Privacy Policy

Last updated: February 26, 2026

1. Who We Are
Questo is operated by Questo Global S.R.L., a company registered in Romania. We are the "data controller", meaning we decide how and why your personal data is processed.

This privacy policy is issued by Questo Global S.R.L. ("Questo," "we," "us," or "our"), the data controller responsible for your personal data.

Company details:

  • Registered name: Questo Global S.R.L.
  • Address: 20 Stejarului Street, Cisnădie, Sibiu County, 555300, Romania
  • Trade Registry No.: J32/96/2017
  • Sole Registration No.: 36999501
  • Contact email: care@questoapp.com

This policy applies to all personal data collected through our website (questoapp.com), our mobile applications (iOS and Android), and any related services.

2. What Data We Collect
We collect information you give us (like your name and email when you sign up), information generated when you use the app (like your location during a quest), and technical information about your device. We never collect sensitive data like your political opinions, health information, or religious beliefs.

We collect the following categories of personal data:

Information you provide directly:

  • Account data: Name, email address, profile picture (when you sign up via email, Google, Facebook, or Apple)
  • Purchase data: Transaction details and purchase history (payment card details are handled entirely by our payment processors, Apple, Google Play, and Stripe, and are never stored on our servers)
  • Communication data: Messages you send us via support chat, email, or feedback forms
  • Creator data: If you create quests, we collect the content you submit (quest text, images, route data) and your creator profile information

Information collected automatically:

  • Device & technical data: IP address, device type and model, operating system and version, browser type, screen resolution, language settings, time zone
  • Usage data: How you interact with the app, quests viewed, quests started, quests completed, features used, time spent, buttons tapped
  • Location data: GPS location while you are actively playing a quest (only when you grant permission). We use this to guide you along the quest route. Location data is not collected when the app is in the background or closed.

Information from third parties:

  • Social login providers: If you sign in with Google, Facebook, or Apple, we receive your name, email address, and profile picture (as permitted by your settings on those platforms)
  • Payment processors: We receive confirmation of successful payments from Apple, Google Play, and Stripe, but not your full payment card details
  • Analytics providers: Aggregated and anonymized usage patterns to help us improve the product

Data we do NOT collect:

We do not collect sensitive personal data, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, sexual orientation, or criminal records.

3. How We Use Your Data
We use your data to run the app, process your purchases, guide you through quests, improve our product, and send you communications you've opted into. We don't sell your data to anyone.

We use your personal data for the following purposes:

PurposeData usedWhy
Providing our serviceAccount data, location data, usage dataTo let you play quests, track your progress, and deliver the core Questo experience
Processing purchasesAccount data, transaction dataTo process payments, issue receipts, and manage your quest library
Customer supportAccount data, communication data, usage dataTo respond to your questions, troubleshoot issues, and resolve complaints
Product improvementUsage data, technical data (anonymized)To understand how people use Questo and make it better, fix bugs, improve features, optimize performance
Marketing communicationsAccount data, marketing preferencesTo send you updates, quest recommendations, and promotional offers (only if you've opted in, you can unsubscribe at any time)
Safety & securityTechnical data, usage dataTo detect fraud, prevent abuse, and keep the platform safe
Legal complianceVarious, as requiredTo comply with legal obligations, respond to lawful requests, and protect our legal rights
Creator paymentsCreator account data, transaction dataTo calculate and process revenue share payments to quest creators

We do NOT:

  • Sell your personal data to third parties
  • Use your data for automated decision-making that produces legal effects
  • Profile you for purposes unrelated to improving your Questo experience
5. Who We Share Your Data With
We share data only when necessary, with payment processors to handle purchases, with analytics tools to improve the product, and with service providers who help us run Questo. We never sell your data.

