Privacy Policy
Last updated: 24 May 2026
Welcome to FestiQuest. We take privacy seriously and handle your data carefully. In this privacy policy we explain what data we collect, why, how long we keep it, and what rights you have. We write this in plain language so you can actually read it.
1. Who we are
FestiQuest is a social festival app that helps people organise activities (“sidequests”) together at festivals and meet new people. The app is provided by:
The FestiQuest team — based in the Netherlands Contact: via our contact form Website: https://festiquest.app
We are the data controller for your personal data as defined under the General Data Protection Regulation (GDPR / EU Regulation 2016/679).
Got questions about your privacy, want to exercise your rights, or have a complaint? Email our contact form and we respond within 30 days.
2. When this policy applies
This privacy policy applies to your use of:
- The FestiQuest app (iOS, Android and the web version at festiquest.app)
- All related services such as account sign-up, sidequest participation, group chats and notifications
The app is intended for people aged 18 and over. We do not accept accounts from minors. See section 11 for details.
3. What data we collect
We only collect data needed to make the app work. By category:
3.1 Account and identity data (required)
- First name — to make you identifiable in the app
- Date of birth — to verify you are 18+ and to display your age to other users
- City — to display your hometown to other users
- Email address — for account verification, security notifications, and (only when necessary) service notifications
3.2 Profile data (optional)
- Profile photo
- Gender
- Short bio
- Instagram handle (to make connecting with other festival-goers easier)
Optional means: you choose whether to fill this in. Skipping has no impact on your account access.
3.3 Activity data
- Festivals you “pin” — which festivals you plan to attend
- Sidequests you create or join — including title, description, location, time, member cap, and any photos
- Chat messages in group chats of sidequests you are a member of (text and any photo attachments)
- Notification preferences and read state for in-app notifications
- QR scans within the app (processed locally, not stored)
3.4 Login and authentication data
When you log in via Google Sign In, Apple Sign In, or (later) Meta, we receive limited information from that provider:
- A unique user ID
- Your email address
- (If you share it) your name and profile picture
We use this data only to create your account and log you in.
3.5 Technical data
- Session tokens (to keep you logged in)
- Language preference (NL/EN)
- IP address (temporarily processed by our hosting provider for security and abuse prevention, not stored long-term)
3.6 What we do not collect
- No tracking for advertising purposes
- No analytics cookies (in a future version possibly Plausible for anonymous page stats, only after explicit notice here)
- No access to your contact list
- No precise GPS location (we work with festival selection, not live location)
- No microphone access
- No access to your photos unless you actively upload one
4. Why we process your data and on what legal basis
Under GDPR we always need a lawful basis to process data. For FestiQuest we rely on:
| Purpose | Data | Legal basis |
|---|---|---|
| Create account and log in | Name, email, date of birth, OAuth ID | Performance of a contract (art. 6(1)(b) GDPR) |
| 18+ age verification | Date of birth | Legitimate interest + legal obligation (no minors) |
| Show your profile to other users | Name, age, city, optional profile fields | Performance of contract + consent for optional fields |
| Create, join, and manage sidequests | Sidequest data, membership | Performance of a contract |
| Group chat | Chat messages, photo attachments | Performance of a contract |
| Send notifications | Email, push token, read state | Performance of contract + consent (push notifications) |
| Protect the app from abuse | IP, session info, abuse reports | Legitimate interest (platform and user safety) |
| Comply with legal obligations | All relevant | Legal obligation (art. 6(1)(c) GDPR) |
| Improve the app (error reporting) | Anonymised error logs | Legitimate interest |
5. How long we keep your data
We do not keep data longer than necessary:
| Category | Retention |
|---|---|
| Account data (profile, email, date of birth) | As long as you have an active account |
| Sidequests (title, description, members) | As long as the sidequest is active or appears in user history. On account deletion: max. 30 days |
| Chat messages | Auto-archived 7 days after the festival ends, hard-deleted after 30 days |
| Photos (profile + chat attachments) | Same as associated data (profile photo until account deletion, chat photos per chat retention) |
| Reports and moderation logs | Up to 6 months for abuse investigation and repeat-pattern detection |
| Error and technical logs | Up to 90 days |
| Deleted accounts | Fully removed from all systems within 30 days of request (see section 9) |
After deletion we may retain anonymised, non-identifiable data to improve the app.
6. Who we share your data with
We never sell your data. We only share with parties needed to operate the app (sub-processors). With each sub-processor we have a Data Processing Agreement (DPA) or they operate under an equivalent legal framework.
