Legal
Privacy Policy
Effective Date: May 4, 2026
Last Updated: May 4, 2026
Musical Mycology, LLC ("Musical Mycology," "we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard personal information across:
- Our websites, including musicalmycology.org and ren-quest.com (the "Sites")
- The RenQuest software-as-a-service platform and any of its branded "skins" deployed by event operators (the "Service")
- Our mobile applications for iOS and Android ("Apps")
- Email and other communications we send
Together, the Sites, Service, and Apps are the "Offerings." This Policy is incorporated into our Terms of Service and our Mobile App EULA.
If you have questions, contact us at privacy@musicalmycology.org or Musical Mycology, LLC, Attn: Privacy Officer, 36 S 18th Ave, Ste D, Brighton, CO 80601, US.
1. About RenQuest's white-label structure
RenQuest is a multi-tenant platform we operate. Renaissance faires, conventions, and other event operators ("Operators") license RenQuest to run quests, faction games, and related experiences for their attendees ("Players").
- For Players: Musical Mycology is the operator-of-record of the underlying platform; the Operator running the event you're attending is the data controller for event-specific decisions (which quests exist, which prizes are offered, etc.). This Policy explains what Musical Mycology does with your data.
- For Operators: When you use RenQuest as an Operator, Musical Mycology processes Player data on your behalf as a service provider/processor. Our Data Processing Addendum governs that relationship.
2. Information we collect
We collect information in three ways: directly from you, automatically as you use the Offerings, and from third parties.
2.1 Information you provide
- Account information: name, email, password, phone (optional), role (Operator vs. Player), Operator/event affiliation.
- Profile information: display name, avatar, character/persona name, faction affiliation, badges earned.
- Payment information: for paid subscriptions, name on card, billing address, last-four digits and card brand. Full card numbers are processed by our payment processor (Stripe / Apple App Store / Google Play) and not stored by us.
- Communications: messages you send to support, survey responses, feedback.
- User-submitted content: photos and other content you upload through the Offerings (the "User Content"). In the current release, User Content is stored privately to your account (for example, profile avatars and saved badge or quest screenshots) and is not displayed to other users. We may, in a future release, introduce features that let you choose to share specific User Content with other users, an Operator, or other audiences. We will give you advance notice and a chance to consent before any change in default visibility, and we will not retroactively share content that was uploaded under a private-only model without your consent.
2.2 Information collected automatically
- Device and usage data: device model, OS version, app version, IP address, language, time zone, crash logs, page views, taps and clicks, session duration, referring URL.
- Location data:
  - Approximate location (city/region) inferred from IP, used to localize content.
  - Precise location (GPS-level), only after you grant permission, used for quest features that require knowing where you are at an event (proximity-based check-ins, geo-fenced quest steps).
- NFC and QR scan data: when you scan a tag or code as part of a quest, we record which tag was scanned, when, and your account ID — necessary for crediting quest progress.
- Push token: an opaque identifier issued by Apple/Google that lets us deliver push notifications you've opted into.
- Cookies, local storage, SDK identifiers: see Section 11.
2.3 Information from third parties
- Operators: if an event Operator imports a participant list, we receive the names/emails on that list.
- Authentication providers: if you sign in with Apple or Google, we receive your name, email, and a stable identifier from that provider.
- Payment processors: transaction status, last-four/card brand, fraud signals.
- Service providers: see Section 5.
2.4 Sensitive personal information
For California and other states that recognize the "sensitive personal information" category, we collect the following sensitive PI for the listed purposes only and do not use it to infer characteristics about you:
- Account login + password (to authenticate you).
- Precise geolocation (only with permission, only for event-proximity features).
We do not collect information about racial/ethnic origin, religious beliefs, union membership, health, sex life or sexual orientation, genetic data, contents of communications, immigration status, or biometric identifiers used for unique identification, except where you voluntarily submit it as User Content (e.g., a photo).
3. How we use your information
We use the information described above for these purposes:
| Purpose | Examples |
|---|---|
| Provide and operate the Offerings | Create your account, run quests, deliver in-app messages, process payments, sync progress across devices |
| Personalize the experience | Show you the quests, factions, and badges associated with your event; display your earned items |
| Communicate with you | Transactional email (receipts, password resets, account notices), push notifications you've enabled, optional marketing email if you've opted in |
| Provide customer support | Diagnose issues, respond to questions, manage refunds |
| Operate event analytics for Operators | Aggregate Player engagement data so Operators can run their event better — Operators see their own event data only |
| Ensure security and prevent fraud | Detect cheating, abuse, or unauthorized access; protect accounts |
| Comply with law and enforce our terms | Respond to legal process, enforce our Terms of Service, defend legal claims |
| Improve our products | Internal analytics, debug crashes, plan new features |
We do not use your information to:
- Train artificial intelligence models on identifiable personal information.
