Privacy Policy

KidQuest is a family chore and habit-tracking app intended for use by parents and guardians (18+) who create and manage the household account. Child-facing features are available only within an adult-managed family account and under the direct supervision of the parent or guardian.

Account creation is restricted to adults (18 and older). Children do not create independent accounts. A child's presence in the app is established only when a parent or guardian adds a child profile ("Hero") to the family account.

Parent-Managed Household Use: We designed KidQuest to keep household control with the adult account holder and to minimize child-profile data. Parents and guardians decide what information to enter for child profiles and remain responsible for supervising children's use of the Service.

We collect information in the following categories:

A. Information You Provide (Parent/Guardian)

• Account Information: Your email address and password, processed securely via Supabase Auth. If you sign in via Google or Sign in with Apple, we receive the account information made available by that provider, such as your email address, name, and profile image where provided. We do not have access to your Google or Apple password.
• Family Profile Data: Names or nicknames you assign to family members ("Heroes"). You control this entirely and may use pseudonyms. We recommend using first names or nicknames only — never full legal names for children.
• User Content: Quest titles, reward names, completion history, XP balances, streak data, avatar selections, level progression, and shop configurations you create within the app.
• Billing Information: If you subscribe to KidQuest Pro, payment is processed by Stripe (web) or Apple In-App Purchase / Google Play Billing (mobile apps). We do not store your full payment card details on our servers.

B. Information Collected Automatically

• Authentication, Session, and Preference Technologies: We use cookies, local storage, and similar technologies to keep you signed in, maintain your session, remember basic preferences, and support security-related functionality on the web.
• Usage Logs: Timestamps and interaction events (for example, when a quest is marked complete) used to operate the Service and maintain streaks, progress tracking, and account history.
• Device & Technical Information: Browser type, operating system, device type, IP address, and related technical information collected for security monitoring, fraud prevention, debugging, and service reliability.

C. Information We Do NOT Collect

• Children's full legal names (we encourage nickname use only).
• Precise GPS or location data.
• Photos, videos, or biometric data.
• Advertising identifiers for behavioral advertising to children.
• Financial information beyond what is necessary to process your subscription.

We use collected information solely to operate and improve KidQuest, including:

• Creating and managing your Family Dashboard.
• Authenticating your identity and securing your account.
• Tracking quest progress, streaks, XP, and rewards.
• Processing subscription payments and managing your plan tier.
• Sending transactional emails such as password resets and account verification.
• Sending webhooks to your personal Home Assistant instance (only if explicitly enabled by you — disabled by default).
• Diagnosing technical issues and maintaining service reliability.

We do not sell, rent, or trade your personal information. We do not use your data for targeted advertising. We do not display third-party advertisements within the Service.

We share information only with the infrastructure and service providers required to operate the Service. Any third party with whom we share user data is required to protect that data in a manner consistent with this Privacy Policy and applicable law.

• Supabase: Secure database hosting, authentication, and row-level security. Your data is stored in Supabase's managed PostgreSQL infrastructure.
• Vercel: Web application hosting and edge delivery.
• Google (Authentication): Only if you choose to sign in with Google. We receive only the minimum account data needed for authentication and account setup.
• Apple (Sign in with Apple): Only if you choose to sign in with Apple. We receive only the account data Apple makes available for authentication and account setup.
• Stripe: Payment processing for KidQuest Pro subscriptions on the web. Stripe handles payment card data under PCI DSS compliance. We do not store card numbers.
• Apple / Google Play Billing: In-app purchase processing on iOS and Android respectively, governed by Apple's and Google's own privacy policies and billing terms.
• Resend: Transactional email delivery (for example, password reset or verification emails). Only your email address is shared for this purpose.
• Legal Requirements: We may disclose information if required by law, court order, or where reasonably necessary to protect the safety, rights, or property of our users, the public, or Sidecar LLC.

Data Storage Location: Our infrastructure providers may store and process data in the United States and other countries. By using the Service, you understand that your information may be processed in countries other than your own, subject to appropriate safeguards where required by law.

This section is important. Please read it carefully.

Account Creation

Only adults (18+) may create a KidQuest account. Children do not register independently and do not maintain separate login credentials for their own accounts. A child's profile is created and managed exclusively by the parent or guardian within the family account.

Child Profile Data

When a parent or guardian creates a child's Hero profile and the child uses the app through the parent-managed family account, the following data may be stored as part of that household account:

• The name or nickname assigned by the parent or guardian.
• Quest completion history, XP earned, streaks, rewards, avatar choices, and level progression.
• In-app shop interactions involving virtual currency or rewards.