We may share your personal data with the following categories of third parties:

Service providers:

  • Payment processors: Apple (App Store), Google (Play Store), Stripe, to process payments securely
  • Cloud hosting: To host and deliver the Questo platform
  • Email services: To send transactional emails (receipts, password resets) and, with your consent, marketing communications
  • Analytics providers: To understand product usage and improve performance (data is anonymized or aggregated where possible)
  • Customer support tools: To manage and respond to support requests

Authentication providers:

Google, Facebook, and Apple, when you choose to sign in with these services.

Professional advisors:

Accountants, legal counsel, and auditors, as needed for business operations.

Legal and regulatory:

Law enforcement or regulatory authorities, only when required by law or to protect our legal rights.

Business transfers:

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you of any such change.

We do NOT share data with:

  • Data brokers or advertisers for the purpose of selling your information
  • Any third party for their own independent marketing purposes without your explicit consent
6. Cookies & Tracking Technologies
We use cookies to make the website work, remember your preferences, and understand how people use Questo. You can control which cookies you accept.

What are cookies?

Cookies are small text files placed on your device when you visit our website. They help us recognize you, remember your preferences, and understand how you use our site.

Types of cookies we use:

Cookie typePurposeRequired?
Strictly necessaryMake the website function (login sessions, security, load balancing)Yes, the site won't work without them
FunctionalRemember your preferences (language, region, display settings)Optional
AnalyticsUnderstand how visitors use the site (page views, navigation paths, popular content), data is anonymizedOptional
MarketingDeliver relevant ads and measure campaign effectiveness (only with your consent)Optional

Third-party cookies:

Some cookies are set by third-party services we use, including:

  • Google Analytics, website usage analysis
  • Meta Pixel (Facebook), advertising measurement and optimization
  • Stripe, secure payment processing

Managing your cookies:

You can manage your cookie preferences at any time:

  • Through our cookie consent banner (displayed on your first visit)
  • Through your browser settings (each browser has its own cookie management options)
  • By contacting us at care@questoapp.com

Do Not Track:

We respect "Do Not Track" browser signals where technically feasible.

7. International Data Transfers
We're based in Romania (EU), but some of our service providers operate outside the EU. When data leaves the EU, we make sure it's protected by appropriate legal safeguards.

Questo Global S.R.L. is based in Romania, within the European Economic Area (EEA). Some of the third-party services we use (such as cloud hosting, analytics, and payment processors) may process data outside the EEA.

When personal data is transferred outside the EEA, we ensure it is protected by appropriate safeguards, including:

  • Adequacy decisions: Transfers to countries the European Commission has determined provide adequate data protection (e.g., the EU–U.S. Data Privacy Framework)
  • Standard Contractual Clauses (SCCs): EU-approved contractual terms that require the recipient to protect data to EU standards
  • Binding Corporate Rules: Where applicable, for transfers within corporate groups

You may request details of the specific safeguards applied to international transfers by contacting us at care@questoapp.com.

8. How Long We Keep Your Data
We keep your data as long as you have an active Questo account. When you delete your account, we delete your personal data, except where the law requires us to keep it (like tax records).

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Data typeRetention period
Account dataAs long as your account is active. Deleted within 30 days of account deletion request.
Purchase & transaction dataAs long as your account is active, plus any period required by tax and accounting law (typically up to 10 years).
Usage & analytics dataAnonymized and aggregated data may be retained indefinitely for product improvement. Identifiable usage data is deleted with your account.
Location dataNot stored persistently. Used in real-time during quest gameplay and discarded after the session ends.
Communication dataSupport conversations retained for up to 3 years after resolution for quality and training purposes, then deleted.
Marketing preferencesRetained until you unsubscribe or delete your account.

When you request account deletion, we will:

  1. Delete your personal data within 30 days
  2. Anonymize any data we are permitted to retain for analytics
  3. Retain only data required by law (e.g., tax records), stored securely and accessed only for compliance purposes
9. Your Rights
You have full control over your data. You can see what we have, correct it, delete it, or take it with you. These rights are free to exercise. Just email us.

