Privacy Policy

MidnightQuest s.r.o. is the data controller responsible for personal data processed through the Platform. We are registered as a data controller with the Office for Personal Data Protection of the Czech Republic (UOOU). For any questions about our data practices, please contact our Data Protection Officer at the address above.

We collect personal data in several ways: information you provide directly, data generated by your use of the Platform, and data received from third-party services.

2.1 Account and Identity Data

When you register, we collect: email address, chosen username, display name, and password (stored as a cryptographic hash — never in plain text). Optionally, you may provide a profile photograph and biography. This data is necessary to create and maintain your account.

2.2 Location Data

When you perform a check-in through the Platform, we collect the GPS coordinates you submit (latitude and longitude) at the time of the check-in. This data is used to verify the check-in and award experience points. We do not continuously track your location. Location data is only collected when you actively initiate a check-in.

2.3 Booking and Transaction Data

When you make or receive a booking, we collect: stay details, check-in and check-out dates, number of guests, booking status, pricing information, and any messages exchanged between guest and host. Payment card details are processed and stored by our payment provider (Stripe) — we do not store full card numbers or CVV codes.

2.4 Usage and Analytics Data

We collect data about how you use the Platform, including: pages visited, features used, search queries, time spent on pages, referring URLs, browser type, operating system, IP address, and approximate geographic location derived from IP. This data is used in aggregated and anonymised form to improve the Platform.

2.5 User-Generated Content

Any content you create on the Platform — including reviews, check-in notes, photographs, location descriptions, and messages — is stored and processed by us.

2.6 Communication Data

If you contact us by email, through support tickets, or via in-platform messaging, we retain those communications for up to 3 years for customer service and dispute resolution purposes.

2.7 Data We Do Not Collect

We do not collect special categories of personal data (sensitive data) such as health information, racial or ethnic origin, political opinions, religious beliefs, or biometric data, except where strictly necessary and with your explicit consent.

• ·Account Management: Creating and maintaining your account, authenticating you when you sign in, and enabling you to use Platform features.
• ·Booking and Payments: Processing booking requests, calculating fees, facilitating host payouts, and maintaining booking records.
• ·Gamification System: Tracking XP, check-ins, mission completions, level calculations, and key tier progression.
• ·Communications: Sending transactional emails (booking confirmations, check-in reminders), important service notices, and — with your consent — marketing communications.
• ·Safety and Trust: Detecting and preventing fraud, abuse, and violations of our Terms of Service. Verifying host listings.
• ·Platform Improvement: Analysing usage patterns to improve the user experience, fix bugs, and develop new features.
• ·Legal Compliance: Complying with applicable laws, responding to lawful requests from authorities, and enforcing our Terms.
• ·Customer Support: Responding to your requests, questions, and resolving disputes.

Under GDPR Article 6, we rely on the following legal bases for processing your personal data:

Legitimate Interests: Where we rely on legitimate interests, we have assessed that our interests are balanced against your rights and freedoms, and do not override them. You may object to processing based on legitimate interests at any time (see Section 6).

We retain your personal data only for as long as necessary for the purposes set out in this Policy, or as required by law. Our retention periods are:

• ·Account data: Retained for the lifetime of your account plus 2 years after deletion (to handle any outstanding legal claims or disputes).
• ·Booking and financial records: Retained for 7 years from the transaction date in accordance with Czech accounting and tax law (Act No. 563/1991 Coll.).
• ·Check-in and XP data: Retained for 3 years from the date of the check-in.
• ·Analytics data: Aggregated data retained indefinitely. Individual usage data retained for 13 months.
• ·Marketing consent records: Retained for 3 years from the date of consent or until withdrawn, whichever is earlier.
• ·Support communications: Retained for 3 years from the date of the last communication.
• ·Deleted accounts: Upon account deletion, your personal data is removed from active databases within 30 days. Backups are purged within 90 days.

As a data subject under GDPR, you have the following rights. To exercise any of these rights, contact us at privacy@midnightquest.app. We will respond within 30 days.

Note: Some rights are subject to exceptions under applicable law. Where we are unable to fulfil a request, we will explain why. Identity verification may be required before we action certain requests.

We share personal data with the following trusted third-party service providers who act as data processors on our behalf. Each has been assessed for GDPR compliance and operates under a Data Processing Agreement (DPA) with MidnightQuest.

We do not sell your personal data to third parties. We do not share data with advertisers or data brokers.

Some of our data processors operate outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V:

• ·Adequacy decisions issued by the European Commission (e.g. for USA under the EU-US Data Privacy Framework where applicable).
• ·Standard Contractual Clauses (SCCs) as adopted by the European Commission.
• ·Binding Corporate Rules where applicable.

For more information about the safeguards we use for international transfers, or to obtain a copy of the relevant SCCs, contact privacy@midnightquest.app.

We use cookies and similar tracking technologies on our Platform. Cookies are small text files stored on your device. We use the following categories of cookies:

You can manage or withdraw your cookie consent at any time through your browser settings, or by using our Cookie Preference Centre (accessible via the footer of the Platform). Note that disabling essential cookies will prevent you from using the Platform.

Most browsers allow you to refuse cookies via their settings. For more information, visit aboutcookies.org.

The Platform is not directed at or intended for use by persons under 18 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at privacy@midnightquest.app and we will delete the data promptly.

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, accidental loss, destruction, or damage. These measures include:

• ·Encryption of data in transit using TLS 1.3.
• ·Encryption of data at rest using AES-256.
• ·Passwords stored as cryptographic hashes using industry-standard algorithms (bcrypt).
• ·Row Level Security (RLS) policies on all database tables to ensure users can only access their own data.
• ·Regular security audits and penetration testing.
• ·Access controls limiting staff access to personal data on a need-to-know basis.
• ·Multi-factor authentication for administrative access.
• ·Automated monitoring for suspicious activity and data breach detection.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

To report a security vulnerability, contact security@midnightquest.app.

We may update this Privacy Policy from time to time. We will notify you of material changes by email (to the address on your account) or by prominent notice on the Platform, at least 14 days before the changes take effect.

We encourage you to review this Policy periodically. The “Last updated” date at the top indicates when the Policy was last revised. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

For any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact:

We aim to respond to all privacy requests within 30 days. In complex cases, this may be extended by a further 60 days — we will inform you if this is necessary.