6.1 Sub-processors
| Party | Purpose | Data location |
|---|---|---|
| Supabase | Database, authentication, storage (profile photos, chat photos), realtime chat, server functions | EU (Frankfurt, Germany) |
| Vercel | Hosting the web version and API routes | Global edge network, primary storage in EU/US |
| Resend | Sending transactional emails (verification, notifications) | US and EU |
| Google (Sign In) | OAuth login | Global |
| Apple (Sign In with Apple) | OAuth login | Global |
| Meta (Sign In) — future addition | OAuth login | Global |
6.2 Festival data
Festival information (names, dates, images) is fetched automatically from public sources including Festivalfans.nl. This does not involve your personal data.
6.3 Legal requests
We only share data with law enforcement or regulators where we are legally required to do so (e.g. a valid order from a Dutch authority).
7. International data transfers
Our primary database (Supabase) is located in Frankfurt, Germany (EU). This keeps your data inside the European Economic Area (EEA) by default.
Some sub-processors (Vercel, Resend, Google, Apple, Meta) have servers in the United States. Transfers to the US take place on the basis of:
- EU-US Data Privacy Framework (adequacy decision) for certified parties, or
- Standard Contractual Clauses (SCCs) of the European Commission, or
- Another valid transfer basis from chapter V GDPR
We try to keep the number of trans-Atlantic transfers as small as possible.
8. Cookies and similar technologies
We use a minimal number of cookies and local storage, only for app functionality:
| Type | Purpose | Retention |
|---|---|---|
| Authentication cookies / session storage | Keep you logged in | Until logout or expiration |
Language preference (sq:lang) | Remember whether you want NL or EN | Until you clear it or change it |
| Local cache | Fast loading of profile and festivals | Until logout or account deletion |
We use no tracking cookies, advertising cookies, or analytics cookies. If we ever want to collect anonymous, privacy-friendly statistics (e.g. via Plausible Analytics), we will update this policy first and notify you actively.
For functional cookies, no cookie banner is legally required, but this policy explains what we use them for.
9. Your rights
Under GDPR you have several rights. You can exercise them any time by emailing our contact form. We respond within 30 days.
| Right | What it means |
|---|---|
| Access | You can request what data we hold about you |
| Rectification | You can have incorrect data corrected (most fields you can edit yourself in the app) |
| Erasure (“right to be forgotten”) | You can delete your entire account via the app settings. We remove all your data within 30 days. |
| Restriction of processing | In certain cases you can ask us to restrict processing |
| Data portability | You can request a copy of your data in a common format (JSON) |
| Objection | You can object to processing based on legitimate interest |
| Withdraw consent | Where processing is based on consent (such as push notifications), you can withdraw it at any time |
| No automated decision-making | We do not make automated decisions with legal effects on you |
Account deletion
You can delete your account yourself via Profile → Settings → Delete account. This removes:
- Your profile, photo, email, and all personal fields
- All sidequests you created (or we anonymise them if other members are still active)
- All chat messages are anonymised (
Deleted user) or removed - Your uploads in Supabase Storage
Within 30 days everything is gone. Backup systems may temporarily hold a copy that is overwritten automatically on a rolling schedule.
10. Security
We take security seriously. Concrete measures:
- TLS encryption for all connections (HTTPS)
- Encryption at rest for the Supabase database and storage
- Row-Level Security (RLS) at database level: users can only see data they are entitled to (own profile, own sidequests, chats they are members of)
- OAuth authentication via established providers (Google, Apple, Meta) — we do not store passwords
- Session tokens with short TTL and automatic refresh
- Access control on infrastructure (admins only, multi-factor authentication)
- Logging and monitoring for suspicious activity
- Sub-processor DPAs with all parties
No system is 100% secure. If a data breach happens that poses a high risk to you, we notify you within 72 hours per GDPR breach-notification rules, and report it to the Dutch Data Protection Authority.
11. No children
FestiQuest is an 18+ app. We do not allow accounts from people under 18.
At account creation we check your date of birth at database level (age >= 18 constraint). If we discover that a minor has created an account anyway, we delete that account immediately.
Are you a parent or guardian and do you suspect a minor under your responsibility has created an account? Email our contact form and we handle it within 7 days.
12. Complaints
Unhappy with how we handle your data? Let us know first at our contact form. We think it is important to resolve this together.
If we cannot resolve it, you always have the right to lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens (AP) PO Box 93374 2509 AJ The Hague, Netherlands https://autoriteitpersoonsgegevens.nl
Or with the supervisory authority in your own EU member state.
13. Changes to this privacy policy
We may update this privacy policy from time to time, for example because we add new features or because the law changes. We announce material changes via:
- An in-app notice
- An email to your registered address (only for significant changes)
- An update to the “Last updated” date at the top of this document
We recommend reading this document again every now and then.
14. Contact
Questions about this privacy policy or your data? Email us:
We respond within 30 days.