The short version
We collect the minimum data needed to contact you about a request and issue a quest access code. We don't share data with third parties, don't use it for advertising (unless you've separately subscribed to news), and store it in a secure database on EU servers.
The document below is a detailed description of the same thing, in the form required by the Serbian personal data protection law (ZZPL) and the equivalent European GDPR.
Who is the data controller
The controller is the Walktofind project. For any questions about your data, write to hello@walktofind.com.
What data we collect
When you submit a request on a quest page, we store:
- name — so we can address you by name;
- email — required field, the main channel of communication;
- phone with country code, plus WhatsApp and Viber flags — if you've filled in those fields;
- Telegram username — if you've provided it;
- preferred channel of communication;
- number of participants and a comment;
- consent to the terms and (separately) subscription to news;
- IP address and browser type (User-Agent) of the request — for protection against automated bots and spam.
When we issue you an access code, the system records:
- name and email (if provided in the request) — so both you and we can see whose code this is;
- time of first access and quest completion time — technical telemetry, so the status «not started / in progress / completed» is correct;
- the number of unique IP addresses that accessed the code — we use this to spot whether a code has been mass-shared. The IPs themselves are not shown to you or in our admin panel — only their count.
Why we collect it
Name, email, phone, Telegram, preferred channel — to contact you about your request, send payment details, confirm payment and issue the access code. Legal basis: performance of a contract with you.
IP address and request User-Agent — for protection from spam and fraud. Legal basis: legitimate interest.
Token telemetry (timing, unique IPs) — to correctly show you the progress of the quest and detect mass violation of access terms. Legal basis: contract performance and legitimate interest.
News subscription (separate checkbox in the form) — only with your explicit consent. Without this consent we don't send newsletters, only service emails about your specific request. Legal basis: your consent.
Who we share data with
Nobody, beyond the technical contractors without whom the project couldn't exist:
- Supabase — PostgreSQL database provider (EU region). Requests, codes and quest progress are physically stored here.
- Vercel — site hosting (servers in EU/US). Traffic passes through it and form data is processed transiently.
- Vercel Analytics — anonymous visit statistics (countries, devices, referrers). No cookies in the browser, no user identification; the temporary IP + User-Agent pairing is deleted on Vercel's side within 24 hours.
We don't hand data to ad networks or data brokers. The only analytics in use right now is Vercel Analytics (see above) — an anonymous aggregate that doesn't identify visitors. If we ever add deeper analytics (for example, PostHog with funnels and session recording), we'll ask for explicit consent via a cookie banner before turning it on.
Cookies
The site currently uses only two functional cookies. No tracking, no third-party cookies.
wtf_locale — remembers the language you selected via the switcher in the header (lifetime — 1 year). Without it the site re-guesses your language from the browser header on every visit.
wtf_admin — a technical HMAC session, set only in the administrator's browser after logging into the admin panel (lifetime — 7 days). It does not apply to visitors.
We don't use analytics cookies, advertising cookies or third-party cookies. Vercel Analytics (see the previous section) runs without cookies in the browser. If we add analytics that does set cookies (for example, PostHog with funnels and session recording), we'll ask for explicit consent via a cookie banner before any such cookie is set.
How long we keep it
We keep request data and issued codes for as long as needed to fulfill the contract and for a reasonable post-support period — typically two years. We'll delete them sooner at your request (see next section).
We trim or delete technical access logs (request IP, User-Agent) as soon as we no longer need them for spam protection.
Your rights
Under ZZPL and GDPR you have the right to:
- know what data of yours we store;
- correct inaccurate data;
- delete your data (the «right to be forgotten»), if we have no legal basis to keep it further;
- withdraw consent to marketing newsletters at any time — you can unsubscribe via a link in any email or simply by writing to us;
- receive a copy of your data in a machine-readable format;
- lodge a complaint with the supervisory authority. In Serbia this is the Commissioner for Information of Public Importance and Personal Data Protection.
To exercise any of these rights, write to us at hello@walktofind.com. We'll try to respond within 30 calendar days — this period is set by law.
Security
The site runs over HTTPS; the database is closed to direct internet access and is available only to our application. Access to the admin panel is protected by a password and a signed cookie session. We don't send passwords by email and don't store any user passwords — on the client side, authentication is via the quest access code.
Policy changes
If we change processes — add analytics, new form fields, change retention periods — we'll update this page and bump the «In effect since» date at the top. We'll try to highlight significant changes separately.