Privacy Policy

Last updated: April 28, 2026

1. Introduction

HeroQuest (“we,” “our,” or “us”) operates the HeroQuest web application at heroquest.app. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you access or use our service. By using HeroQuest, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the service.

2. Information We Collect

We collect the following categories of information:

  • First name — collected when you complete the quiz, used to personalize your reading.
  • Email address — collected when you complete the quiz, used to deliver and authenticate access to your reading.
  • Gender (optional) — you may optionally provide gender so we can use appropriate pronouns in your reading. You may decline to provide this.
  • Quiz answers — your responses to the quiz questions, used to determine your primary and secondary archetype. Until you complete a purchase, your answers are stored only in an encrypted, HTTP-only cookie on your own device. After purchase, only your computed archetype results (not the raw answers) are stored in our database alongside your account.
  • Payment information — processed securely by Stripe. We do not store your card details on our servers. Stripe may collect billing address and payment method information.
  • Marketing preferences — whether you have opted in to receive occasional reflections by email.
  • IP address and user agent — automatically collected and stored alongside your session for security and authentication purposes.
  • Device and browser information — may be collected anonymously by analytics services to help us understand aggregated usage patterns.

3. Cookies and Similar Technologies

We use the following cookies:

  • Quiz state cookie — an encrypted, HTTP-only cookie that stores your in-progress quiz answers on your own device until you complete the quiz. This cookie is essential for the quiz to function.
  • Session cookies — HTTP-only, secure cookies managed by our authentication system to maintain your access to your purchased reading. These are essential for the service to function.
  • Analytics — we may use anonymous, privacy-respecting analytics that collect aggregated usage data (page views, device type, browser). No personally identifiable information is collected by analytics.

We do not use advertising cookies or third-party tracking cookies.

4. How We Use Your Information

  • To deliver your personalized reading.
  • To authenticate your access to your reading via email-based one-time password.
  • To process payments through Stripe.
  • To communicate with you about your account, your purchase, or service updates by email.
  • To send occasional reflections, only if you have opted in.
  • To maintain security, prevent fraud, and monitor for abuse using session data (IP address and user agent).
  • To analyze anonymous, aggregated usage patterns and improve the service.

5. Third-Party Services

We rely on the following categories of third-party services to operate HeroQuest. Each service receives only the data necessary to perform its function:

  • Stripe — payment processing. Stripe receives your payment and billing information. See Stripe’s Privacy Policy.
  • Email delivery provider — used to deliver one-time password emails for authentication, your reading link, and any account-related communications. Your email address is shared with our email delivery provider solely for these purposes.
  • Hosting and infrastructure provider — hosts the application and serverless functions. Your request metadata (IP, user agent) may be processed here for routing, security, and abuse prevention.
  • Database hosting provider — your account record and computed reading metadata are stored in a securely hosted PostgreSQL database with SSL encryption.
  • Analytics — we may use anonymous, privacy-respecting analytics to understand aggregated usage. No personally identifiable information is shared with analytics providers.

6. Data Sharing

We do not sell, rent, or trade your personal information to third parties. We share data only with the service providers listed above, and only to the extent necessary to operate HeroQuest. We may also disclose information if required by law, legal process, or to protect our rights, safety, or property, or those of our users.

7. Data Retention and Deletion

We retain your information as follows:

  • Account data — retained for as long as your account is active so you can return to your reading. Upon account deletion, your account record is permanently removed from our database, subject to records that we are legally required to retain.
  • Reading metadata — the computed primary and secondary archetype tied to your account is retained for as long as your account is active, so the reading can be re-displayed.
  • Payment records — Stripe retains transaction records in accordance with their own data retention policies and legal obligations (typically several years for tax and anti-fraud purposes).
  • Marketing email list — if you opt in, your email is retained on our marketing list until you unsubscribe or request deletion.

To request deletion of your account and associated data, please contact us at support@heroquest.app. Some records may be retained where required by law (e.g., tax, anti-fraud).

8. Data Security

We implement industry-standard security measures to protect your data:

  • All data is transmitted over HTTPS (TLS encryption).
  • Quiz state is stored in an encrypted, HTTP-only cookie before purchase.
  • Session cookies are HTTP-only and secure, preventing client-side script access.
  • Payment information is handled entirely by Stripe, which maintains PCI DSS compliance.
  • Database connections use SSL encryption.

While we strive to protect your information, no method of transmission or storage is one hundred percent secure. We cannot guarantee absolute security.

9. Children’s Privacy

HeroQuest is not intended for use by anyone under the age of sixteen (16). We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at support@heroquest.app.

10. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data and account.
  • Withdraw consent for data processing (including marketing emails).
  • Request a copy of your data in a portable format.
  • Object to or restrict certain processing of your data.

To exercise any of these rights, contact us at support@heroquest.app.

11. International Users

HeroQuest is operated using infrastructure provided by global cloud and database providers. If you access the service from outside the country in which our infrastructure is located, your information may be transferred to and processed in jurisdictions where these providers operate. By using HeroQuest, you consent to this transfer and processing.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page. Your continued use of HeroQuest after changes are posted constitutes acceptance of the updated policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy, contact us at support@heroquest.app.