Privacy Policy
Last updated: February 2026
1. Introduction
Welcome to GoalQuest. We are committed to protecting the privacy of children and families who use our goal-tracking and rewards application. This Privacy Policy explains how we collect, use, and safeguard your information in compliance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Children's Online Privacy Protection Act (COPPA), and other applicable privacy laws.
2. Information We Collect
From Parents/Guardians:
- Full name
- Email address
- Date of birth (to verify you are 18+)
- Country of residence
- Account credentials
From Children (with parental consent):
- Display name or nickname
- Avatar selection
- Goal progress and completion data
- Reward redemption history
- PIN for child login (stored securely)
Automatically Collected:
- Device type and operating system
- App usage analytics (aggregated, non-identifying)
- Error logs for app improvement
3. How We Use Information
We use the collected information to:
- Provide and maintain the GoalQuest service
- Enable parents to create and manage children's profiles
- Track goal progress and calculate rewards
- Process wallet stars and gift card redemptions
- Provide parents with insights about their child's goal completion patterns (visible only to parents, not shared externally)
- Send important account notifications to parents
- Improve our app and user experience
- Comply with legal obligations
4. Children's Privacy
GoalQuest is designed with children's privacy as a priority. We comply with COPPA (Children's Online Privacy Protection Act) and the Australian Privacy Principles regarding the handling of children's personal information:
- Parental Consent Required: We require verifiable parental consent before collecting any information from children under 13.
- No Behavioral Advertising: We do not display behavioral or targeted advertising to children. Any advertisements shown are contextual only.
- No Data Sales: We never sell, rent, or share children's personal information with third parties for marketing purposes.
- Minimal Collection: We only collect information that is reasonably necessary to provide the GoalQuest service.
- No Social Features: Children cannot publicly share information, communicate with strangers, or access external links without parental approval.
5. Parental Rights
As a parent or legal guardian, you have the right to:
- Review Your Child's Data: View all information we have collected about your child at any time through the Privacy & Data settings.
- Request Modification: Update or correct your child's information.
- Request Deletion: Permanently delete your child's data and profile.
- Withdraw Consent: Revoke consent for future collection, which will result in deletion of the child's profile.
- Download Data: Export all data associated with your child in a portable format.
To exercise these rights, use the Privacy & Data section in Settings or contact us at privacy@goalquest.mobi.
6. Data Security
We implement appropriate technical and organizational measures to protect personal information:
- Encryption of data in transit and at rest
- Secure authentication systems
- Regular security assessments
- Access controls limiting employee data access
- Secure deletion procedures
While we strive to protect your information, no method of electronic transmission or storage is 100% secure.
7. Customer Support Access
To provide customer support and resolve issues:
- Support Access: Our authorized support personnel may access your account information (including payment history, subscription status, and transaction records) to assist with inquiries, troubleshoot problems, and resolve disputes.
- Limited Access: Support access is restricted to information necessary to address your specific issue. We maintain audit logs of support access.
- Children's Data: Support personnel only access children's data when necessary to resolve a parent-initiated support request, and only with appropriate safeguards.
- No Marketing Use: Information accessed for support purposes is never used for marketing or shared with third parties.
8. Third-Party Services
We work with trusted third-party services to provide certain features:
- Gift Card Providers: When you redeem stars for gift cards, we share necessary information (parent email only) with our gift card fulfillment partners to process your order. Children's information is never shared with these providers.
- Push Notification Service: We use OneSignal to deliver push notifications about goal approvals, gift card releases, and other app activity. OneSignal receives a device identifier (push token) to deliver notifications. For children's devices, notifications are limited to parent-initiated actions only (e.g., goal approval, gift card release). OneSignal does not receive any personal information such as names or email addresses, and no child behavioral data is shared.
- Crash Reporting: We use Sentry for crash reporting and error diagnostics. Sentry receives anonymized error data, stack traces, and basic device information (device type, operating system version). No children's personal information is shared with Sentry. All identifying information (emails, user IDs, phone numbers) is stripped from error reports before transmission. Data is used solely for improving app stability.
- Cloud Services: We use secure cloud infrastructure to store data with providers that comply with applicable privacy regulations.
All third-party providers are contractually obligated to protect your information and use it only for the purposes we specify.
9. Overseas Data Disclosure (APP 8)
In accordance with Australian Privacy Principle 8, we disclose that your personal information may be transferred to the following countries through our third-party service providers:
- United States: Stripe (payment processing), OneSignal (push notifications), Sentry (crash reporting), and gift card fulfillment providers.
- European Union: Some infrastructure and processing services may operate within the EU.
We take reasonable steps to ensure that overseas recipients handle your personal information in accordance with the Australian Privacy Principles. All overseas transfers are protected by contractual obligations requiring equivalent privacy protections.
10. Analytics (COPPA-Compliant)
We use self-hosted, privacy-focused analytics with strict COPPA compliance:
- No Child Tracking: When a child uses the app, all personal analytics are disabled. Children are NEVER identified or tracked individually.
- Parent-Only Identification: Only verified adult parents (18+) who have provided consent during registration are identified in our analytics.
- Anonymous App Metrics: We collect anonymous, aggregate data about app stability and performance that cannot be linked to any individual.
- Self-Hosted Infrastructure: All analytics data is stored on our own servers, giving us full control over data handling and ensuring no third-party access.
- No Behavioral Profiling: We do not build behavioral profiles of children or use analytics data for advertising purposes.
- Data Minimization: We only collect operational data necessary for app improvement. Parent analytics are retained for 90 days, anonymous metrics for 30 days.
- Data Deletion: When you delete your account, all associated analytics data is also deleted.
- Crash Reporting: We use Sentry for crash reporting to identify and fix app errors. Crash reports contain technical information only (error type, stack trace, device model, OS version) and never include personal information or children's data. When a child is using the app, Sentry reports contain no user association.
11. Data Retention
We retain personal information only as long as necessary:
- Active Accounts: Data is retained while your account is active.
- After Account Deletion: Personal data (names, email, child profiles, goals, achievements) is permanently deleted within 30 days of account closure. A scheduled cleanup process runs daily to ensure timely deletion.
- Payment Records (7-Year Retention): Transaction records including payment amounts, gift card purchases, and fee breakdowns are retained for 7 years as required by tax and financial regulations. After account deletion, these records are anonymized (personal identifiers removed) but the financial data is preserved for compliance.
- Audit Logs: Security and compliance logs are retained for 2 years, then permanently deleted.
- Backup Data: Deleted data may persist in encrypted backups for up to 90 days before permanent removal.
12. International Users
GoalQuest is operated by Jordan Saker from Australia. If you are accessing our service from outside Australia, please be aware that your information may be transferred to, stored, and processed in Australia where our servers are located.
13. Your Rights Under Australian Privacy Law
Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the right to:
- Access Your Information: Request access to the personal information we hold about you (APP 12).
- Correct Your Information: Request correction of any inaccurate, out-of-date, or incomplete personal information (APP 13).
- Know How We Handle Your Data: Request details about how we manage your personal information (APP 1).
- Opt Out of Marketing: Opt out of receiving direct marketing communications at any time (APP 7).
- Complain: If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify parents of any material changes via email and update the "Last Updated" date. Continued use of GoalQuest after changes constitutes acceptance of the updated policy. For significant changes affecting children's data, we will seek renewed parental consent.
15. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
Email: privacy@goalquest.mobi
We aim to respond to all inquiries within 48 hours.