AtomicQuests

Privacy Policy

Last updated: 26 February 2026  ·  Effective: 26 February 2026

1. Who We Are

AtomicQuests is developed and operated by Malmborg (GitHub: mattiasmalmborg), a Swedish independent developer ("we", "us", "our"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the AtomicQuests mobile application (the "App").

For privacy inquiries, contact us at: GitHub Issues

2. Age Restriction

AtomicQuests is intended for users aged 16 and older. We do not knowingly collect personal data from anyone under the age of 16. If you believe a person under 16 has provided us with personal data, please contact us immediately at GitHub Issues and we will delete that data promptly.

Users must confirm their date of birth during account creation. If the provided date indicates the user is under 16, access is blocked and no data is retained.

3. Data We Collect

We collect only the data necessary to operate the App. We do not collect health data, location data, contacts, or any sensitive personal categories beyond what is listed below.

Data type	Source	Purpose
Email address	Google OAuth sign-in	Account authentication and communication
User ID	Generated at account creation	Account management and cloud sync
Display name	Provided by user	In-app profile display and social features
App usage data	App activity	Core app functionality (quest completion, progress tracking)
Gamification stats	App activity	XP, streaks, quest history — core game mechanics
Social connections	User-initiated	Friends list for optional social features
Date of birth	Provided by user	Age verification only; not stored after verification

We do not collect: precise location, health or medical data, financial data, contacts, call/SMS logs, photos, or any biometric data.

4. How We Use Your Data

• Account management: Creating, authenticating, and maintaining your account.
• App functionality: Syncing your quests, progress, and gamification stats across devices.
• Social features: Enabling optional features like friend connections and shared progress (only if you choose to use them).
• Service communications: Sending transactional emails (e.g., account confirmation, deletion confirmation). We do not send marketing emails without explicit opt-in.
• Safety and integrity: Detecting and preventing abuse, fraud, or violations of our Terms of Service.
• Legal compliance: Complying with applicable laws and responding to lawful requests.

We do not use your data for: targeted advertising, sale to third parties, profiling for automated decision-making that produces legal or similarly significant effects, or any health-related analysis.

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and the United Kingdom, we process your personal data under the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR): Processing your email, user ID, and usage data is necessary to provide the App and fulfill our agreement with you.
• Legitimate interests (Art. 6(1)(f) GDPR): We have a legitimate interest in maintaining service security, preventing abuse, and improving our service. We balance these interests against your privacy rights.
• Legal obligation (Art. 6(1)(c) GDPR): We may process data where required by applicable law.
• Consent (Art. 6(1)(a) GDPR): Where we rely on consent (e.g., optional communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.

6. Third Parties and Data Processors

Supabase (supabase.com) is our sole third-party data processor. Supabase provides our authentication infrastructure and cloud database. Your account data and synced progress are stored on Supabase-hosted servers.

• Supabase Privacy Policy: supabase.com/privacy
• Supabase processes data in accordance with GDPR and has signed a Data Processing Agreement with us.
• Data may be stored in data centers in the United States or the European Union depending on your Supabase region configuration.

We also use the following platforms for app distribution and infrastructure. These platforms receive only the minimum data necessary for their function:

• Google Play / Google OAuth: For app distribution and sign-in authentication. Subject to Google's Privacy Policy.
• Expo / EAS (Expo Application Services): For app builds and over-the-air updates. Expo receives anonymized build and update metadata, not your personal account data.

We do not use advertising networks, analytics SDKs that track users across apps, or any data brokers. We do not sell your personal data.

7. Data Storage and Security

• All data in transit is encrypted using HTTPS/TLS.
• Cloud data is protected by Supabase Row Level Security (RLS), ensuring each user can only access their own data.
• Authentication tokens are stored in device secure storage (expo-secure-store), not in plain text or unencrypted storage.
• Local app data (quests, stats cached on-device) is stored in an on-device SQLite database.

No method of data transmission or storage is 100% secure. While we use industry-standard safeguards, we cannot guarantee absolute security. If a data breach occurs involving personal information, we will notify affected users in accordance with applicable law (within 72 hours to supervisory authorities under GDPR; within 60 days to affected individuals under the FTC Health Breach Notification Rule where applicable).

8. Data Retention

• Account data: Retained for as long as your account is active. Deleted permanently when you delete your account (see Section 9).
• Gamification and usage data: Retained as part of your account. Deleted with your account.
• Anonymous or aggregated usage data (if collected in the future): Retained for a maximum of 2 years.
• Age verification data (date of birth): Used at the point of verification only; not retained after the verification check is complete.

9. Account Deletion

You can delete your account at any time from within the App (Profile → Settings → Delete Account). Upon deletion:

• All cloud data associated with your account is permanently deleted from Supabase (profile, streaks, quest history, social connections, activity feed).
• All local data on your device is cleared (SQLite database, cached tokens).
• Your Supabase authentication record is deleted.

Deletion is irreversible. If you cannot access the in-app deletion flow, you may request deletion via GitHub Issues. We will process the request within 30 days.

10. Your Rights

GDPR Rights (EEA / UK Users)

If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:

• Right to access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): Request deletion of your personal data.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to restriction: Request that we limit processing of your data in certain circumstances.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time.
• Right to lodge a complaint: You have the right to lodge a complaint with your national data protection authority. In Sweden, this is Integritetsskyddsmyndigheten (IMY).

CCPA Rights (California, USA Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
• Right to delete: Request deletion of your personal information.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt-out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out mechanism is required because we do not engage in these practices.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise any of these rights, contact us at GitHub Issues. We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving a verifiable request.

11. International Data Transfers

We are based in Sweden. Your data may be transferred to and processed in countries outside the EEA, including the United States, where Supabase infrastructure is located. Such transfers are carried out under appropriate safeguards, including Standard Contractual Clauses (SCCs) as required by GDPR. For more information, refer to Supabase's privacy policy.

12. Cookies and Tracking

The AtomicQuests mobile app does not use cookies. We do not use tracking pixels, fingerprinting, or cross-app tracking technologies. Any analytics collected are limited to app-internal usage data (as described in Section 3) and are not shared with advertising platforms.

13. Health Disclaimer

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the App or via in-app notice at least 30 days before the changes take effect. Continued use of the App after that date constitutes acceptance of the revised policy. We will update the "Last updated" date at the top of this page.

15. Contact Us

For any privacy-related questions, requests, or concerns:

• Contact: GitHub Issues
• Developer: Malmborg (Sweden)
• GitHub: github.com/mattiasmalmborg

We will respond to data subject requests within 30 days (GDPR) or 45 days (CCPA) as required by law.