TicQuest Privacy Policy

Effective date: 2026-06-09 Version: 1.0

TicQuest is operated by Velynq, Inc., a Delaware corporation ("Velynq", "we", "us", "our"). This Privacy Policy explains what personal data we collect through the TicQuest mobile and web application ("TicQuest" or the "App"), how we use it, with whom we share it, how long we keep it, and the rights you and your child have.

TicQuest is a children's routine and chore-reward tool for families. Only a parent or legal guardian creates and manages an account; children use the App under their parent's or guardian's supervision and never create an account or sign in. If you are a parent or guardian, please read Section 5 (Children's Privacy) carefully — it explains how we obtain your consent and how you can review, export, or delete your child's information at any time.


1. Summary


2. Data We Collect

2.1 Parent / Account-Holder Data

2.2 Child Data (deliberately minimal)

2.3 Parent-Authored Free Text

You may create routine titles, task names, and reward labels. These are stored as-is; we neither require nor parse them for personal information. Please avoid entering sensitive data in these fields (see Section 6 of the Terms of Service).


3. What We Deliberately Do NOT Collect

These are design decisions, not omissions:

Category Status
Child age or date of birth Not collected.
Child photographs or uploaded images Not collected. Avatars are preset illustration keys only.
Precise location or GPS Not collected. No location permission is requested.
Third-party analytics / advertising / tracking SDKs Not present. No Sentry, PostHog, Firebase Analytics, Mixpanel, Amplitude, ad networks, or equivalent.
Payment-card or bank-account data Not collected. All payments are handled by the App Store / Google Play.
Child email, phone, or postal address Not collected. Children never authenticate.
Behavioral advertising profiles Never created. We have no advertising partners.

4. How We Use Data and Our Legal Bases

4.1 Purposes

Purpose Data used
Running and personalizing the App (routines, progress, stars, certificates) Child first name, behavioral/gameplay data
Account creation, authentication, security Parent email, OAuth identity
Account-verification and password-reset emails Parent email
Recording and honoring parental consent Consent record
Managing your subscription Subscription / billing metadata
Pairing a child's device Device-pairing data
Responding to support and legal requests Relevant account data

We do not use any data for advertising, profiling, or cross-app tracking, and we do not use analytics SDKs.

4.2 Legal Bases (GDPR Article 6 / Article 8)

For users in the European Economic Area (EEA), UK, or Switzerland:


5. Children's Privacy (COPPA + GDPR-K)

TicQuest is designed around children's privacy and the U.S. Children's Online Privacy Protection Act (COPPA, 16 C.F.R. Part 312, including the FTC's 2025 amendments), GDPR Article 8, and equivalent laws.

Parent-controlled accounts. Only a parent or legal guardian creates and manages a TicQuest account. Children never register, never sign in with credentials, and are identified to us only by the first name you enter and the in-app activity described above.

Verifiable parental consent (how we obtain it). Children's data is collected only after a parent or guardian consents. We:

  1. give you a direct notice of exactly what we collect from your child — a first name, in-app activity, a device time zone (for local-time dates), and a device-pairing token — that it is used only to operate the App for your family and is never disclosed to third parties for their own purposes, and that you can revoke consent at any time;
  2. require you to create and verify a parent account — we verify your email through a confirmation link, or you sign in through Apple, Google, or Facebook — so the person consenting holds a real, verified adult account; and
  3. capture your explicit parental consent: you confirm you are the child's parent or legal guardian and consent to TicQuest collecting their first name and activity — both when you accept this Policy at sign-up and again when you add a child.

Because TicQuest collects only a first name plus in-app activity, uses it solely to run the App, shows no advertising, and never discloses it to third parties for their own purposes, this method is reasonably designed to confirm that the person consenting is the child's parent or guardian, consistent with COPPA's verifiable-parental-consent standard (16 C.F.R. § 312.5). You can withdraw consent at any time by deleting the child's profile or your account (Section 9), or by emailing privacy@velynq.co.

We make no other use of your child's data. We use it only to operate the App's features for your family — showing routines, awarding stars, and tracking progress. We do not analyze it for any other purpose, build advertising or behavioral profiles, train AI models, advertise, sell, or share it — ever. Our cloud service providers (Section 6) process child data only to run the App on our behalf, under written data-processing agreements, and may not use it for their own purposes.

No advertising or profiling of children. TicQuest shows no ads, builds no advertising or behavioral profiles, and shares no child data with ad networks or data brokers.

Your parental rights. At any time you may review, export, or delete your child's data, and revoke consent — directly in the App (Settings → "Export my family data" / "Delete account") or by contacting privacy@velynq.co. We respond to verifiable parental requests within 30 days.


