Privacy & Compliance

Treasure Quest Privacy Policy

Last updated: October 22, 2025

Treasure Quest (“we”, “our”, “us”) provides a Shopify app that helps merchants run interactive treasure hunt experiences, capture shopper information, award discounts, and deliver transactional communications. This policy explains how we collect, use, store, and disclose information when merchants install or use Treasure Quest or when shoppers engage with a merchant’s Treasure Quest experience.

1. Information We Collect

Merchant information

  • Shop data supplied by Shopify during OAuth (shop domain, access tokens, scopes).
  • Configuration data entered in the admin interface, including quest settings, reward details, sender display name, and custom email HTML. This data is stored in our database and synced to a shop metafield $app:quest_config.settings.
  • Quest email settings (flags such as sendSuccessEmails, delivery mode, sender display name, subject line, optional custom HTML). These are stored in the QuestReward.emailSettings JSON column in our managed Postgres database, accessible only to authenticated backend services and on-call engineers.
  • Usage analytics such as quest activations, session timestamps, API usage counts, and error logs stripped of personal data.

Shopper information (processed on behalf of merchants)

  • Contact data submitted in the Treasure Quest popup (email, optional name or phone, opt-in checkbox value).
  • Quest interaction data such as sticker impressions, clicks, progress, and reward redemptions recorded with pseudonymous identifiers.
  • Transactional message metadata covering discount codes issued, template identifiers, and delivery status for communications sent through our email delivery provider.
  • Consent state indicating whether shoppers opted into marketing. We pair the opt-in checkbox value with a timestamp and store it alongside quest email settings, then sync the result to the Shopify customer marketingConsent object.

We do not collect payment card data or browsing history outside of quest interactions, and we never sell personal information.

When consent is provided, we persist the decision in our Postgres datastore and propagate marketingState, marketingOptInLevel, and consentUpdatedAt values to the Shopify customer record so merchants can evidence permission.

2. How We Use Information

  • Provide and operate the service: configure quests, render storefront experiences, issue discounts, and create Shopify customer records when merchants opt in.
  • Deliver communications: send quest completion emails or notifications containing discount codes through our email delivery provider.
  • Maintain service integrity: debug issues, enforce rate limits, detect abuse, and produce aggregate analytics.
  • Document marketing consent: retain each opt-in decision with the accompanying timestamp inside QuestReward.emailSettings and mirror that state to Shopify’s emailMarketingConsent payload.
  • Legal compliance: respond to Shopify privacy and data deletion webhooks and assist with data subject requests.

3. Legal Bases

Where GDPR applies:

  • Legitimate interests (Art. 6(1)(f)) for merchant account management and app security.
  • Compliance with legal obligations (Art. 6(1)(c)) for responding to lawful requests.
  • Consent (Art. 6(1)(a)) for marketing communications initiated via the quest form. Merchants are responsible for documenting consent, which we surface to Shopify APIs.

4. How We Share Information

  • Shopify: quest configuration synced to shop metafields and customer records created via the Admin GraphQL API.
  • Email delivery infrastructure: sender details, recipient contact information, discount codes, and templated content shared with our chosen email service provider.
  • Infrastructure partners: hosting, database, and storage vendors bound by confidentiality and security obligations.
  • Legal disclosures: data shared to comply with laws, enforce our terms, or protect rights.

5. Retention

  • Quest configurations: maintained while the merchant subscribes plus 90 days for backup and audit, including QuestReward.emailSettings records that capture consent decisions.
  • Shopper quest submissions: retained for 180 days unless merchants request earlier deletion.
  • Communication logs: email delivery metadata retained for 60 days within our systems; external providers follow their published retention schedules.
  • Backups: encrypted database backups purged within 30 days.

Merchants can request deletion of stored data at any time, and we automatically honor Shopify’s data deletion webhooks.

6. Data Subject Rights

Where applicable (GDPR, CCPA/CPRA, and similar laws), individuals can:

  • Request access, correction, deletion, or portability of their personal data.
  • Object to or restrict processing.
  • Withdraw consent for marketing communications.

Requests should be directed to the merchant (data controller). When we receive a request, we notify the merchant and assist with fulfillment.

7. Security

  • TLS encryption for data in transit and industry-standard encryption for data at rest.
  • Least-privilege access enforced via scoped API keys and Prisma database controls.
  • Multi-factor authentication for internal tooling.
  • Continuous logging, monitoring, and incident response procedures with 24-hour initial assessments.

8. International Transfers

We may process data in the United States and other jurisdictions. Where GDPR applies, we rely on Standard Contractual Clauses or equivalent safeguards with our service providers.

9. Children

Treasure Quest is not intended for children under 13. Merchants are responsible for ensuring compliance with child privacy laws on their storefronts.

10. Contact

Treasure Labs Privacy Team
Treasure Labs Inc.
935 Eldridge Rd #1052, SUGAR LAND, United States, 77478
Email: support@treasurequestapp.com

11. Changes

We may update this policy to reflect legal, technical, or business changes. Material updates will be communicated through the app admin or email, and continued use after notice constitutes acceptance.