Privacy Policy
Effective Date: May 18, 2026 · Last Updated: May 18, 2026
Questyz LLC ("Questyz") provides this Privacy Policy to explain how Questyz collects, uses, discloses, and safeguards personal information collected through questyz.com and the Questyz mobile applications (the "platform"). This Privacy Policy applies to all users of the platform, including users who post quests ("Patrons"), users who complete quests ("Heroes"), and anonymous visitors to the platform. Certain data-collection practices described in this Privacy Policy apply only to one user role, and those role-specific practices are identified where they appear.
Please read this policy carefully. You agree to the practices described in this Privacy Policy when you create a Questyz account and check the box accepting the Questyz Terms of Service and this Privacy Policy. Anonymous visitor data is collected as described in Section 6 (Cookies, Tracking, and Analytics) before account creation; that data is governed by this Privacy Policy whether or not you go on to create an account.
INFORMATION WE COLLECT
#### Information You Provide
- Account registration: name (or username), email address, password. You may alternatively sign in via Google or Apple (“Sign in with Google” / “Sign in with Apple”), in which case the provider supplies your email address and basic profile information (name and, where available, profile photo) to us, and you do not create a Questyz-specific password.
- Profile information: display name, avatar, location (city/ZIP), biography
- Identity verification: When identity verification is required under the Terms of Service, Questyz initiates a verification session through Stripe Identity, an independent third-party identity verification service operated by Stripe, Inc. Stripe Identity collects government-issued identification documents and biometric selfie data (including liveness detection) directly from you, and processes that data under Stripe's own privacy policy. Questyz receives only a verification status signal (verified or not verified), and never receives, views, or stores your government-issued identification documents or biometric data. The verification status signal is retained for the life of your account and deleted when your account is deleted (see Section 4).
- Quest and listing content: quest descriptions, images, reward amounts, skills
- Payment information: For Patrons, card payments are processed exclusively by Stripe. For Heroes, payouts are processed by PayPal, which requires Heroes to provide a PayPal email address to Questyz. The PayPal email address is transmitted to PayPal for payout processing and is retained by Questyz only as needed to initiate payouts and reconcile transactions. Tips, when given by Patrons, are processed as separate Stripe payment intents distinct from the original quest payment. Questyz does not store card numbers, bank account numbers, or payment credentials.
- Communications: messages sent through our inbox system, feedback, and support requests
- Community / social content: optional guild participation including guild names, tags, mottos, banner color preferences, and trophy showcases featuring user-earned virtual items
#### Information Collected Automatically
- Log data: IP address, browser type, pages visited, time and date, referring URL
- Device information: device type, operating system, mobile device identifiers
- Usage data: features used, quests viewed, search queries, session duration
- Cookies and similar tracking technologies (see Section 6)
#### Information from Third Parties
- Stripe: payment status, transaction IDs, merchant account status
- PayPal: payout status, transaction IDs
- Stripe Identity: verification status only (no document data)
- Supabase: our database provider stores your account and activity data in secure cloud infrastructure
- Google (when “Sign in with Google” is used): email address, name, profile photo, and a stable Google-assigned identifier
- Apple (when “Sign in with Apple” is used): email address (or Apple-generated relay email if the user chose to hide their address), name as provided by the user at first sign-in, and a stable Apple-assigned identifier
- PostHog: see Section 6 for analytics-related data collection
- Sensitive categories of information. The following data Questyz collects warrants additional handling and is not used for any purpose beyond those listed in Section 2:
- (a) approximate location (city and ZIP), collected for quest matching and proximity display purposes;
- (b) profile photos uploaded by users to the user's avatar or profile; and
- (c) government-issued identification and biometric selfie data submitted to Stripe Identity for identity verification. As described above, this data is collected and processed directly by Stripe Identity and is never received or retained by Questyz.
- Questyz does not use the categories listed in this subsection for any purpose beyond those listed in Section 2 (How Questyz Uses Your Information), and Questyz does not sell or rent this information to any third party.
- Anthropic AI content moderation. Images uploaded by Patrons to quest listings, by Heroes to hero listings, and by users to profiles may be analyzed by Questyz's AI content-moderation provider (Anthropic) for the purpose of detecting policy violations including illegal content, adult content, and prohibited items. This processing occurs on Questyz's behalf under a data-processing arrangement with Anthropic. Anthropic is not permitted to use uploaded images for its own purposes.
