Privacy Policy
Last updated: loading...
Consent bundle version: loading...
This policy explains what data Kuestify collects, why, and the choices you have. The version currently in force is identified by the version number above.
1. Who we are
Kuestify is operated by xSolia LLC, a Texas limited liability company ("xSolia", "we", "us"). For the data described here, xSolia LLC is the data controller. This policy applies to the Kuestify website (kuestify.com) and mobile applications.
2. Data we collect
Account and profile
Email address, a securely hashed password, username, display name, and any optional profile details you add (such as a bio or avatar).
Content and activity
The projects, validation responses, innovation ideas, votes, partner/collaboration interactions, and chat messages you create or send through the Service, along with related metadata.
Payments and subscriptions
We do not store full payment-card numbers. Card payments on the web are processed by Stripe; mobile purchases are handled through the Apple App Store or Google Play via RevenueCat. We store your subscription tier and status and the customer/transaction identifiers needed to manage your plan.
Identity verification (sensitive)
If you undergo creator verification, it is performed by Stripe Identity and may involve a government-issued ID and a biometric likeness check. The identity documents and biometric data are collected and processed by Stripe as part of the verification; xSolia does not receive or store the raw documents or biometric identifiers. We receive and store only the verification result, status, reference identifiers, and timestamps. We process this sensitive category only with your explicit consent (see "Legal bases" and "Data retention").
Technical and security data
IP address, device and browser information, log and diagnostic data, error reports (via Sentry), and signals used for rate limiting, abuse prevention, and new-device alerts. We use Cloudflare Turnstile to distinguish humans from bots on certain actions.
Cookies, local storage, and communications
We use cookies and local storage for authentication/session, your theme preference, and your consent choices (see "Cookies and your choices"). We also store transactional email activity and, if you opt in, your web-push subscription token to send notifications.
Connected social accounts
If you connect a social account (such as X, LinkedIn, a Facebook Page, or Instagram) so that Kuestify can publish on your behalf, we store that account's identifier and handle/display name, the permissions (scopes) you granted, the connection status, and the access/refresh tokens needed to post. These tokens are encrypted at rest, and we never receive or store your social account password. When you choose to publish, we also store the post content you submit and the result the platform returns (such as a post identifier or an error message). You can disconnect at any time, which removes the stored tokens.
3. How we use your data
- Provide, operate, and improve the Service and its features.
- Process subscriptions, payments, and refunds, and verify identity where required.
- Secure the Service: authentication, fraud and abuse prevention, rate limiting, and new-device alerts.
- Communicate with you about your account, transactions, and (with consent) notifications.
- Publish posts to the social accounts you connect, only at your direction.
- Understand usage and diagnose errors to keep the Service reliable.
- Comply with legal obligations and enforce our Terms.
4. Legal bases (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the Service you request); legitimate interests (security, abuse prevention, and improving the Service); consent (for optional cookies, push notifications, and certain communications, which you may withdraw at any time); and legal obligation (e.g., financial record-keeping). For identity verification involving biometric or other special-category data, we rely on your explicit consent (GDPR Article 9); you can decline, though some features may then be unavailable.
5. Service providers and sub-processors
We share data with vendors only as needed to run the Service, under contracts requiring appropriate protection. Key providers include:
- Stripe — payment processing (web) and identity verification (Stripe Identity).
- RevenueCat and the Apple App Store / Google Play — mobile subscription processing.
- GetStream — chat and messaging.
- X (Twitter), LinkedIn, and Meta (Facebook / Instagram) — only if you connect one of these accounts: when you choose to post, we send your authorized content to that platform through its official API to publish on your behalf. Each platform handles the data you publish under its own privacy policy.
- Sentry — error and performance monitoring.
- Cloudflare (Turnstile) — bot and abuse prevention.
- Email delivery and web-push infrastructure — to send transactional messages and notifications.
- Content delivery networks (for fonts and libraries) — which may receive your IP address when assets load.
We do not sell your personal information.
6. International transfers
We are based in the United States, and our providers may process data in the United States and elsewhere. Where we transfer personal data from the EEA, UK, or other regions with transfer restrictions, we rely on appropriate safeguards such as Standard Contractual Clauses where required.
7. Data retention and deletion
We retain personal data only as long as necessary for the purposes described above. Typical periods are:
- Account and profile data — kept while your account is active; deleted or anonymized within 90 days of account deletion.
- Member content — removed or anonymized on account deletion, though anonymized or aggregated data may remain.
- Payment and subscription records — retained as required for tax and accounting purposes, typically up to 7 years.
- Identity verification records (status and references) — kept for the life of your account; the underlying biometric data is not stored by xSolia and is retained by Stripe under its own schedule.
- Connected social account tokens — kept (encrypted) while the connection is active; deleted when you disconnect the account or delete your account.
- Logs, security, and anti-abuse data — typically up to 12 months.
You can request deletion by deleting your account or by contacting support@kuestify.com. We honor statutory deletion rights, subject to records we must retain to meet legal, tax, security, or fraud-prevention obligations.
8. Cookies and your choices
We use cookies and similar local storage in these categories:
- Strictly necessary — authentication/session and core security; required for the Service to work.
- Preferences — for example, your light/dark theme choice.
- Security and anti-abuse — including Cloudflare Turnstile to tell humans from bots.
- Diagnostics — error and performance monitoring (Sentry) to keep the Service reliable.
We ask for your consent for non-essential categories through our consent banner, and you can review or change your choices at any time through the cookie/consent settings in the Service. Your current selection is recorded under the consent bundle version shown at the top of this page.
9. Your rights (EEA/UK — GDPR)
If you are in the EEA or UK, you have the right to access, rectify, erase, restrict, or port your personal data; to object to certain processing; and to withdraw consent at any time. You may also lodge a complaint with your local data protection supervisory authority. To exercise these rights, contact support@kuestify.com.
10. Your rights (California — CCPA/CPRA)
Notice at collection. We collect the categories of personal information described in "Data we collect" — identifiers, account and profile data, commercial/subscription information, internet and network activity, and, for verification, sensitive information (a government-issued ID and biometric data) — for the business purposes described in "How we use your data," and we retain each category as described in "Data retention." We do not sell or share personal information for cross-context behavioral advertising, and we do not use or disclose sensitive personal information beyond the purposes permitted by the CCPA.
Your rights. California residents may request to know/access, delete, or correct their personal information, and may limit the use of sensitive personal information. Submit a request to support@kuestify.com; we will verify your identity (typically by confirming control of your account email) and respond within the timeframe the CCPA requires (generally 45 days, extendable once). You may use an authorized agent, and we will not discriminate against you for exercising these rights.
11. Children's privacy
The Service is not directed to children, and we do not knowingly collect personal data from anyone under 18 (or under the minimum age in your jurisdiction). If you believe a child has provided us data, contact us and we will delete it.
12. Security
We use industry-standard measures including encryption in transit (HTTPS), password hashing, access controls, and monitoring. No method of transmission or storage is completely secure, but we work to protect your data and to respond promptly to incidents.
13. Changes to this policy
We may update this policy from time to time. The current version is identified by the version number above. For material changes we will provide notice through the Service or by email and, where required, request renewed consent.
14. Contact
For privacy questions or to exercise your rights, contact support@kuestify.com (xSolia LLC, Texas, USA).