We intentionally limit child-profile data. We do not request child email addresses, child phone numbers, precise location data, photos, videos, advertising identifiers for behavioral advertising, or other independent child contact information.

When a child uses a device to access the Service through a parent-managed account, we may still process limited technical data such as IP address and basic device/browser information for internal operations, security, fraud prevention, debugging, and service reliability.

Parent Consent and Control

By creating a KidQuest account and adding a child profile, you represent that you are the child's parent or legal guardian and consent to our collection and use of child profile data as described in this Privacy Policy. If we determine that additional consent or verification is required by applicable law, we may request it before permitting continued use of certain features.

Parental Rights — Review, Correct, Delete, and Stop Further Collection

As a parent or guardian, you have the right to:

• Review the child profile data associated with your household account by logging into the Service.
• Correct child profile information at any time through the family management features in the Service.
• Delete a child profile or your entire account by using the deletion tools described in Section 8 below or by contacting support@kidquest.app.
• Stop further collection of child profile data by deleting the child profile or closing the household account entirely.

If you believe we have collected information in a way that is inconsistent with this policy, please contact us and we will investigate and take appropriate action.

No Behavioral Advertising to Children

We do not use child profile data for behavioral advertising, targeted advertising, or profiling. We do not display third-party ads within the Service.

KidQuest offers an optional feature that allows a parent or guardian to send event data to their personal Home Assistant instance via Webhooks. This feature is disabled by default and operates only at the direction of the adult account holder.

If you enable this feature and provide a webhook URL, we will send only the event data necessary for that integration, which may include a parent-provided child nickname and quest title when a quest is completed. You are solely responsible for the configuration, security, access controls, and retention practices of your own Home Assistant endpoint or any third-party system you connect to KidQuest.

We implement industry-standard security measures including:

• Row Level Security (RLS) in Supabase, ensuring each family's data is isolated and inaccessible to other accounts.
• Encrypted data transmission via HTTPS/TLS.
• Secure authentication via Supabase Auth and related access controls.
• Access controls limiting who within our organization can access production data.

While we strive to protect your data, no internet transmission is 100% secure. We cannot guarantee absolute security but commit to notifying affected users in the event of a data breach as required by applicable law.

We retain your data for as long as your account is active and as reasonably necessary to provide the Service, maintain security, and comply with legal obligations.

You may request account deletion at any time:

• In the app by navigating from the main Dashboard to the Admin Dashboard, then to Account & Billing.
• On the web by visiting kidquest.app/account.
• By contacting support@kidquest.app.

When your account is deleted, we will delete or de-identify your account data and associated family profile data within 30 days, except where retention is reasonably necessary or legally required for security, fraud prevention, chargeback prevention, tax or accounting recordkeeping, dispute resolution, legal compliance, or backup and restoration processes.

• Family profile data, including child Hero profiles, will be removed from active use.
• Quest history, XP, rewards, and related user content will be deleted or de-identified from active systems.
• Authentication records will be removed from active systems, subject to any required retention exceptions described above.

Depending on your location, you may have the following rights regarding your personal data:

California Residents (CCPA / CalOPPA)

• Right to Know: You may request a summary of the personal information we have collected about you.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Do Not Sell: We do not sell personal information. The California "Shine the Light" law does not apply as we do not share personal information with third parties for direct marketing.
• Do Not Track: We do not respond to browser "Do Not Track" signals. We track activity only to provide the Service.

EEA / UK Residents (GDPR)

• You have the right to access, rectify, erase, restrict, or object to the processing of your personal data.
• Our legal basis for processing your data is the performance of a contract (providing the Service you signed up for) and, where applicable, your consent.
• You have the right to data portability and to lodge a complaint with your local supervisory authority.

To exercise any of these rights, contact us at support@kidquest.app. We will respond within 30 days.

Where we rely on your consent to process data, you may withdraw that consent at any time by disabling the relevant optional feature, disconnecting the relevant integration, deleting the associated profile, deleting your account, or contacting support@kidquest.app. Withdrawal of consent does not affect processing already completed before the withdrawal.

The Service may reference third-party services (e.g., Google, Apple, Home Assistant). We are not responsible for the privacy practices of any third-party services. We encourage you to review their privacy policies before use.

We may update this policy periodically to reflect changes in our practices or applicable law. When we make material changes, we will update the "Effective Date" at the top of this page and notify users via email or an in-app notice. Continued use of the Service after such changes constitutes your acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy — including requests related to children's data — please contact us at: