Skip to content
RockQuest logo RockQuest
Home How it works Get the app

RockQuest Privacy Policy

Last updated: 1 July 2026

This Privacy Policy explains how ROCKQUEST LIMITED (“RockQuest”, “we”, “us” or “our”) collects, uses, stores and shares personal data when you use the RockQuest mobile application, the RockQuest website, public rock pages and related services (together, the “Service”).

RockQuest is a real-world treasure-hunt service that lets people create, hide, discover, mark as found and re-hide painted rocks, share photos and clues, comment on rocks and follow their journeys.

Please read this Privacy Policy carefully. Children and younger users should read it with a parent or guardian.

1. Who is responsible for your data?

The data controller is:

ROCKQUEST LIMITED
Company number: 16212475
2nd Floor, College House
17 King Edwards Road
Ruislip, London
United Kingdom, HA4 7AE

Privacy contact: please use the contact form available at https://en.rockquest.org/contact-us

2. Data we collect

Depending on how you use RockQuest, we may collect the following categories of personal data.

2.1 Account and identity information

This may include:

  • your username;
  • your email address and email-verification information;
  • your date of birth;
  • your profile picture, avatar and biography;
  • your account status and role;
  • encrypted or hashed authentication information;
  • parental or guardian contact and approval information, when required;
  • information received from an identity provider when you use Sign in with Apple, Google or Facebook, such as an account identifier, name, email address, profile image or locale, depending on the information you choose to share and the provider’s settings.

We do not receive your password from Apple, Google or Facebook.

2.2 RockQuest activity and user-generated content

We process information you create or submit through the Service, including:

  • photos and other media associated with painted rocks;
  • rock names, captions, descriptions, clues and secret codes;
  • rock creation, hiding, discovery, found and re-hiding records;
  • approximate or precise rock locations;
  • comments, likes and not-found reports;
  • moderation reports, blocks and related safety actions;
  • the identity of a rock’s creator, finder or contributor;
  • the history and journey of a rock.

Do not include personal information in photos, clues, captions, comments or descriptions. In particular, do not share a home address, school, telephone number, private email address, daily routine or information that could identify a child’s real-world location.

2.3 Location information

RockQuest uses location to provide its core treasure-hunt features. With your device permission, we may process precise or approximate location information to:

  • show painted rocks near you;
  • let an eligible user record where a rock has been hidden;
  • record where a rock was found or re-hidden;
  • calculate distances and display map-based information;
  • help prevent misuse and investigate safety incidents.

A hidden rock’s location may be made available to other RockQuest users as necessary for them to find it. You should only hide rocks in safe, lawful and publicly accessible places.

RockQuest is not intended to create a continuous history of your movements. Location is processed when you use location-based features or when another location function that you have expressly enabled is active. You can control location permission in your device settings, but some features will not work without it.

2.4 Device, network and usage information

We may automatically collect technical and operational information, including:

  • Internet Protocol address;
  • connection port and request date and time;
  • device identifier used by RockQuest;
  • device type, operating system and app version;
  • language and locale;
  • push-notification token and notification provider;
  • pages, screens and features used;
  • diagnostic, crash, security and server-log information.

We use this information to operate, secure, troubleshoot and improve the Service. RockQuest does not use advertising identifiers from children or users whose age is unknown.

2.5 Camera, photo library and notifications

With your permission, RockQuest may access:

  • your camera, so you can photograph a painted rock;
  • selected photos or your photo library, so you can upload rock images or an avatar;
  • notifications, so we can send activity, account, safety and service messages.

You can change these permissions in your device settings. Disabling a permission may prevent the related feature from working.

2.6 Communications and support

When you contact us, we may collect your name, email address, message, attachments and any information needed to respond to or investigate your request.

3. How we collect data

We collect personal data:

  • directly from you when you register, create content, use location features, contact us or otherwise use the Service;
  • automatically from your device and from our servers;
  • from Apple, Google or Facebook when you choose one of those sign-in methods;
  • from other users, for example when someone comments on your rock, reports content or identifies themselves as having found a rock.

