GuestQuest← Back to home

Legal

Privacy Policy

Last updated April 16, 2026

This Privacy Policy explains how GuestQuest (“GuestQuest,” “we,” “us,” or “our”) collects, uses, and protects personal information in connection with our website, event-hosted mobile-web experiences, admin dashboard, print assets, and related services (the “Service”).

GuestQuest is often used at family events, birthdays, weddings, and youth sports — events where children may be present and photographed. We treat children's data and any biometric-adjacent feature with additional care. If you are a parent or guardian, please read Section 5 closely.

By using the Service, you agree to the collection and use of information as described in this Policy and in our Terms of Service.

1. Information We Collect

1.1 Information You Provide

  • Guest profile: the display name you enter when you join an event, and the email address you optionally provide to get a magic-link session recovery.
  • Photos, videos, and captions: content you upload while playing, including challenge photos, video guestbook recordings, and any captions or tags.
  • Admin and inquiry info: if you set up an event or submit a contact form, we collect your name, email, organization, message, and login credentials.
  • Communications: the content of emails and messages you send us.

1.2 Information Collected Automatically

  • Session data: device info (user-agent), approximate locale/timezone, points, badges earned, challenges completed, and timestamps of actions.
  • Cookies and local storage: we use first-party cookies and your browser's local storage to keep you signed in, remember gallery passwords you've entered, and persist session state like your shortlist picks. We do not use third-party advertising cookies.
  • View counts and analytics: aggregated counts of gallery views and approximate performance metrics.

1.3 Biometric-Related Information

Some optional features process imagery from your device camera. We want to be fully transparent about what happens to that data:

  • Face Filters (built-in + custom): run entirely on your device using MediaPipe Face Mesh. Facial landmark points (x/y/z coordinates for 468 mesh points) are computed in your browser in real time to anchor a graphic overlay. These landmarks are never transmitted to our servers and are never stored. If you tap the shutter, the resulting composed image (video frame + overlay) is treated as a normal photo per Sections 1.1 and 2.
  • AR Marker Hunt: the camera feed is analyzed on your device using the MindAR library to detect printed image markers. Only the identity of the matched marker (e.g., “trophy-01”) and your points update are sent to our servers. The camera frames are not uploaded, stored, or transmitted.
  • Find My Photos (optional, event-by-event): if an event host enables this feature and you opt in, we compute a face embedding (a numerical signature of your face geometry) from a selfie you submit, then compare it to embeddings of faces that appear in photos from that single event. Embeddings are stored scoped to your session and the event, used solely to surface photos you appear in, and deleted when the event ends or when you delete your session — whichever comes first. You may ask us to delete your embedding at any time by emailing hello@guestquest.app. For guests located in jurisdictions with specific biometric laws (including Illinois' Biometric Information Privacy Act (BIPA), Texas CUBI, and Washington HB 1493), you must provide written consent before your embedding is computed; the opt-in screen in the Service constitutes that written consent. Parents/guardians of minors must provide this consent on the minor's behalf.

2. How We Use Information

We use the information we collect to:

  • Operate the Service, including showing guests their points, badges, and leaderboard position, and showing event hosts a gallery of uploaded content.
  • Moderate content (either automated quality checks or manual approval by the event host/coordinator).
  • Deliver magic-link session recovery and event-related emails (welcome, gallery-ready, prize winner, recap).
  • Detect and prevent fraud, abuse, and violations of our Terms.
  • Improve the Service through aggregated, de-identified analysis. We do not train AI models on your photos.
  • Comply with legal obligations and respond to lawful requests.

3. How We Share Information

We share information only in these specific cases:

  • With the event host: when you participate in an event, the host can see your display name, the photos you upload, and your points/badges. This is fundamental to the Service.
  • With sponsors, when you redeem a sponsor-funded prize: your display name and the prize you claimed may be shared with the sponsor so they can fulfill the prize. We do not share your email or other contact information with sponsors unless you explicitly provide it to them.
  • With service providers under contract: Supabase (data storage, auth, and realtime), Resend (transactional email), Vercel (hosting), and similar processors are bound by data- processing agreements and may only use your data to provide us with services.
  • When required by law: in response to a valid subpoena, court order, or similar legal process, or to protect rights, property, or safety.
  • In a corporate transaction: if GuestQuest is acquired, merged, or reorganized, your information may be transferred to the acquiring entity, subject to the same protections described here.

