TicQuest Privacy Policy
Effective date: 2026-06-09 Version: 1.0
TicQuest is operated by Velynq, Inc., a Delaware corporation ("Velynq", "we", "us", "our"). This Privacy Policy explains what personal data we collect through the TicQuest mobile and web application ("TicQuest" or the "App"), how we use it, with whom we share it, how long we keep it, and the rights you and your child have.
TicQuest is a children's routine and chore-reward tool for families. Only a parent or legal guardian creates and manages an account; children use the App under their parent's or guardian's supervision and never create an account or sign in. If you are a parent or guardian, please read Section 5 (Children's Privacy) carefully — it explains how we obtain your consent and how you can review, export, or delete your child's information at any time.
1. Summary
- We collect the minimum data needed to run the App. From your child we collect only a first name (that you type), their in-app activity (stars, streaks, completed tasks, certificates), and a device-pairing token if you link a second device.
- We collect a parent email address (or an OAuth sign-in identity) to create and secure your account.
- We show no advertising, use no third-party analytics, attribution, or tracking SDKs, and never sell or share personal information.
- We obtain verifiable parental consent before collecting a child's personal information (Section 5).
- You can export or delete all of your family's data at any time from within the App.
2. Data We Collect
2.1 Parent / Account-Holder Data
- Email address — collected at sign-up (email-and-password flow), used for account creation, verification, security, and password reset. Stored by our authentication provider (Supabase).
- OAuth identity — if you sign in with Apple, Google, or Facebook, we receive a verified identity token and basic profile (e.g., a display name) from that provider. We never receive your password.
- Parental-consent record — the consent tier and the timestamp when you gave consent, stored on your family record as our COPPA consent record (Section 5).
- Subscription / billing metadata — if you subscribe, we store subscription status, plan interval, period dates, and an external subscription identifier from the App Store, Google Play, or our subscription-management provider. We do not receive or store your payment-card number or any other financial-instrument details (Section 3).
- App settings — notification preferences, audio/haptic settings, and display options you configure.
- Device-pairing data — if you pair a child's device, a time-limited 6-digit pairing code, a device token (UUID), and the times the device was linked / last seen. Used solely to link a second device to your family.
2.2 Child Data (deliberately minimal)
- First name — a single first name or nickname you type when adding a child. No surname is requested or required.
- Behavioral / gameplay data — routine and task completion logs (per-task on-time status, stars earned, timestamps), star counts, streaks and active-day counters, certificates earned, optional alarm settings, monthly/yearly progress summaries, quest-completion and rest-day records, and reward unlocks.
- Avatar — a preset illustration key (e.g.,
avatar-boy1) you choose from our built-in library. Never a photograph or uploaded image. - Time zone — your device's time zone (e.g., "America/New_York"), used only to calculate streak and activity dates in your child's local time. This is a coarse regional setting, not precise location, and we request no location permission.
2.3 Parent-Authored Free Text
You may create routine titles, task names, and reward labels. These are stored as-is; we neither require nor parse them for personal information. Please avoid entering sensitive data in these fields (see Section 6 of the Terms of Service).
3. What We Deliberately Do NOT Collect
These are design decisions, not omissions:
| Category | Status |
|---|---|
| Child age or date of birth | Not collected. |
| Child photographs or uploaded images | Not collected. Avatars are preset illustration keys only. |
| Precise location or GPS | Not collected. No location permission is requested. |
| Third-party analytics / advertising / tracking SDKs | Not present. No Sentry, PostHog, Firebase Analytics, Mixpanel, Amplitude, ad networks, or equivalent. |
| Payment-card or bank-account data | Not collected. All payments are handled by the App Store / Google Play. |
| Child email, phone, or postal address | Not collected. Children never authenticate. |
| Behavioral advertising profiles | Never created. We have no advertising partners. |
4. How We Use Data and Our Legal Bases
4.1 Purposes
| Purpose | Data used |
|---|---|
| Running and personalizing the App (routines, progress, stars, certificates) | Child first name, behavioral/gameplay data |
| Account creation, authentication, security | Parent email, OAuth identity |
| Account-verification and password-reset emails | Parent email |
| Recording and honoring parental consent | Consent record |
| Managing your subscription | Subscription / billing metadata |
| Pairing a child's device | Device-pairing data |
| Responding to support and legal requests | Relevant account data |
We do not use any data for advertising, profiling, or cross-app tracking, and we do not use analytics SDKs.
