Privacy Policy

Effective: April 2026 · Operated by Pixel Pundit · Victoria, Australia · questlings.dev

TL;DR — We collect only what we need to run Questlings. We don't sell your data, run ads, or share your information with anyone except the infrastructure that powers the app (Supabase, Vercel). You can delete your account and all your data at any time. We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).

1. Who We Are

Questlings is a gamified task manager made by Pixel Pundit, based in Victoria, Australia. When this policy says "we", "us", or "our", it means Pixel Pundit. When it says "you" or "your", it means you — the person using Questlings at questlings.dev.

For privacy questions, email contact@pixelpundit.dev. We will respond within 30 days.

2. What Data We Collect

Account data (registered users only)

Email address — used to identify your account and send essential service notifications (e.g. password resets).
Password — never stored in plain text. Supabase stores a bcrypt hash. We never have access to your actual password.
User ID — a randomly generated UUID assigned by Supabase.

Social login data (Google Sign-In)

When you sign in with Google, Google shares a limited profile with Supabase on your behalf — typically your email address, display name, and profile photo URL.
We do not request access to your contacts, calendar, files, or any data beyond basic identity.
Your Google password is never shared with us.

App content data (registered users)

Tasks — titles, descriptions, completion status, creation dates, board position.
Trophies — records of defeated creatures, earned on task completion.
Player progress — XP total, level, streak, hero preferences.
Biome configuration — board theme and visual settings.

This content is yours. We store it so you can access it across devices. We do not read, analyse, or use your task content for any purpose other than displaying it back to you.

Guest mode data

If you use Questlings without an account, all data is stored in your browser's localStorage. It never leaves your device and we have no access to it.

Technical and analytics data

Vercel Analytics — privacy-first, cookieless, aggregated performance data. No personally identifiable information is collected. See Vercel's privacy docs.
Server logs — Vercel may retain standard web server logs (IP addresses, request paths, timestamps) for a short rolling window for security purposes.

3. Cookies and Local Storage

We do not use cookies for tracking or advertising. Full details are in our Cookie Policy.

Supabase auth session — a functional cookie/token that keeps you logged in. Strictly necessary.
localStorage — guest mode data and small UI preferences. Never sent to any server.
Service worker cache — static app assets for offline/faster loading. No personal data.

4. How We Use Your Data

We use your data only to:

Provide the service — sync tasks, trophies, and progress across devices.
Authenticate you securely.
Display your own content back to you.
Improve app performance using aggregated, anonymous analytics.

We do not:

Sell or rent your data to anyone.
Share your data with advertisers or data brokers.
Use your task content to train AI or machine learning models.
Build behavioural profiles or engage in targeted advertising.
Send marketing emails (there is no marketing programme).

5. Infrastructure Providers

We rely on two third-party services to deliver Questlings:

Supabase (privacy policy) — authentication, database, and session management. Row Level Security (RLS) ensures your data is only accessible to you. Supabase servers are located in the United States.
Vercel (privacy policy) — hosting, deployment, and analytics.

We do not use any other third-party services that receive your personal information.

6. Data Security

HTTPS everywhere — all data in transit is encrypted via TLS.
Password hashing — bcrypt via Supabase. We never see plain-text passwords.
Row Level Security — database policies ensure users can only access their own data.
OAuth PKCE flow — social login uses Proof Key for Code Exchange to prevent interception attacks.

No system is perfectly secure. If you discover a security issue, please email contact@pixelpundit.dev immediately.

7. Overseas Disclosure

Under Australian Privacy Principle 8, we are required to inform you that your personal information may be disclosed to overseas recipients. Supabase and Vercel are US-based services and may store or process data on servers in the United States. Before engaging these providers, we took reasonable steps to ensure they handle personal information in a manner consistent with the Australian Privacy Principles.

8. Data Retention

Account and app data — retained for as long as your account exists.
Account deletion — permanently removes all associated data from Supabase. This is irreversible.
Server logs — retained by Vercel per their rolling retention window.
Guest data — persists in your browser until you clear storage or migrate to an account.

9. Your Rights

Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you have the right to:

Access — request a copy of all personal information we hold about you (APP 12).
Correction — request correction of inaccurate personal information (APP 13). You can update your email and display name directly in the app.
Deletion — delete your account and all data from within the app settings, or email us and we will do it within 30 days.
Complaint — if you are unsatisfied with our handling of your personal information, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

If you are located in the EU/EEA, you also have rights under the GDPR including data portability and the right to lodge a complaint with your local data protection authority. We honour these rights regardless of your location.

To exercise any right, email contact@pixelpundit.dev. We may need to verify your identity before processing a request.

10. Children's Privacy

Questlings is not directed at children under the age of 13 and we do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe a child has provided us with personal information, please contact contact@pixelpundit.dev and we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated to registered users via email or in-app notice at least 14 days before taking effect. The effective date at the top of this page will be updated accordingly.

12. Contact

For privacy questions, data requests, or complaints:

Email: contact@pixelpundit.dev
Website: questlings.dev

Operated by Pixel Pundit, Victoria, Australia.