- Guild and community content visibility. The optional guild and community content listed above (guild names, tags, mottos, banner color preferences, accent colors, and trophy showcases) is public-facing and visible to other users of the platform, and to non-authenticated visitors who can browse guild and quest listings. Hero listings, hero profile content, ratings, and quest activity history are also public-facing. Private messages are not public.
HOW WE USE YOUR INFORMATION
Questyz uses collected information for the purposes listed below. Each purpose lists the specific data categories used:
- Account creation and management (data categories: name, email, password or single-sign-on identifier, profile information).
- Quest transaction facilitation (data categories: name, email, location, quest content, payment authorization status, identity verification status).
- Payment processing (data categories: card payment data via Stripe for Patrons, PayPal email and payout transaction status for Heroes, transaction amounts).
- Identity verification routing (data categories: account email and Stripe Identity verification session reference; Questyz does not receive the underlying documents).
- Transactional email delivery (data categories: name, email, quest activity, message content as needed to deliver the email).
- Public profile display (data categories: display name or username, avatar, verified badge, hero tier, rating, quest count, public quest history, hero listing content, guild and community content).
- Product improvement and feature development (data categories: usage data, anonymized analytics events, support and dispute communications, aggregate quest activity).
- Fraud detection, abuse prevention, and enforcement of the Terms of Service (data categories: account data, IP address, device information, transaction patterns, identity verification status, support tickets).
- Legal compliance and response to lawful requests (data categories: any data category necessary to comply with the request).
- Platform updates and service announcements (data categories: name, email; Heroes and Patrons may opt out of non-essential marketing communications).
- AI content moderation. Images uploaded by users may be analyzed by Questyz's AI content-moderation provider (Anthropic) for the purpose of detecting policy violations. The image content itself is the data category used for this purpose.
Questyz does not sell personal information to third parties, and does not rent or trade personal information to third parties. Questyz does not use personal information for advertising or marketing purposes by third parties.
HOW WE SHARE YOUR INFORMATION
- With other users. Your public profile (username, verified badge, hero tier, rating, quest count) is visible to other users on the platform. Your legal name, email address, PayPal email address, and payment information are not shared with other users.
- With service providers. Questyz shares data with the following third-party providers who process data on Questyz's behalf, each under a written agreement or data-processing arrangement:
- Stripe — card payment processing (PCI-DSS Level 1 certified)
- Supabase — database and authentication infrastructure
- Stripe Identity — identity verification (receives your documents; we receive only status)
- Resend — transactional email delivery
- Netlify — hosting and serverless functions
- Anthropic — AI-powered content moderation for images
- PostHog — product analytics and funnel measurement (see Section 6)
- Google and Apple — identity provider services for users who sign in with Google or Apple
Each of these service providers is bound by a written agreement or data-processing arrangement that limits their use of personal data to the purposes for which Questyz engaged them and prohibits their use of personal data for their own marketing or advertising purposes. Questyz maintains a current list of sub-processors and the related agreements; see Section 6(c) for how to request the list.
- Legal Requirements. We may disclose your information if required by law, court order, or government authority, or to protect the rights, property, or safety of Questyz, our users, or the public.
- Business Transfers. If Questyz is acquired by, merges with, sells substantially all assets to, or undergoes reorganization with another entity, personal data may be transferred as part of that transaction. Questyz will provide notice to registered users at least thirty (30) days before personal data is transferred. During that thirty (30) day window, registered users may delete their account, which will prevent transfer of personal data to the acquiring entity to the extent permitted by applicable law. Financial transaction records that Questyz retains under Section 4 for legal and tax purposes will still transfer with the business.
DATA RETENTION AND ACCOUNT DELETION
Questyz retains personal data only for as long as needed to provide the platform, satisfy the legal and operational purposes described below, or comply with applicable law. The retention period depends on the data category:
(a) Account data (name, email, profile information, login credentials): retained while the account is active and permanently deleted within thirty (30) days after a deletion request executes (see the deletion process below).
(b) Quest history records: retained while the account is active and, after account deletion, anonymized and retained as described in subsection (d) below to preserve counterparty transaction history.
(c) Identity verification status signal (verified or not verified): retained for the life of the account and deleted with the account. The underlying documents and biometric data are processed by Stripe Identity and never retained by Questyz.
(d) Support and dispute communications: retained for three (3) years after the related quest closes or the related account is deleted, for legal and platform-integrity purposes.
(e) Waitlist email addresses (for users who joined the waitlist before launch): retained until unsubscribe or for six (6) months following the public launch of the platform, whichever is earlier.
(f) Financial transaction records: retained for seven (7) years as required by U.S. tax and financial reporting law.
