Privacy Policy
This Privacy Policy covers two things: (A) the QuestLock mobile app, and (B) this website. They are intentionally separate because they process data very differently. The app is built privacy-first and runs almost entirely on your device.
Part A — The QuestLock App
1. Overview
QuestLock works entirely on your device. Your quest progress, streak data, habits, and personal settings are stored locally using Apple's SwiftData framework and are never transmitted to any server operated by us.
2. Data Controller (under GDPR)
Jan Harenbrock
Coming soon (address)
Email: info@getquestlock.com
3. Data We Do Not Collect
We do not collect, store, or transmit:
- Your name or any personal identifiers (the name you enter during onboarding stays only on your device)
- Location data
- Browsing history
- Health data
- Crash reports or analytics
- Advertising identifiers (IDFA)
- Usage analytics
There is no account system. There is no backend server for the app. We have no access to any data on your device.
4. Data Stored Locally on Your Device
The following is stored exclusively on your device using Apple's SwiftData and UserDefaults:
| Data | Purpose | Storage |
|---|---|---|
| Your chosen name (onboarding) | Personalized display within the app | Local (SwiftData) |
| Quest progress & completion history | Core app functionality | Local (SwiftData) |
| Streak counter & program day | Core app functionality | Local (SwiftData) |
| Bedtime / wake time settings | App blocking schedule | Local (UserDefaults) |
| Selected apps to block (FamilyActivitySelection) | App blocking functionality | Local (UserDefaults via App Groups) |
| Wisdoms seen, insight count | Journey tab functionality | Local (UserDefaults) |
| In-app coin balance & reward history | Rewards tab functionality | Local (SwiftData) |
| Subscription status (cached) | Determining feature access | Local (UserDefaults) |
In-app coins are stored only on your device and have no monetary value. They cannot be transferred and are lost if you uninstall the app. You can delete all local data at any time by uninstalling the app.
5. Device Permissions Used
Camera (NSCameraUsageDescription)
Used exclusively for quest proof verification:
- Object Detection: The camera scans for physical objects (e.g., a water bottle) to confirm quest completion. Processed on-device using Apple's Core ML with a pre-trained model (YOLOv3). No images are stored or transmitted.
- Pose Detection: The camera detects body pose (e.g., push-ups, squats) using Apple's Vision framework. No images are stored or transmitted.
Camera frames are processed in real time on your device only. The camera activates only when you explicitly open a proof sheet for a specific quest. You can always choose a different proof type (timer or tap-to-confirm) that does not require the camera.
Screen Time / FamilyControls
Used to block and unblock selected apps according to your quest completion and schedule. The apps you select are stored using Apple's opaque token system — we cannot read which specific apps are selected; only Apple's frameworks can interpret this data. This data never leaves your device.
6. Third-Party Services (App)
RevenueCat (Subscription Management)
We use RevenueCat to process and manage subscriptions. When you make a purchase, RevenueCat processes:
- Your Apple-assigned subscriber ID (anonymous — not your name or email)
- Purchase transaction data (product ID, transaction date, price)
- Subscription status
RevenueCat acts as a data processor on our behalf. Their privacy policy: revenuecat.com/privacy. RevenueCat may process data outside the EU/EEA on the basis of EU Standard Contractual Clauses (Art. 46 GDPR).
Apple In-App Purchase: The actual payment is processed entirely by Apple. We do not receive your payment details. Apple's privacy policy: apple.com/legal/privacy.
7. Legal Basis (GDPR Art. 6)
| Processing | Legal Basis |
|---|---|
| Local app data (quest progress, settings, name) | Art. 6(1)(b) — necessary to provide the app's functionality |
| Camera data (on-device only, not stored) | Art. 6(1)(b) — necessary for the feature you explicitly activate |
| FamilyControls selection | Art. 6(1)(b) — necessary for the core app-blocking feature |
| RevenueCat subscription data | Art. 6(1)(b) — necessary for subscription management |
Automated Decision-Making
We do not use your data for automated decision-making or profiling within the meaning of Art. 22 GDPR. In-app coach recommendations (e.g., suggested level-ups after consistent quest completion) are based on simple local rules running on your device and have no legal or similarly significant effect on you.
International Data Transfers
The only app processing that may involve transfer outside the EU/EEA is RevenueCat subscription management (Section 6). All other app data stays exclusively on your device.
8. Data Retention (App)
- Local device data: Retained until you delete the app or clear app data. You are in full control.
- RevenueCat subscription data: Retained as long as needed to manage your subscription and meet legal obligations. See RevenueCat's policy for details.
Part B — This Website
9. Hosting (Netlify)
This website is hosted via Netlify (Netlify, Inc., 2325 3rd Street, Suite 296, San Francisco, CA 94107, USA). When you visit this site, Netlify automatically processes connection data in server logs, including your IP address, date and time of the request, the requested URL, referrer, and browser/user-agent. This is technically necessary to deliver the site securely and to ensure stable operation.
Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in a secure, stable website). Because Netlify may process data in the USA, transfers are safeguarded by EU Standard Contractual Clauses (Art. 46 GDPR). More: netlify.com/privacy.
10. Web Fonts (Google Fonts)
This website loads fonts from Google Fonts servers to display text consistently. When fonts load, your IP address may be transmitted to Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in consistent presentation). More: policies.google.com/privacy.
11. Contact by Email
If you contact us by email, we process the data you provide (your email address and message content) solely to handle your request. Legal basis: Art. 6(1)(b) or (f) GDPR. We delete these messages once they are no longer needed and no legal retention applies.
12. Cookies & Analytics
This website does not use tracking cookies and does not run analytics or advertising tools. Netlify may set strictly necessary technical cookies required to operate the site.
13. Your Rights (EU/EEA Users)
You have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and to object (Art. 21). For local app data, simply uninstall the app; for RevenueCat data, contact us.
You also have the right to lodge a complaint with a supervisory authority. In Germany: Berliner Beauftragte für Datenschutz und Informationsfreiheit, datenschutz-berlin.de.
To exercise your rights, contact: info@getquestlock.com.
14. Children
This app and website are not directed at children under 16 years of age. We do not knowingly collect data from children.
15. Changes to This Policy
We will reflect material changes by updating the "Last updated" date above. The current version is always accessible within the app under Settings and on this website.
16. Contact
Jan Harenbrock
Coming soon (address)
Email: info@getquestlock.com