4.2 Legal Bases (GDPR Article 6 / Article 8)
For users in the European Economic Area (EEA), UK, or Switzerland:
- Contract (Art. 6(1)(b)) — processing necessary to provide the App: your account, routines, and subscription.
- Legitimate interests (Art. 6(1)(f)) — keeping progress/streak data to power the App's features, and billing-event metadata for dispute resolution; limited to the minimum needed and balanced against your interests.
- Legal obligation (Art. 6(1)(c)) — retaining consent records to demonstrate COPPA / GDPR-K compliance.
- Consent (Art. 6(1)(a) / Art. 8) — for a child's personal data we rely on the verifiable parental consent you provide (Section 5). Under GDPR Art. 8 the default age requiring parental authorization is 16 (EU member states may set it as low as 13; the UK sets it at 13); as the holder of parental responsibility you authorize the processing of your child's data.
5. Children's Privacy (COPPA + GDPR-K)
TicQuest is designed around children's privacy and the U.S. Children's Online Privacy Protection Act (COPPA, 16 C.F.R. Part 312, including the FTC's 2025 amendments), GDPR Article 8, and equivalent laws.
Parent-controlled accounts. Only a parent or legal guardian creates and manages a TicQuest account. Children never register, never sign in with credentials, and are identified to us only by the first name you enter and the in-app activity described above.
Verifiable parental consent (how we obtain it). Children's data is collected only after a parent or guardian consents. We:
- give you a direct notice of exactly what we collect from your child — a first name, in-app activity, a device time zone (for local-time dates), and a device-pairing token — that it is used only to operate the App for your family and is never disclosed to third parties for their own purposes, and that you can revoke consent at any time;
- require you to create and verify a parent account — we verify your email through a confirmation link, or you sign in through Apple, Google, or Facebook — so the person consenting holds a real, verified adult account; and
- capture your explicit parental consent: you confirm you are the child's parent or legal guardian and consent to TicQuest collecting their first name and activity — both when you accept this Policy at sign-up and again when you add a child.
Because TicQuest collects only a first name plus in-app activity, uses it solely to run the App, shows no advertising, and never discloses it to third parties for their own purposes, this method is reasonably designed to confirm that the person consenting is the child's parent or guardian, consistent with COPPA's verifiable-parental-consent standard (16 C.F.R. § 312.5). You can withdraw consent at any time by deleting the child's profile or your account (Section 9), or by emailing privacy@velynq.co.
We make no other use of your child's data. We use it only to operate the App's features for your family — showing routines, awarding stars, and tracking progress. We do not analyze it for any other purpose, build advertising or behavioral profiles, train AI models, advertise, sell, or share it — ever. Our cloud service providers (Section 6) process child data only to run the App on our behalf, under written data-processing agreements, and may not use it for their own purposes.
No advertising or profiling of children. TicQuest shows no ads, builds no advertising or behavioral profiles, and shares no child data with ad networks or data brokers.
Your parental rights. At any time you may review, export, or delete your child's data, and revoke consent — directly in the App (Settings → "Export my family data" / "Delete account") or by contacting privacy@velynq.co. We respond to verifiable parental requests within 30 days.
6. Sharing and Sub-Processors
We do not sell personal information, do not "share" it for cross-context behavioral advertising, and do not disclose it to advertising networks, data brokers, or any third party for their own purposes. We use the following service providers ("sub-processors"), each acting only on our instructions under a written data-processing agreement and only to support the App's internal operations:
| Sub-processor | Role | Data it processes |
|---|---|---|
| Supabase | Backend: database, authentication, edge functions, hosting | Account, family, and child data in Section 2; account-verification / password-reset emails; platform request logs (including IP at the infrastructure layer, which we do not store in App data tables) |
| PowerSync | Offline sync: mirrors a subset of family/child data to the device for offline use | The synced tables incl. child behavioral data (routine history, stars, streaks, completions, certificates, alarms, device links) |
| Apple App Store / Google Play | App distribution and payment processing (native launch) | Payment/card data (never reaches us); subscription receipts |
| RevenueCat | Subscription-state management (planned for native launch; not yet integrated) | Subscription status and an external subscription identifier |
| Expo / EAS | App build and over-the-air update delivery | App binaries/updates (not user personal data) |
Account-related emails (verification, password reset) are sent through our authentication provider, Supabase. We do not currently use any advertising, analytics, attribution, or crash-reporting processor. We will update this section before adding any new sub-processor (for example, a push-notification provider at native launch).