(g) Anonymized aggregate analytics data: retained indefinitely, only after personally identifying fields have been removed as described in subsection (d) below.
You may delete your account at any time from the side menu (Sign Out → Delete my account). Account deletion follows a structured 30-day process designed to protect both you and other users on the platform:
- Pre-deletion check. We will not accept a deletion request while you have unresolved obligations to other users — open quests you posted, accepted quests in progress, open disputes, pending payouts, or guild leadership. The interface lists what needs to be resolved first.
- 30-day grace window. After you submit a deletion request, your account enters a 30-day grace window. During this window your account remains accessible. You can sign back in and cancel the deletion at any time during the 30 days. After the 30 days elapse, deletion executes automatically and irreversibly via a daily process.
- What is deleted. When deletion executes, the following are permanently removed from our active systems:
- Your name, email, profile photo, biography, and location
- Your gear inventory, equipped items, and saved quests
- Your notifications and guild memberships
- Your sign-in credentials (account login is permanently disabled)
- What is anonymized and retained. The following records are retained but stripped of fields that personally identify you: your name is replaced with "Deleted User," and your email, phone number, profile photo, and account identifier are removed from the retained records. Retention here is to preserve the legitimate interests of the other users you interacted with. After this anonymization, the retained records contain no fields that, alone or in combination with other data Questyz retains, can reasonably be used to identify you, and Questyz treats those records as outside the definition of "personal data" under applicable state privacy laws:
- Quest records you posted or accepted, so your counterparties retain their own transaction history
- Reviews you wrote or received, so other users retain accurate reputation data
- Dispute records and dispute messages, retained for legal and platform-integrity reasons
#### What is retained for legal and tax compliance
- Financial transaction records (payments, payouts, refunds, fees) are retained for the period described in subsection (a)(f) above (seven (7) years as required by U.S. tax and financial-reporting law)
- Anonymized aggregate analytics data may be retained indefinitely
- Manual deletion requests. If you cannot use the in-app deletion flow, you may email privacy@questyz.com to request deletion. Manual requests are subject to the same 30-day timeline and the same retention rules described above.
YOUR RIGHTS AND CHOICES
Depending on your state of residence, you may have the following rights with respect to personal data Questyz holds about you. Questyz responds to verifiable rights requests within forty-five (45) days of receipt, and may extend this period by an additional forty-five (45) days when necessary, with notice to the requestor. To exercise any of these rights, contact privacy@questyz.com. Questyz verifies the identity of requestors by matching the email address in the request to a registered Questyz account, and may request additional verification for deletion or portability requests involving sensitive data.
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and personal data
- Portability: Receive your data in a portable, machine-readable format.
- Opt-out: Opt out of marketing communications at any time.
Questyz will not penalize users for exercising any of these choices. Marketing-communications opt-out is available at any time. To exercise these rights, contact us at: privacy@questyz.com
Virginia residents. Virginia residents have the right under Virginia law to access, correct, and delete personal data Questyz holds about them, to obtain a portable copy, and to opt out of sale. Questyz does not sell personal data. To exercise these rights, contact privacy@questyz.com.
California residents. The categories of personal information Questyz collects from California residents, and the categories of third parties with whom Questyz shares that information, are described in Sections 1 and 3 of this Privacy Policy. California residents may review and change their personal information by accessing their account or by contacting privacy@questyz.com. Questyz does not sell personal information to third parties. Questyz's response to browser-based "Do Not Track" signals is described in Section 6.
COOKIES, TRACKING, AND ANALYTICS
- Cookies. Questyz uses cookies and similar technologies on the platform. Cookies fall into the following categories:
- (i) Strictly necessary cookies are used to authenticate signed-in users and maintain session state. The platform cannot function without these and they cannot be disabled.
- (ii) Functional cookies remember user preferences such as display settings and language. These can be controlled through browser settings.
- (iii) Analytics cookies measure platform usage on an anonymized basis through PostHog (described in subsection (b) below). These are optional. To opt out of analytics cookies on the platform, follow the opt-out instructions in subsection (b) below, transmit a Global Privacy Control signal (see subsection (d) below), or disable analytics cookies through browser settings.
- (iv) Advertising cookies. The platform does not use advertising cookies. Questyz does not allow any third party to set advertising cookies on the platform.
- The specific cookie purposes are:
- Keep you logged in (authentication cookies)
- Remember your preferences
- Analyze platform usage (anonymized)
We do not use third-party advertising cookies. You can control cookies through your browser settings. Disabling cookies may affect platform functionality.
