Privacy Policy

Last updated: 12.07.2021


Questo is a mobile app for city exploration games. With Questo, users play some mission-like tours called quests through solving clues for discovering new places and stories. Each quest lasts on average 2 hours to play and can be explored both outdoors and indoors. Our mission is to transform every place into a game, by promoting local heritage, sharing unique stories and supporting local communities (the “Services”).

The protection of your privacy and personal data is one of our main concerns. This Privacy Policy will inform you as to how we look after your personal data, tell you about your privacy rights and how the law protects you when you visit our website at (the “Website”) and when you use our mobile application (the “App”). Together our site and application are known as our “Platforms”).

If you continue to use our platforms, you agree with our policy and terms of use.


In relation to the provision of our Services, Questo is the controller and responsible for the safety of your personal data (“Questo”, “we”, “us” or “our” in this Privacy Policy).

If you have any questions regarding this Privacy Policy, including any requests to exercise your legal rights set out below, please contact us by using the following details:

Questo Global S.R.L.
Registered address: 20 Stejarului Street, Cisnadie, Sibiu County, 555300 Romania. Trade Registry No.: J32/96/2017 Sole Registration No.: 36999501 E-mail:


Personal data, or personal information, means any information regarding an individual which can lead to his or her identification.

In order to provide the Services, we may collect, use, store and transfer different kinds of personal data about you, as follows:

Identity data includes first and last name and profile picture (when you log in with Facebook or Google accounts); Contact data includes email address and phone number; Financial data includes card numbers, bank account details and/or other billing details; please note that Financial data is not collected and/or stored by Questo but by our payment services providers whose own terms and conditions and privacy policy are applicable; you can access them at:

Transaction data includes details about payments from you and other details of Services you have purchased from us; Technical data includes internet protocol (IP) address, your login data, device type, browser type and version, time zone setting and location, browser plug-in types and versions , operating system and platform and other technology on the devices you use to access the Platforms; Profile data includes your unique username, actions or transactions made by you on the Platform, preferences, feedback, survey responses and other correspondence; Usage data includes information about how you use our Website, Platform and Services; Marketing and communications data includes your preferences in receiving marketing from us, and your communication preferences. We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide the Services to you). In this case, we may have to cancel the delivery of the Service but we will notify you if this is the case at the time.


We collect, use, transfer and store your personal data in accordance with the applicable laws and this Policy. Most frequently, we will use your personal data (i) where we need to perform the contract we are about to enter into or have entered into with you, (ii) where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests and (iii) where we need to comply with a legal or regulatory obligation.

Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to your location and in order to send you direct marketing communications to you via email. You have the right to withdraw consent with regard to the processing of location data and the processing of data for marketing purposes by accessing the Settings section of the Application .

Your data about your Primary User account will be uploaded directly at, and may be used for one ore more of the following purposes:

4.1. For specific purposes

If you send us your data for a specific purpose, we will use such data in order to achieve said purpose. For instance, if you send us an e-mail, we will use your contact data you provide us to answer your inquiry.

4.2. To register you as a new user

We will use your identity and contact details to perform the contract we are about to enter into or have entered into with you.

4.3. To provide the Services to you

We will use your data in order to perform the contract, for compliance with legal obligations and for fraud prevention purposes. For instance, your profile, technical and usage data will be used to provide the Services (e.g., to provide access to quest creators section of our Website, save your progress during quests, to select the winners of sponsored quests) and for customer support. Your identity data or username will be available to other users of the Application.

4.4. To manage our relationship with you

We will use your identity and contact data to notify you about changes to our Terms & Conditions, Privacy Policy or Services.

4.5. For internal business purposes

We may use your identity, contact, financial and technical data for running our business, provision of administration and IT services (e.g., troubleshooting, data analysis, support), network security (e.g., testing, system maintenance), to prevent fraud and in the context of a business reorganization or group restructuring exercise.