- Sell your information to third parties for monetary consideration.
- Engage in cross-context behavioral advertising or "share" your information for that purpose, as those terms are defined in the California Consumer Privacy Act.
- Engage in profiling that produces legal or similarly significant effects about you.
We do not knowingly collect or use information from children under 13 for behavioral or targeted advertising under any circumstances.
4. Legal basis and retention
We collect and use information for the purposes listed above based on (a) the contract with you to provide the Offerings, (b) our legitimate interest in operating and improving the Offerings, (c) compliance with legal obligations, and (d) your consent (which you can withdraw at any time, e.g., by revoking app permissions or unsubscribing).
Retention. We keep personal information only as long as needed for the purpose for which it was collected, plus a limited period to comply with legal obligations and resolve disputes:
| Category | Retention |
|---|---|
| Account profile (active) | While the account exists |
| Account profile (after deletion) | Up to 30 days for restore window, then deleted from production within 90 days |
| Backups | Up to 90 days, then overwritten |
| Quest scan logs | 24 months from event end (so Operators can resolve disputes), then anonymized |
| Payment records | 7 years (tax/audit) |
| Marketing email lists | Until unsubscribed; suppression list retained indefinitely so we don't email you again |
| Support tickets | 3 years |
| Security/fraud logs | Up to 24 months |
5. Who we share information with
We share personal information only as described below.
- Operators (for RenQuest Players): the Operator running the event you joined sees your in-event activity (quest progress, scans, badges) and the profile fields you've shared with that event. The Operator is responsible for what they do with that information; their privacy notice may apply in addition to ours.
- Service providers acting on our behalf under contract: cloud hosting (AWS), email delivery (Amazon SES), payment processing (Stripe, Apple, Google), customer support tools, error monitoring, analytics. These providers may only use the information to perform services for us.
- Authentication and platform providers: Apple and Google, when you use Sign in with Apple or Google, or when you make in-app purchases.
- Legal and safety: law enforcement and regulators when required by law; counsel and auditors; potential acquirers in connection with a transaction (with notice to you and a chance to delete first).
- With your consent or at your direction.
We do not sell your personal information for monetary consideration. We do not share your personal information for cross-context behavioral advertising.
6. Your privacy rights
Depending on where you live, you may have the rights below. We honor these rights for all US users regardless of state.
- Right to know / access — request a copy of personal information we hold about you.
- Right to delete — request deletion of personal information we hold about you.
- Right to correct — request correction of inaccurate personal information.
- Right to data portability — receive personal information in a portable, machine-readable format.
- Right to opt out of sale or sharing — we do not sell or share, but the right is honored if you submit it.
- Right to limit use of sensitive personal information — restrict our use of sensitive PI to providing the Offerings.
- Right to opt out of profiling — we do not engage in profiling that produces legal or significant effects.
- Right to non-discrimination — we will not deny service, charge a different price, or provide a different level of quality because you exercised a right.
How to exercise rights
- Email privacy@musicalmycology.org with the subject line "Privacy Rights Request."
- Use the in-app "Privacy & Data" screen.
- Submit our online form at https://musicalmycology.org/privacy-request.
- Mail us at the address in Section 14.
We will verify your identity (typically by sending a confirmation email to the address on file or by asking you to confirm account information). Authorized agents may submit requests with written authorization.
We will respond within 30 days for most requests (45 days for California requests, with one 45-day extension if necessary; we will tell you if we need the extension).
Global Privacy Control (GPC)
We honor the Global Privacy Control browser signal as a request to opt out of any "sale" or "sharing" of personal information for the browser/device sending the signal, in compliance with California, Colorado, Connecticut, and other state laws that recognize the signal.
California-specific
In the previous 12 months we collected the categories of personal information listed in Section 2 for the purposes in Section 3 from the sources in Section 2.3, and disclosed to the recipients in Section 5. We did not sell or share personal information.
You may submit two requests to know per 12-month period at no charge.
7. Children's privacy (users under 13)
The Offerings are not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. Our Terms of Service and Mobile App EULA require all users to be at least 13 years old, with a parent or legal guardian's supervision required through age 17 and the account holder of record at least 18.