- Product analytics (PostHog). We use PostHog, a third-party product analytics service, to understand how visitors and authenticated users move through the platform. PostHog collects the following:
- Pageviews and routes navigated
- Clicks and form interactions (autocapture)
- Custom events corresponding to product funnel steps (for example, when an authentication modal is opened, when a quest card is clicked, when signup completes)
- Approximate location derived from IP address
- Browser and device information (user agent, viewport size)
- A persistent identifier (“distinct_id”) that is anonymous for non-authenticated visitors and is associated with your Questyz user ID once you sign in
PostHog data is processed on our behalf for the limited purpose of measuring product usage and improving the platform. We do not use PostHog for advertising, retargeting, or sharing your data with third parties.
Privacy posture for analytics:
- Password fields and other inputs flagged as sensitive are automatically redacted before being captured.
- Session video recording. Session video recording is disabled by default platform-wide. If Questyz enables session video recording in the future, Questyz will provide registered users with advance notice by email at least thirty (30) days before the feature is activated, and session video recording will not be enabled on verification screens, payment screens, or dispute screens.
- PostHog respects the browser-level "Do Not Track" (DNT) signal; users whose browsers transmit a DNT signal will not be tracked.
- Anonymous pre-signin analytics events become associated with the user's Questyz user ID after sign-in. This association is performed solely for internal product analytics (funnel measurement) and the pre-signin data is not shared with third parties for advertising or any other purpose. Users whose browsers transmit a DNT signal are excluded from this identity-linking process entirely. If you do not wish for pre-signin browsing to be associated with your account, you may use private/incognito browsing prior to signing in, or contact privacy@questyz.com.
- Sub-processor list. A current list of analytics and infrastructure sub-processors is available on request from privacy@questyz.com.
SECURITY
We implement industry-standard security measures including:
- Encryption in transit (HTTPS/TLS)
- Encrypted storage via Supabase with Row Level Security
- Payment data handled exclusively by Stripe and PayPal (PCI-DSS Level 1 compliant)
- Identity documents handled exclusively by Stripe Identity (document authenticity checks, biometric selfie matching, and liveness detection)
No system is completely secure, and Questyz cannot guarantee absolute security of personal data. In addition to the technical measures above, Questyz restricts access to personal data to authorized personnel on a need-to-know basis and conducts periodic access reviews. In the event of a data breach affecting personal information, Questyz will notify affected users and applicable state authorities in accordance with applicable state breach notification laws, including the timeframes those laws require.
CHILDREN’S PRIVACY
Questyz is intended only for users who are at least 18 years old. The Terms of Service require all users to affirm they are at least 18 years old at account creation, and account creation is the gating mechanism for collection of personal data on the platform. Questyz does not knowingly collect personal information from children under 13 years of age within the meaning of the Children's Online Privacy Protection Act (COPPA). If Questyz becomes aware that personal information has been collected from a user under 13, Questyz will promptly terminate that account and delete all personal information associated with it from Questyz's active systems, subject to the retention obligations described in Section 4. The COPPA prohibition on collection from children under 13 applies in addition to, and separately from, the Questyz minimum-age requirement of 18 set in the Terms of Service. If you believe a minor has provided us with personal information, contact us at privacy@questyz.com.
THIRD-PARTY LINKS
Our platform may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies.
CHANGES TO THIS POLICY
Questyz may update this Privacy Policy from time to time. For any material change, Questyz will provide registered users with email notice at the email address associated with the user's account at least thirty (30) days before the change takes effect. "Material change" means any change to the categories of personal data collected, the purposes for processing, the categories of third parties to whom personal data is disclosed, the data retention periods, the rights of users under this policy, or the third-party service providers (sub-processors) listed in Section 3. Users who do not accept the modified Privacy Policy within the thirty (30) day notice period may close their account without penalty, in which case their personal data will be handled in accordance with Section 4. For changes that are not material (such as typographical corrections, clarifications, or updates to contact information), Questyz may update this Privacy Policy by posting the revised version on the platform.
CONTACT US
If you have questions about this Privacy Policy or our data practices:
Questyz LLC
privacy@questyz.com
questyz.com
1075 Garrisonville Road STR 108 PMB 1015, Stafford, Virginia 22556, United States
Privacy-related inquiries and rights requests should be directed to the Questyz Privacy Team at privacy@questyz.com. Jeff Y., founder of Questyz LLC, serves as the responsible person for privacy compliance at this stage of the company.
This policy was reviewed by outside counsel and updated effective May 18, 2026.