4.6. To deliver relevant website content and advertisements

We may use your identity, contact, profile, technical and usage data to understand how customers use our Services, to develop them and to inform our marketing strategy. Where it is in accordance with your marketing preferences, we may use your marketing and communications data to inform you with regard to services we believe might be of interest to you. See section “Opt-out from electronic communications" below on how to opt-out of Questo marketing communications.

4.7. Other purposes

To participate in our contests

We will use your identity and contact data, as well as any other information specifically requested by us depending on the situation, to enable your participation to the contests we may organize from time to time and to deliver to you the prize (if you are a winner). This processing is based on the performance of an agreement which you enter whenever you sign up for one of our contests.

4.8. Aggregated data

In an ongoing effort to understand and serve our users better, we often conduct research on our customer demographics, interests and behavior based on personal data and other information that we have collected. This research is typically conducted on an aggregate basis only that does not identify you. Once personal data is in an aggregated form, for purposes of this Policy, it becomes non-personal data.


We will not sell your data to third parties, including third-party advertisers. There are, however, certain circumstances in which we may disclose, transfer or share your Personal Data with certain third parties without further notice to you, as set forth below.

5.1. Business Transfers

As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, your data may be part of the transferred assets. You acknowledge and agree that any successor to or acquirer of Questo (or its assets) will continue to have the right to use your data and other information in accordance with the terms of this Policy.

5.2. Parent Companies, Subsidiaries and Affiliates We may also share your data with our parent companies, subsidiaries and/or affiliates for purposes consistent with this Privacy Policy. Our parent companies, subsidiaries and affiliates will be bound to maintain that personal data in accordance with this Policy.

5.3. Agents, Consultants and Service Providers We may share your data with our contractors and service providers who process data on behalf of Questo to perform certain business-related functions. When we authorize a third party to process your data, we remain fully responsible for the protection of the data. Third parties will only have access to information regarding you where necessary for providing their services. Third parties we may engage are:

accountants and legal counsels; marketing partners/service providers; location service providers; hosting service providers; email service providers; IT/support service providers; data aggregators e.g., user behavior analytics providers; payment service providers.

5.4. Fraud Prevention

We may check the details you provide with fraud prevention agencies and share your information with them if we suspect fraud. It is important that you don’t provide false, inaccurate information or impersonate another individual.

5.5. Facebook, Google or other third parties

You can log in to your Questo account using Facebook or Google. In this case, we may collect, store, use and transfer information regarding your account with these entities, in accordance with this Policy. For instance, if you log in using Facebook, we may store your user name, e-mail address, location and profile picture to provide you certain functionalities within the Platforms.

5.6. Legal Requirements

We may disclose your data if required to do so by law in order to (for example) respond to a subpoena or request from law enforcement, a court or a government agency (including in response to public authorities to meet national security or law enforcement requirements), or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect or defend our rights, interests or property or that of third parties, (iii) prevent or investigate possible wrongdoing in connection with the Services, (iv) act in urgent circumstances to protect the personal safety of users of the Services or the public, or (v) protect against legal liability.

5.7. International Transfers

Some of our external third-party suppliers are based outside the European Economic Area (“EEA”). Their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer your personal data out of the EEA, we endeavor to ensure one of the following safeguards is implemented:

we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries; where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe; where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the EEA and the US. For further details, see European Commission: EU-US Privacy Shield; where such data cannot be afforded one of the safeguards above, we shall only transfer such data outside the EEA where it is necessary for performing our contract with you or we have your fully informed, active, clear and specific consent. We shall take all steps necessary to ensure that your personal data is protected when we transfer it outside the EEA.