4. Why we use your data

We use personal data to:

  • create, authenticate and manage accounts;
  • provide nearby-rock, hiding, finding, re-hiding and journey features;
  • display user profiles and user-generated content;
  • send account, activity, moderation, safety and security notifications;
  • apply age-appropriate features and child-safety restrictions;
  • obtain or record parental or guardian action where required;
  • moderate content, process reports, enforce blocks and prevent abuse;
  • detect fraud, spam, unauthorised access and other security threats;
  • provide support and answer requests;
  • maintain, diagnose and improve the Service;
  • comply with legal duties and respond to lawful requests;
  • establish, exercise or defend legal claims.

We do not sell personal data. We do not use personal data for third-party behavioural or targeted advertising. RockQuest does not currently display third-party advertising.

5. Legal bases for processing

Where the UK GDPR, EU GDPR or similar laws apply, we rely on one or more of the following legal bases:

  • Contract: processing that is necessary to provide the Service you request and manage your account.
  • Legitimate interests: operating, securing and improving RockQuest; preventing abuse; moderating content; protecting users; and defending legal rights, where those interests are not overridden by your rights.
  • Consent: optional permissions, optional communications and processing for which consent is required. You may withdraw consent at any time, although this does not affect processing already carried out lawfully.
  • Parental or guardian consent or action: where required by the law applicable to a child.
  • Legal obligation: processing needed to comply with law, court orders, regulatory duties or valid requests from public authorities.
  • Protection of vital interests: in rare situations where processing is necessary to protect someone’s life or physical safety.

6. Public content and interactions with other users

RockQuest includes public or community features. Depending on the feature, the following may be visible to other users or on a public RockQuest web page:

  • username, avatar and biography;
  • rock photos, captions, descriptions and clues;
  • comments and selected activity;
  • likes and counters;
  • whether a rock is hidden, found or inactive;
  • a rock’s journey, creator and finder information;
  • location information needed for the treasure hunt.

Public content may be copied, photographed, indexed, shared or redistributed by other people outside RockQuest. Think carefully before posting.

Blocking a user limits certain interactions but may not remove copies of content already viewed, shared or stored by others.

7. Children and family privacy

RockQuest is designed for families and may be used by children. We treat children’s personal data with additional care and aim to apply privacy-protective defaults.

7.1 Age information

We ask for a date of birth so that we can provide an age-appropriate experience, comply with applicable rules and determine whether parental or guardian action is required.

The age at which a child can independently consent to certain data processing varies by country. RockQuest may therefore apply different restrictions depending on the user’s age, location and applicable law.

Users must provide an accurate date of birth and must not attempt to bypass age protections.

7.2 Restricted child features

For younger users, RockQuest may:

  • restrict the ability to publish or exchange freeform information;
  • require a parent or guardian to hide a rock in a safe public place;
  • require adult approval, action or supervision for certain features;
  • display online-safety reminders before content can be shared;
  • limit contact with unknown users;
  • restrict profile, location or communication options;
  • review or remove content that may reveal personal information.

RockQuest does not offer private one-to-one messaging between children and unknown users.

7.3 Parents and guardians

A parent or guardian may contact us to:

  • ask what personal data we hold about their child;
  • request correction or deletion;
  • withdraw consent where consent is the legal basis;
  • report an account created without the required permission;
  • raise a safety or privacy concern.

We may take reasonable steps to verify the identity and authority of the person making the request.

8. When we share data

We may share personal data in the following circumstances.

8.1 Other users and the public

We share profile information, rock content, comments, activity, journey information and location information as described in Section 6 and as required to provide the Service.

8.2 Service providers

We may use vetted service providers to provide:

  • application and website hosting;
  • database, storage, backup and content-delivery services;
  • image processing;
  • email delivery;
  • push notifications;
  • security, monitoring, diagnostics and customer support;
  • identity and sign-in services.

These providers may process data only for the services they supply to us, subject to contractual and legal safeguards where required.

8.3 Sign-in and platform providers

When you use Apple, Google or Facebook sign-in, those companies process information under their own terms and privacy policies. Apple and Google may also process information when providing app-store, operating-system and push-notification services.

8.4 Legal, safety and enforcement reasons

We may disclose information when reasonably necessary to:

  • comply with law, legal process or a valid governmental request;
  • investigate suspected crime, abuse, fraud or a safety incident;
  • protect a child, a user, RockQuest or the public;
  • enforce our terms and policies;
  • establish, exercise or defend legal claims.