We do not sell personal information, and we do not rent or trade contact lists.

4. Social Sharing

When you tap the Instagram, Facebook, TikTok, WhatsApp, X, or Copy Link buttons, we open the platform's share flow or copy a pre- formatted caption and event URL. The platforms' own privacy policies govern anything you do on them after that point. We log that you tapped a share button so we can award bonus share points per event host settings; we don't receive your post content from the platforms.

5. Children's Privacy

5.1 Under 13 (COPPA)

GuestQuest is a general-audience service, not directed at children under 13, but we understand events often include young attendees. Where we have actual knowledge that personal information has been collected from a child under 13 without verifiable parental consent, we will delete that information.

Parents and guardians: if your child under 13 has used the Service and you wish to review, correct, or delete the information we have collected from them (including any photos of them that appear in an event gallery), email us at hello@guestquest.app and we will respond promptly. Please include enough context to help us identify the event and the child (for example, the event name, the display name your child used, or the date of the event).

We will not:

  • Use children's photos for GuestQuest marketing or AI-model training.
  • Knowingly compute biometric embeddings (Find My Photos) for a child under 13 without explicit verifiable parental consent for that specific event.
  • Share children's contact information (email) with sponsors or third-party marketers.

5.2 Event Hosts and Photo Policies

Event hosts are responsible for informing attendees — including parents — that photos will be taken and uploaded, and for collecting any photo-release consent required by the venue or applicable law. Hosts can moderate, reject, or delete any upload before it appears in the event gallery and can provide the gallery password only to intended audiences. Parents can ask the event host or GuestQuest directly to remove specific photos of their child at any time.

6. Your Rights and Choices

Depending on where you live, you may have the following rights:

  • Access and portability: request a copy of the personal information we hold about you.
  • Correction: ask us to correct inaccurate or incomplete information.
  • Deletion: ask us to delete your session, your uploaded content, and your face embedding (if any).
  • Objection / restriction: object to or restrict certain processing.
  • Withdraw consent: withdraw consent for features you had opted in to (including Find My Photos), at any time.
  • CCPA / California: California residents have the rights above plus the right to know what personal information is collected, the purposes of collection, and the categories of third parties with whom it's shared. We do not sell personal information.
  • GDPR / EEA / UK: residents of the European Economic Area and the UK have rights under the GDPR/UK GDPR, including lodging a complaint with your local supervisory authority.

To exercise any of these rights, email hello@guestquest.app. We may need to verify your identity before acting on certain requests.

7. Data Retention

  • Guest sessions and photos: retained while the event is active and for up to 12 months after event end unless the host has a different retention setting or you request deletion sooner.
  • Face embeddings (Find My Photos): deleted when the event ends or when you delete your session — whichever comes first.
  • Admin account data: retained for as long as you maintain an admin account, plus a reasonable period for legal and audit purposes.
  • Email records: transactional email metadata may be retained by our email provider for up to 30 days.
  • Aggregated analytics: may be retained in de-identified form indefinitely.

8. Security

We use industry-standard measures to protect personal information, including encryption in transit (HTTPS), server-side role-scoped access controls, and password hashing for admin accounts. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security. If we become aware of a security incident affecting your information, we will notify you as required by applicable law.

9. International Data Transfers

GuestQuest is operated from the United States. If you use the Service from outside the U.S., your information will be transferred to and processed in the U.S. By using the Service, you consent to such transfer.

10. Do-Not-Track

Our Service does not currently respond to Do-Not-Track browser signals, because there is no consistent industry standard for them. We honor the opt-outs described in Section 6 above.

11. Changes to This Policy

We may update this Policy from time to time. When we do, we will revise the “Last updated” date and, for material changes, notify admin account holders by email and show an in-product notice. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

12. Contact

For privacy questions, data requests, or to reach our privacy contact, email hello@guestquest.app.

Questions about this document? Email hello@guestquest.app.