If we learn that we have collected personal information from a user under 13:
- We will delete that information from our systems within a commercially reasonable time, and will direct any service providers in possession of that information to delete it as well.
- We will terminate the account.
- We will not use the information for any purpose during the deletion period beyond what is required to identify and remove it.
If you are a parent or legal guardian and believe a user under 13 has provided personal information through the Offerings, please contact us at privacy@musicalmycology.org so we can promptly remove it.
We do not knowingly engage in behavioral or interest-based advertising directed at children under 13.
Operators (renaissance faires and other event organizers using RenQuest) are contractually required not to enroll participants under 13 through the platform. The Operator agreement includes representations and obligations to that effect.
Future updates. We may, in the future, add features that allow children under 13 to participate under a parent-managed model with verifiable parental consent under the Children's Online Privacy Protection Act ("COPPA") and the FTC's amended COPPA Rule. If and when we do, we will publish a separate Children's Privacy Notice and Direct Notice to Parents at https://musicalmycology.org/coppa-notice, and we will not begin collecting any personal information from a child under 13 until we have obtained verifiable parental consent. Until then, the Offerings remain restricted to users 13 and older.
8. Permissions on mobile devices
The Apps request the following permissions. You can deny or revoke any of them in your device settings; some features will not work without them.
| Permission | What it's for | What happens if denied |
|---|---|---|
| Location (when in use) | Verifying you're at an event venue, completing geo-fenced quest steps, finding nearby quests | Geo-based quests unavailable |
| Camera | Scanning QR codes that are part of quests | QR scanning unavailable |
| NFC | Reading NFC tags placed at event waypoints | NFC quests unavailable |
| Push notifications | Quest invitations, event announcements, account notices | No notifications |
| Photo library (read) | Letting you upload a profile picture or quest photo | Profile picture upload disabled |
| Photo library (add) | Saving quest screenshots or earned-badge images | Screenshot save disabled |
We do not request access to your contacts, microphone, calendar, motion, health data, or files outside what you explicitly choose.
9. Security
We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information:
- TLS 1.2+ in transit; encryption at rest for production databases and backups.
- Role-based access control with least-privilege defaults.
- Multi-factor authentication for staff accessing production systems.
- Regular review of access logs, vulnerability scanning, and patching.
- Written information security program covering incident response, vendor management, and employee training, consistent with the FTC's amended COPPA Rule.
- Designated Privacy Officer responsible for our information security and privacy program.
No system is perfectly secure. If we discover a breach affecting your personal information, we will notify you and, where applicable, regulators in the timeframes required by law.
10. International users
The Offerings are operated from the United States. If you access them from outside the US, you understand that personal information will be transferred to and processed in the US. We do not currently target the EU/UK/EEA market and have not implemented GDPR transfer mechanisms; if you are located in those regions, please do not use the Offerings.
11. Cookies, analytics, and similar technologies
We use cookies, local storage, and SDK identifiers to keep you signed in, remember preferences, measure usage, and operate the Offerings. We do not use cookies or SDKs for cross-context behavioral advertising.
| Type | Purpose | Examples |
|---|---|---|
| Essential | Authentication, security, basic functionality | Session cookies, CSRF tokens |
| Functional | Remember preferences | Theme, language |
| Analytics | Aggregate, de-identified usage measurement | First-party analytics; we do not enable cross-site tracking |
| Crash and performance | Diagnose errors | First-party crash reporting |
You can manage cookies via your browser settings. Mobile users can reset advertising identifiers via OS settings, although we do not currently use them for advertising.
12. Email communications
- Transactional email (receipts, password resets, security alerts, account notices) is sent as part of the Service and is not subject to unsubscribe.
- Marketing email is sent only with your opt-in consent. Every marketing email contains an unsubscribe link and complies with the CAN-SPAM Act. We honor unsubscribes within 10 business days (typically immediately).
13. Changes to this Policy
We will post any changes to this Policy on this page and update the "Last Updated" date. For material changes, we will provide additional notice (e.g., email to your account, in-app banner). Your continued use of the Offerings after the effective date of an update constitutes your acceptance of the updated Policy.
We will retain prior versions of this Policy at https://musicalmycology.org/privacy/archive for at least three years.
14. Contact us
Musical Mycology, LLC
Attn: Privacy Officer
36 S 18th Ave, Ste D, Brighton, CO 80601, US
Email: privacy@musicalmycology.org
If you are a parent or legal guardian who believes a user under 13 has accessed our Offerings, email privacy@musicalmycology.org with the subject "Under-13 Removal Request" and we will delete any personal information collected and terminate the account.