8.5 Business transfers

If RockQuest is involved in a merger, financing, reorganisation, sale of assets or acquisition, personal data may be transferred as part of that transaction. We will require the recipient to protect the data and will provide notice when required by law.

9. International data transfers

ROCKQUEST LIMITED is established in the United Kingdom. Our service providers and users may be located in the United Kingdom, European Economic Area, Switzerland and other countries.

When personal data is transferred internationally, we use safeguards required by applicable law, which may include adequacy regulations or decisions, approved contractual clauses, transfer risk assessments and supplementary technical or organisational measures.

10. How long we keep data

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including safety, dispute resolution, legal compliance and enforcement.

Generally:

  • account information is retained while the account is active and may be retained for up to 24 months after account closure where needed to resolve disputes, prevent abuse or meet legal obligations;
  • support correspondence may be retained for up to 24 months after the request is closed;
  • security, diagnostic and server logs may be retained for up to 24 months, or longer when necessary to investigate a specific security or legal matter;
  • parental approval and age-assurance records are retained only for as long as necessary to demonstrate compliance and protect the child;
  • rock content and journey records are retained while needed to provide the Service and preserve the shared history of a rock.

When an account is deleted, we delete or anonymise associated personal data unless retention is required by law, safety needs, fraud prevention or legal claims. To preserve a rock’s journey for other users, some rock records may remain in anonymised or de-identified form.

Residual copies may remain temporarily in protected backups until they are overwritten under our backup-rotation process.

11. Security

We use reasonable technical and organisational measures designed to protect personal data. These measures may include access controls, authentication protections, encryption in transit, hashed authentication tokens, restricted administrative access, monitoring and backup controls.

No Internet service or storage method is completely secure. You are responsible for protecting your device and account credentials and for notifying us if you suspect unauthorised access.

12. Your privacy rights

Depending on where you live and the law that applies, you may have the right to:

  • be informed about how your data is used;
  • request access to your personal data;
  • request correction of inaccurate or incomplete data;
  • request deletion of your data;
  • request restriction of processing;
  • receive certain data in a portable format;
  • object to processing based on legitimate interests;
  • withdraw consent at any time;
  • object to direct marketing;
  • complain to a data-protection authority.

These rights may be subject to legal limitations. We may need to verify your identity before completing a request.

You may use the account settings and account-deletion options available in the app. You may also contact us using the details in Section 1.

If you are in the United Kingdom, you may complain to the Information Commissioner’s Office. If you are in the European Economic Area, you may complain to your local supervisory authority. If you are in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

13. Account and content deletion

You may request deletion of your account and personal data through the in-app deletion feature, where available, or by contacting us.

Deletion may not be immediate where information must be retained for safety, legal or fraud-prevention reasons. Public content may also remain temporarily in caches, backups or copies made by other users. Some rock-journey information may be anonymised instead of deleted so the journey remains understandable to other participants.

14. Push notifications

With your permission, we may send push notifications about comments, likes, rock activity, account matters, safety issues and important Service updates. You can disable notifications in your device settings. Essential account or legal messages may still be sent by email where appropriate.

15. Automated decision-making

RockQuest does not use personal data to make solely automated decisions that produce legal effects or similarly significant effects on users.

We may use automated rules to detect spam, suspicious activity, unsafe content or abuse. Where appropriate, these signals are reviewed or can be challenged through our support process.

16. Third-party links and services

The Service may contain links to third-party websites or services. Their privacy practices are controlled by those third parties, not by RockQuest. Review their privacy policies before providing information to them.

17. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes to the Service, our practices or applicable law. We will update the “Last updated” date and, when required, provide additional notice in the app, on our website or by email.

Material changes will apply from the date stated in the updated notice.

18. Contact us

Questions, requests and privacy concerns should be sent to:

ROCKQUEST LIMITED
Company number: 16212475
2nd Floor, College House
17 King Edwards Road
Ruislip, London
United Kingdom, HA4 7AE

Contact form: https://en.rockquest.org/contact-us

© 2026 RockQuest. All rights reserved.
Contact us Privacy Policy Terms
English Français