCompatibility, debugging
Crash reports (anonymized stack traces, device class)Firebase CrashlyticsDiagnosing and fixing crashes
IP address (transient)Your networkRequired for any internet connection; not stored

We do not collect: contacts, photos outside of those you explicitly upload, microphone audio, calendar events, browsing history outside the App, advertising identifiers, biometric data (any biometric check during optional identity verification is performed by the third-party provider and never reaches us — see §2.4), or your device's other apps.

We do not use cookies (this is a native mobile app, not a website).

3. Legal basis for processing (GDPR)

We process your data on these legal bases:

ActivityLegal basis
Running your account, completing quests you initiatedContract — necessary to provide the service you signed up for
Confirming you are 18+ (date of birth at the age screen)Legitimate interest / legal obligation — preventing minors from using an adults-only service
Sending essential service notificationsContract
Optional identity verificationExplicit consent (Art. 9 GDPR) — you opt in; the verification provider acts as a separate controller for the document and biometric check, and we receive only the result
Reputation system (ratings, trust score, cancellation flags)Legitimate interest — required for marketplace safety; balanced against your interests
Crash diagnosticsLegitimate interest — required to keep the App working
Optional marketing or promotional notificationsConsent — you opt in, and can withdraw at any time in Settings
Compliance with legal obligations (e.g. responding to court orders)Legal obligation

You can withdraw consent for any consent-based processing at any time. Withdrawal doesn't affect processing already done in reliance on your consent.

4. Who we share data with

We do not sell your personal data. Ever.

We share specific data with specific service providers acting as data processors on our behalf:

ProviderWhat they receivePurposeWhere they process it
Supabase (Supabase Inc., USA)Account data, quest data, messages, ratings, transactions — basically everythingBackend hosting, database, authentication, file storageOur Supabase project is hosted in the EU (Frankfurt, eu-central-1)
Firebase (Google LLC, USA)Push notification tokens, anonymized crash diagnosticsPush notification delivery, crash reportingUSA
AppleApple SSO identifierSign in with AppleUSA
GoogleGoogle SSO identifierSign in with GoogleUSA
Identity-verification provider (only if you use optional verification)Your ID document + selfie are processed on the provider's systems; we receive only the pass/fail resultOptional identity verificationEU data residency

If and when we enable optional identity verification, we will name the specific verification provider in this Policy, and ensure it offers EU data residency and a signed data-processing agreement, before the feature goes live.

We also share data with other Questify users only as required by the marketplace function:

We may disclose data in response to lawful requests by public authorities, court orders, or legal process — and only after we've verified the request is valid.

5. International data transfers

Some of our processors (Firebase, Apple, Google) are based in the United States. When data is transferred outside your country, we rely on standard contractual clauses and the providers' own data-protection commitments to ensure protection equivalent to what applies in the EU.

Our primary database (Supabase) is hosted in Frankfurt, Germany. Most of your data never leaves the EU.

6. How long we keep your data

Data categoryRetention
Account profileWhile your account is active. On deletion, we immediately erase or irreversibly de-identify your profile — your email, name, phone and avatar are removed or scrubbed and your login is permanently severed — so the account can no longer identify you. Any residual backup copies roll off within 30 days.
Quest content (posts, completions, ratings)Active while your account is active. On deletion, content that is yours alone is removed or de-identified; where a Quest involved another user, a de-identified record (your name and avatar shown as “Deleted User”) may be retained so the other party keeps a complete record of their own activity.
Chat messages365 days from the message timestamp, or until the account is deleted, whichever is sooner.
Coin transactions7 years (accounting and dispute-resolution requirement).
Identity verificationWe do not store your identity document or biometric — only the result (verified / not, plus a reference), kept while your account is active. The third-party provider keeps its own records under its policy; you can ask us or the provider to delete the verification record.
Crash diagnostics (Crashlytics)90 days per Firebase default.
Disputes and reportsWhile the account exists + 2 years post-deletion (legal records).
Auth logs (sign-in attempts)90 days.
Date of birth (age check)Month and year retained while your account is active, to evidence the 18+ check; removed on account deletion.

7. Your rights

You have these rights regarding your personal data:

To exercise any of these rights, email rtrivv@gmail.com with the email address tied to your account. We respond within 30 days. We may ask for additional verification before acting on requests involving sensitive data (e.g. ID verification documents).

You can delete your account directly from the App: Profile → Settings → Delete Account. Account deletion is irreversible.

8. Age requirement (18+)

Questify is an adults-only service. It is not directed to anyone under 18, and we do not knowingly collect personal data from anyone under 18. We apply a neutral age screen at sign-up and store only your month and year of birth to evidence the check. If we discover that an account belongs to someone under 18, we block it and delete the associated personal data.

If you believe someone under 18 is using Questify or has provided us data, email rtrivv@gmail.com and we'll act promptly.

9. Security

We take reasonable technical and organizational measures to protect your data:

No system is perfectly secure. If a data breach occurs that materially affects your rights, we'll notify you and the relevant authority within 72 hours of discovery, per applicable law.

10. Marketing and analytics

We do not currently run marketing campaigns through third-party advertising networks. We do not track you across other apps or websites.

If we add marketing notifications later, they'll require opt-in consent and you can disable them at any time in Settings.

We use Firebase Crashlytics for crash diagnostics only — never for advertising or behavioral tracking.

11. Cookies and similar technologies

The Questify mobile app does not use browser cookies. We use device storage to:

You can clear this data at any time by uninstalling the App or signing out.

12. Automated decision-making

We don't use automated decision-making or profiling that produces legal effects on you. Specifically:

13. Changes to this Policy

When we make material changes to this Policy, we'll:

  1. Update the “Last updated” date at the top.
  2. Notify you in the App at next launch.
  3. For significant changes (new categories of data collected, new processors, new purposes), require you to acknowledge the update before continuing to use the App.

Minor clarifications (typo fixes, wording improvements) don't trigger notifications.

14. Contact

For any privacy question, request, complaint, or general inquiry:

Email: rtrivv@gmail.com
Operator: Vladimir Rakočević, Montenegro (full postal address available on request; to be added before public launch)

We aim to respond within 5 business days; statutory rights requests are handled within 30 days.


This document is the canonical Privacy Policy for Questify. It is shipped inside the app and also available at this URL, which is declared in Settings → Legal → Privacy Policy.


Website and waitlist (usequestify.com)

This section covers the website at usequestify.com itself. It is a website-specific addendum and is not part of the canonical in-app Policy above.

The Policy above covers the Questify mobile App. The website also processes a small amount of data:

Your rights under §7 apply equally to waitlist data.