PointQuest Privacy Policy

Last updated: April 4, 2026

1. What PointQuest Does

PointQuest is a family activity challenge app. Families create point-based fitness and activity challenges, log activities, and track progress together. The app is designed for families to use privately.

2. Information We Collect

We collect only what's needed to make the app work:

• Account info: Email address, display name, and avatar emoji you choose during sign-up.
• Family data: Family name, member names, and managed child profiles that you create.
• Activity data: Activity logs (what activity, how long, when) that you enter into challenges.
• COPPA consent records: When you add children, we record that you provided parental consent, including the child's name, age range, and timestamp.

We do not collect location data, contacts, photos, health data, browsing history, or device identifiers beyond what Firebase provides for authentication.

3. Children's Privacy (COPPA Compliance)

PointQuest complies with the Children's Online Privacy Protection Act (COPPA). Children under 13 cannot create their own accounts. Only a parent or legal guardian may create managed profiles for children under 13. These profiles:

• Are created and fully controlled by the parent's account
• Do not have their own login credentials
• Cannot access the internet independently through the app
• Store only a display name and emoji avatar

We do not knowingly collect personal information directly from children under 13. All child data is entered and managed by the parent. Parents must provide consent before adding any child profile, and a consent record is created each time a child is added.

Parents can review and delete their child's profile and all associated activity data at any time from the app.

4. How We Use Your Data

• To authenticate your account and keep your data secure
• To display challenge progress, scoreboards, and activity history to your family
• To calculate points, streaks, and tier progress

We do not sell your data, show you ads, or share your information with third parties for marketing purposes.

5. Data Storage and Security

Your data is stored in Google Firebase (Cloud Firestore), hosted in the United States. Firebase provides encryption at rest and in transit.

Access to your data is restricted by Firestore security rules:

• You can only read your own family's data and challenges your family participates in
• Other users cannot see your family members, activity logs, or challenge details
• Point calculations are performed by secure Cloud Functions that cannot be tampered with
• COPPA consent records are immutable and cannot be deleted by users

6. Third-Party Services

• Firebase Authentication: Handles sign-in (email/password, Apple Sign-In). Firebase Privacy Policy
• Firebase Cloud Firestore: Stores all app data.
• Firebase Cloud Functions: Processes point calculations server-side.
• Apple Sign-In: Optional authentication method. Apple's privacy practices apply.
• RevenueCat: Manages in-app subscriptions (when available). RevenueCat Privacy Policy

7. Account Deletion

You can delete your account at any time from the More tab in the app. Account deletion permanently removes:

• Your user profile and all managed child profiles
• Your membership in all families (and decrements member counts)
• All activity logs you created
• All challenges you created (including their activity logs and stats)
• All COPPA consent records associated with your account
• Your Firebase Authentication account

8. Data Retention

We retain your data for as long as your account is active. When you delete your account, all your personal data is removed immediately as described above.

9. Your Rights

You have the right to:

• View all your data within the app
• Edit your profile (name, avatar) at any time
• Delete your account and all associated data
• Request a copy of your data by contacting us

10. Canadian Privacy Law (PIPEDA)

If you are located in Canada, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to access, correct, and request deletion of your personal information. We collect and use your personal information only with your knowledge and consent, and only for the purposes described in this policy.

11. International Data Transfers

Your data is stored in the United States via Google Firebase. By using the app, you consent to the transfer and processing of your data in the United States. Google Firebase complies with EU Standard Contractual Clauses (SCCs) for transfers of personal data from the European Economic Area and United Kingdom to the United States.

12. European Union and United Kingdom Users (GDPR)

If you are located in the European Union or United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR applies to your personal data. This section supplements the rest of this Privacy Policy.

Lawful basis for processing: We process your personal data on the following legal bases:

• Performance of a contract: Account information and activity data are processed to provide the App and its features.
• Legal obligation: COPPA consent records are retained to satisfy our legal obligations.
• Legitimate interests: Usage interaction data (processed via RevenueCat) is used to operate and improve our subscription service.

Your rights under GDPR: In addition to the rights described in Section 9, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data (subject to legal retention obligations).
• Restriction: Request that we limit how we use your data in certain circumstances.
• Portability: Request your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests.

To exercise any of these rights, contact us at crstudiosdev@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

Data transfers: Your data is transferred to and stored in the United States. Google Firebase uses Standard Contractual Clauses approved by the European Commission to ensure an adequate level of data protection for these transfers.

Retention: We retain your personal data for as long as your account is active. COPPA consent records are retained for the duration required by applicable law even after account deletion.

13. Law Enforcement and Legal Requests

We may disclose your personal data if required to do so by law, court order, subpoena, or other legal process, or if we reasonably believe that disclosure is necessary to:

• Comply with applicable law or legal process served on us
• Protect and defend the rights or property of the developer
• Protect the personal safety of users of the App or the public

Where permitted by law, we will attempt to notify affected users before disclosing their data in response to a legal request.

14. Changes to This Policy

If we make changes, we'll update the date at the top. For significant changes, we'll notify you in the app.

15. Contact

Questions about this policy? Email crstudiosdev@gmail.com.