7. International Transfers
Our primary backend (Supabase) hosts data in the European Union (Ireland). Our offline-sync provider (PowerSync) is configured to process data in the European Union. Apple, Google, and RevenueCat (subscription/payment at native launch) may process limited subscription metadata in the United States.
If you are in the EEA, UK, or Switzerland and your data is transferred to a country outside those regions (for example, to a U.S. provider for subscription processing), we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the providers' data-processing agreements.
8. Data Retention Policy
We keep children's personal information only as long as is reasonably necessary to fulfill the purpose for which it was collected, and we do not retain it indefinitely. Our retention schedule:
| Data | Purpose | Retention |
|---|---|---|
Routine completion logs (routine_history) |
Show recent day-by-day history to the parent | 7-day rolling — automatically deleted daily by a scheduled job |
| Monthly progress summaries | Parent progress dashboard (current-period view) | Kept while the account is active; deleted when the child or account is deleted |
| Yearly progress summaries (aggregate counts only) | Show your child's progress over time | Kept while the account is active to display long-term progress; deleted when the child or account is deleted |
| Child profile, routines, tasks, rewards, streaks, certificates | Operate the App for your family | Kept while the account is active; deleted when the child or account is deleted |
| Parental-consent record | Demonstrate COPPA/GDPR-K compliance | Kept while the account is active; deleted on account deletion |
| Device-pairing records | Link a child's device | Pairing codes expire automatically; link records persist until you unpair or delete the account |
| Subscription / billing metadata | Manage your subscription and resolve disputes | Kept while the account is active; deleted on account deletion |
Account and data deletion. You can delete your account at any time in the App (Settings → "Delete account"). This immediately deletes your account and all associated data — family record, every child profile, all activity data, routines, tasks, rewards, and subscription records — by a cascading database deletion. Deletion is immediate and cannot be undone from within the App. We may retain limited billing and transaction records in de-identified form (with your family identifier removed, so they no longer identify you) where required for financial record-keeping, fraud prevention, or legal compliance. Separately, copies cached offline on your device(s) are cleared when you sign out or delete the account, and routine infrastructure backups held by our hosting provider are overwritten on that provider's standard backup cycle (typically within about 30 days) and are not used to restore deleted accounts.
9. Your Rights
9.1 All Users
- Access / portability — request a machine-readable copy of your family's and children's data (the information in Section 2) directly in the App (Settings → "Export my family data"). Your account login email is the address you sign in with; for a copy of any other account-identity data held by our authentication provider, contact privacy@velynq.co.
- Erasure — delete your account and all associated data (Settings → "Delete account"), or contact privacy@velynq.co.
- Rectification — update your account details; child first names and content are editable directly in the App.
- Withdraw consent — withdraw consent for your child's data by deleting the child's profile or your account, or by contacting privacy@velynq.co.
9.2 EEA / UK Users (GDPR)
You also have the right to restrict or object to processing, and to lodge a complaint with your local data-protection supervisory authority (e.g., the UK ICO or your EEA authority). We ask that you contact us first so we can help.
9.3 California Users (CCPA / CPRA)
We do not sell personal information and do not "share" it for cross-context behavioral advertising. You have the right to know what we collect (Section 2), access a copy (in-app export), delete it (in-app "Delete account"), and not be discriminated against for exercising these rights. To exercise them, use the in-app tools or contact privacy@velynq.co.
10. Security
We maintain reasonable administrative, technical, and organizational measures to protect personal data, including:
- TLS/HTTPS encryption for all data in transit between the App and our servers;
- short-lived authentication tokens managed by our authentication provider;
- time-limited pairing codes and signed tokens for device pairing;
- database Row-Level Security that scopes every query to the authenticated parent's own family; and
- a database-level rule that a child profile cannot be created unless a parental-consent timestamp is recorded.
No method of transmission or storage is perfectly secure. To report a security concern, contact privacy@velynq.co.
11. Changes to This Policy
We may update this Policy when the App changes (for example, at native launch when subscription and push-notification providers are added). We will revise the effective date above and, for material changes, provide an in-app notice or email. Continued use after the effective date constitutes acceptance.
12. Contact
Velynq, Inc. 221 W 9th Street, PMB 858, Wilmington, DE 19801, United States Privacy / data requests: privacy@velynq.co General support: support@velynq.co
A Data Protection Officer is not required for our processing (we do not carry out large-scale monitoring of individuals or process special categories of data); for any data-protection question, contact privacy@velynq.co.
This Privacy Policy is maintained by Velynq, Inc. and applies to the TicQuest app and the services that power it.