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access, request a copy of the personal data we hold about you.
  • Right to rectification, request correction of any inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"), request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to restriction, request that we limit how we process your data in certain circumstances.
  • Right to data portability, request a copy of your data in a structured, commonly used, machine-readable format, and have it transferred to another controller.
  • Right to object, object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent, withdraw consent at any time for processing based on consent (location tracking, marketing emails, non-essential cookies).
  • Right to lodge a complaint, file a complaint with a supervisory authority. For Romania, this is ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal). Website: dataprotection.ro

How to exercise your rights:

Email us at care@questoapp.com with your request. We will respond within 30 days. If your request is complex, we may extend this by up to two additional months (we'll let you know).

Cost:

Exercising your rights is free. We may charge a reasonable fee for manifestly unfounded or excessive requests.

Verification:

We may ask you to verify your identity before processing your request, to protect your data from unauthorized access.

10. Children's Privacy
Questo is not designed for children under 16. We don't knowingly collect data from children. If we learn we have, we'll delete it immediately.

Questo's services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at care@questoapp.com. We will promptly delete any such data from our systems.

If you are an organization using Questo with minors (e.g., schools or youth groups), you are responsible for obtaining appropriate parental or guardian consent and should contact us to discuss data handling arrangements.

11. AI & Automated Processing
We use AI to improve quests and personalize recommendations, but we don't make any decisions about you using fully automated processes. A human is always in the loop for anything that matters.

Questo uses artificial intelligence and machine learning technologies in the following ways:

  • Quest recommendations: We may use algorithms to suggest quests based on your location, preferences, and past activity.
  • Content moderation: AI tools may assist in reviewing user-generated content (quests, reviews) for quality and policy compliance.
  • Quest creation assistance: AI tools may assist creators in developing quest content, such as generating draft narratives or suggesting puzzle types.
  • Product improvement: We analyze anonymized usage patterns to improve app features, navigation, and user experience.

What we do NOT do with AI:

  • We do not use fully automated decision-making that produces legal or similarly significant effects on you (as defined under GDPR Article 22).
  • We do not use AI to build behavioral profiles for sale to third parties.
  • We do not use facial recognition or biometric identification.
12. Data Security
We take security seriously. We use encryption, secure authentication, and access controls to protect your data. No system is 100% secure, but we work hard to keep your information safe.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: All data transmitted between your device and our servers is encrypted using SSL/TLS (HTTPS).
  • Authentication: We use secure authentication protocols (OAuth 2.0) for social logins and account access.
  • Data integrity: HMAC-based integrity verification to ensure data has not been tampered with.
  • Access controls: Server access is restricted via SSH private keys, limited to authorized personnel on a need-to-know basis.
  • Infrastructure security: Our hosting infrastructure is monitored and maintained with regular security updates and vulnerability assessments.

While we strive to protect your personal data, no method of transmission or storage is 100% secure. If you become aware of any security vulnerability or suspect unauthorized access to your account, please contact us immediately at care@questoapp.com.

13. Changes to This Policy
If we make significant changes to this policy, we'll let you know via email or in-app notification at least 30 days before the changes take effect.

We may update this privacy policy from time to time to reflect changes in our data practices, legal requirements, or business operations.

  • Minor changes (formatting, clarification of existing practices) may be made without advance notice.
  • Material changes (new data collection, new third-party sharing, changes to your rights) will be communicated at least 30 days before they take effect, via email notification and/or a prominent notice in the app.
  • The "Last updated" date at the top of this page will always reflect the most recent revision.

We encourage you to review this page periodically.

14. How to Contact Us
Questions about your data? Just email us. We're real people and we respond quickly.

If you have any questions, concerns, or requests regarding this privacy policy or how we handle your personal data, please contact us:

Questo Global S.R.L.

  • Email: care@questoapp.com
  • Address: 20 Stejarului Street, Cisnădie, Sibiu County, 555300, Romania
  • Trade Registry No.: J32/96/2017
  • Sole Registration No.: 36999501

We aim to respond to all inquiries within 48 hours.