We may store personal data or such information may be stored by third parties to whom we have transferred it in accordance with this Policy. We have taken reasonable steps to protect the personal data collected via the Services from loss, misuse, unauthorized use, access, inadvertent disclosure, alteration and destruction. Among the security measures we have implemented there are: SSL standard for the encryption of data flow, OAUTH standard for user authentication, HMAC authentication against alteration of data, SSH private keys for limiting server access etc.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

However, please note that no network, server, database or Internet or e-mail transmission is ever fully secure or error-free. Therefore, you should take special care in deciding what information you send to us electronically. Please keep this in mind when disclosing any personal data.


We will retain your personal data as long as you are registered to use the Services.

You can stop using our Platforms and/or Services by clicking the “Delete Questo account” button in the “Settings” section of our Platform or by contacting us .

Deleting your user account involves automatically deleting your personal data (name, surname, email, picture, password, phone number), collections created, and followed pages.

If you decide to stop using our Services, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for , including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

We will ensure the secure deletion of your personal data as soon as the processing is no longer sustained by one of the legal grounds mentioned above.


8.1. Cookies

Please see our Cookie Policy for detailed information.

8.2. Opt-out from electronic communications

You can ask us or third parties to stop sending you marketing messages at any time by accessing the Settings section of the Application or by contacting us at . You can also unsubscribe from our marketing list by clicking on the "Unsubscribe " link at the bottom of any such electronic communication. Where you opt-out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a Service purchase, Service experience or other transactions.


9.1. Third party links

Our Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

9.2. Data regarding children

Our Website, Platform and Services are not designed or intended for use by children. If you are under the age of sixteen (16), please do not submit any personal data through the Services. If you have reason to believe that a child under the age of 16 has provided personal data to us through the Services, please contact us at and we will endeavor to delete that information from our databases.

9.3. Changes to this Privacy Policy

This Policy has been updated on November 19, 2018. The Services and our business may change from time to time. As a result, at times it may be necessary for us to make changes to this Privacy Policy. We reserve the right, in our sole discretion, to update or modify this Policy at any time (collectively, "Modifications"). Modifications to this Policy will be posted to the Website with a change to the "Updated" date at the top of this Policy. In certain circumstances Questo may, but need not, provide you with additional notice of such Modifications, such as via email or with in-Service notifications. Modifications will be effective thirty (30) days following the "Updated" date or such other date as communicated in any other notice to you.


In accordance with Regulation no. 2016/679, under certain circumstances, you have the following rights in relation to your personal data:

Access to information: You have the right to request a copy of the information Questo holds about you. Ensuring accuracy of information: Questo wants to make sure that your personal information is accurate and up-to-date. You may ask Questo to correct or complete information that is inaccurate or incomplete.
Right to erasure: You may have a right to erasure, which is more commonly known as the ‘right to be forgotten’. This means that in certain circumstances you can require Questo to delete personal information held about you. Ability to restrict processing: You may also have the right to require Questo to restrict Questo’s use of your personal information in certain circumstances. This may apply, for example, where you have notified Questo that the information Questo holds about you is incorrect and you would like Questo to stop using such information until Questo has verified that it is accurate. Right to data portability: You may have the right to receive personal data Questo holds about you in a format that enables you to transfer such information to another data controller (e.g. such as another service provider).
Preventing direct marketing: Questo does not sell your personal data. From time to time, Questo may send emails containing information about new features and other news about us. This is considered direct marketing. Questo will always inform you if Questo intends to use your personal data or if Questo intends to disclose your information to any third party for such purposes. Objecting to other uses of your information: You may also have the right to object to Questo’s use of your information in other circumstances. In particular, where you have consented to Questo’s use of your personal data, you have the right to withdraw such consent at any time. Review by an independent authority: You will always have the right to lodge a complaint with a supervisory body, including the National Supervisory Authority for Personal Data Processing (NSAPDP) at 28 – 30 Gheorghe Magheru Blvd., District 1, Bucharest (post code: 010336; phone no.: 0040 318.059.211).

No fee usually required You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you want to exercise any of the rights listed above, or if you would like further information on how you can exercise these rights, please email us at .