6. Sharing and Sub-Processors

We do not sell personal information, do not "share" it for cross-context behavioral advertising, and do not disclose it to advertising networks, data brokers, or any third party for their own purposes. We use the following service providers ("sub-processors"), each acting only on our instructions under a written data-processing agreement and only to support the App's internal operations:

Sub-processor Role Data it processes
Supabase Backend: database, authentication, edge functions, hosting Account, family, and child data in Section 2; account-verification / password-reset emails; platform request logs (including IP at the infrastructure layer, which we do not store in App data tables)
PowerSync Offline sync: mirrors a subset of family/child data to the device for offline use The synced tables incl. child behavioral data (routine history, stars, streaks, completions, certificates, alarms, device links)
Apple App Store / Google Play App distribution and payment processing (native launch) Payment/card data (never reaches us); subscription receipts
RevenueCat Subscription-state management (planned for native launch; not yet integrated) Subscription status and an external subscription identifier
Expo / EAS App build and over-the-air update delivery App binaries/updates (not user personal data)

Account-related emails (verification, password reset) are sent through our authentication provider, Supabase. We do not currently use any advertising, analytics, attribution, or crash-reporting processor. We will update this section before adding any new sub-processor (for example, a push-notification provider at native launch).


7. International Transfers

Our primary backend (Supabase) hosts data in the European Union (Ireland). Our offline-sync provider (PowerSync) is configured to process data in the European Union. Apple, Google, and RevenueCat (subscription/payment at native launch) may process limited subscription metadata in the United States.

If you are in the EEA, UK, or Switzerland and your data is transferred to a country outside those regions (for example, to a U.S. provider for subscription processing), we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the providers' data-processing agreements.


8. Data Retention Policy

We keep children's personal information only as long as is reasonably necessary to fulfill the purpose for which it was collected, and we do not retain it indefinitely. Our retention schedule:

Data Purpose Retention
Routine completion logs (routine_history) Show recent day-by-day history to the parent 7-day rolling — automatically deleted daily by a scheduled job
Monthly progress summaries Parent progress dashboard (current-period view) Kept while the account is active; deleted when the child or account is deleted
Yearly progress summaries (aggregate counts only) Show your child's progress over time Kept while the account is active to display long-term progress; deleted when the child or account is deleted
Child profile, routines, tasks, rewards, streaks, certificates Operate the App for your family Kept while the account is active; deleted when the child or account is deleted
Parental-consent record Demonstrate COPPA/GDPR-K compliance Kept while the account is active; deleted on account deletion
Device-pairing records Link a child's device Pairing codes expire automatically; link records persist until you unpair or delete the account
Subscription / billing metadata Manage your subscription and resolve disputes Kept while the account is active; deleted on account deletion

Account and data deletion. You can delete your account at any time in the App (Settings → "Delete account"). This immediately deletes your account and all associated data — family record, every child profile, all activity data, routines, tasks, rewards, and subscription records — by a cascading database deletion. Deletion is immediate and cannot be undone from within the App. We may retain limited billing and transaction records in de-identified form (with your family identifier removed, so they no longer identify you) where required for financial record-keeping, fraud prevention, or legal compliance. Separately, copies cached offline on your device(s) are cleared when you sign out or delete the account, and routine infrastructure backups held by our hosting provider are overwritten on that provider's standard backup cycle (typically within about 30 days) and are not used to restore deleted accounts.


9. Your Rights

9.1 All Users

9.2 EEA / UK Users (GDPR)

You also have the right to restrict or object to processing, and to lodge a complaint with your local data-protection supervisory authority (e.g., the UK ICO or your EEA authority). We ask that you contact us first so we can help.

9.3 California Users (CCPA / CPRA)

We do not sell personal information and do not "share" it for cross-context behavioral advertising. You have the right to know what we collect (Section 2), access a copy (in-app export), delete it (in-app "Delete account"), and not be discriminated against for exercising these rights. To exercise them, use the in-app tools or contact privacy@velynq.co.


10. Security

We maintain reasonable administrative, technical, and organizational measures to protect personal data, including:

No method of transmission or storage is perfectly secure. To report a security concern, contact privacy@velynq.co.


11. Changes to This Policy

We may update this Policy when the App changes (for example, at native launch when subscription and push-notification providers are added). We will revise the effective date above and, for material changes, provide an in-app notice or email. Continued use after the effective date constitutes acceptance.


12. Contact

Velynq, Inc. 221 W 9th Street, PMB 858, Wilmington, DE 19801, United States Privacy / data requests: privacy@velynq.co General support: support@velynq.co

A Data Protection Officer is not required for our processing (we do not carry out large-scale monitoring of individuals or process special categories of data); for any data-protection question, contact privacy@velynq.co.


This Privacy Policy is maintained by Velynq, Inc. and applies to the TicQuest app and the services that power it.