Privacy Policy

Effective April 23, 2026

The short version

Cheese has no accounts, no sign-in, and no ads. Your trip data lives on your device and in your own iCloud. We use a handful of named service providers to run the backend, keep the app stable, manage subscriptions, and improve the product. We don't sell your data, and we don't share it with advertisers. Full stop.

Cheese is a Disney trip planning app for iOS, made by Moundsoft. This policy explains what information we handle, why, who helps us handle it, and the rights you have. It applies to everyone who uses the app, including people in the European Economic Area, the United Kingdom, Switzerland, California, and other regions with specific privacy rights.

1. What we handle

Cheese collects only what's needed to run the app. There's no account system, no sign-in, and we never ask for your name, email, phone number, postal address, Apple ID, or payment information.

Trip preferences — travel dates, park selections, priorities, and anything you enter while building a plan. This stays on your device.
Party composition — group size and whether your group includes small children (a yes/no toggle used to filter rides by height). Stays on your device.
Device identifier — the app generates a random UUID the first time you open it and stores it in your device's Keychain. We use it to authenticate your app's requests to our backend. It is not linked to your Apple ID, email, name, or any contact information.
Request metadata — when your app talks to our backend, the request includes your IP address, timestamp, user agent, and the technical parameters the request needs (like a park ID and a date). This is inherent to any HTTPS request.
Subscription status — if you purchase a subscription, the purchase is processed by Apple and our subscription manager (RevenueCat) records your entitlement against the device identifier above. We never see your payment details; Apple handles those.
Crash and error reports — if the app crashes or hits an error, an anonymized report is sent to Sentry so we can fix it.

2. Where your trip data lives

The trips you build stay on your device, in an Apple SwiftData store. If you have iCloud enabled on your Apple device, your trips sync to your personal iCloud account through Apple CloudKit's private database — meaning Moundsoft cannot access your iCloud data. If you sign out of iCloud or disable it, sync stops and your trips stay local to your device.

3. What we send to our backend, and what it does

Our backend (hosted on Railway, in the United States) handles the things that can't happen on your device alone: park schedules, live wait times, the AI itinerary refinement, and subscription entitlements. Each request carries your device identifier and request metadata as described in §1, plus the specific parameters needed for that request.

We don't attempt to join backend data with any external identifier, and we don't sell, share, or rent backend data to third parties.

4. AI itinerary refinement

When you use the AI refinement feature, your trip parameters (park, date, party composition, preferences, and the plan we're refining) are sent from our backend to Anthropic's Claude API to generate suggestions. We use Anthropic's standard API; Anthropic does not use API inputs to train models, and retains inputs and outputs for up to 30 days for trust and safety before deletion.

The AI's suggestions are advisory — you decide whether to accept them. Cheese does not make automated decisions about you that produce legal or similarly significant effects under GDPR Article 22.

5. Third-party services

These are the services Cheese relies on. Each one sees only the narrow slice of data it needs.

Apple (iCloud / CloudKit)

Syncs your trip data across your own Apple devices via your personal iCloud. We cannot access this data.

Anthropic (Claude API)

Receives trip parameters for AI itinerary refinement. Retains inputs up to 30 days; does not train on them.

Railway

Hosts our backend in the United States. Processes request payloads and server logs on our behalf.

RevenueCat

Manages in-app subscriptions and entitlements. Sees your device identifier and purchase records; never your payment details.

Sentry

Collects anonymized crash and error reports so we can fix bugs. Configured to not send personal information.

ThemeParks.wiki & Weather.gov

Public data sources our backend queries for park schedules and weather. Server-to-server only — they do not receive any data about you.

Public APIs

6. Why we process data (legal basis)

If you're in the European Economic Area, the United Kingdom, or Switzerland, the GDPR requires us to name a lawful basis for each processing activity. Ours are:

App configuration, park schedules, and wait-time data — legitimate interest (GDPR Art. 6(1)(f)). We need to deliver what you opened the app to see.
AI itinerary refinement — performance of a service you requested (Art. 6(1)(b)). We only send your trip parameters to Claude when you tap refine.
Subscription management — performance of a contract (Art. 6(1)(b)). We need to know whether you're a paying subscriber to unlock premium features.
Crash and error reporting — legitimate interest (Art. 6(1)(f)) in improving product quality, with minimal, pseudonymized data.
Security, abuse prevention, and operational logging — legitimate interest (Art. 6(1)(f)) in keeping the backend available and defending against misuse.
iCloud sync — your consent (Art. 6(1)(a)), given through your Apple device settings and managed entirely by Apple.

7. International data transfers

Our backend runs in the United States, and Anthropic, Sentry, and RevenueCat all process data in the United States. If you are in the EEA, the UK, or Switzerland, data sent to those providers is transferred to the United States under the European Commission's Standard Contractual Clauses (SCCs) — and the UK equivalent — combined with technical safeguards (HTTPS in transit, encryption at rest, access controls). You can request a copy of the transfer mechanism documentation by emailing us.

8. How long we keep things

On-device trip data — kept until you delete the app or clear its data in iOS Settings.
iCloud-synced trip data — kept according to your Apple iCloud settings; you can delete it any time through Apple's tools.
Backend request logs — retained for up to 30 days, then deleted or anonymized.
Claude prompts and outputs — retained by Anthropic for up to 30 days under their standard API terms, then deleted. We do not keep copies beyond our log window.
Crash reports — retained by Sentry per their standard retention.
Subscription records — retained as long as your subscription is active, and for up to 7 years after cancellation for tax and accounting purposes.

9. Your rights

Depending on where you live, you have some or all of the rights below. You can exercise any of them by emailing us — we'll respond within 30 days (or 45 days for California requests, extendable as permitted by law). Because Cheese doesn't collect contact information, we may need to verify your identity using the device identifier your app already uses.

EEA, UK, and Switzerland (GDPR / UK GDPR): right of access, rectification, erasure, restriction, data portability, and objection. You also have the right to lodge a complaint with your local data protection authority (for UK users, the Information Commissioner's Office; for EEA users, the authority in your country of residence).
California (CCPA / CPRA): right to know, delete, correct, opt out of sale or sharing (we don't sell or share personal information as defined by CCPA), limit use of sensitive personal information (we don't collect it), and non-discrimination for exercising these rights.
Virginia, Colorado, Connecticut, Utah, Brazil (LGPD), Quebec (Law 25), and other regions: we honor equivalent rights requests from residents of these jurisdictions.

10. Children's privacy

Cheese is not directed to children under 13 (or the age of digital consent in your region, which may be as high as 16 in some EU member states). We don't knowingly collect personal information from children under that age. Cheese does ask for party size and whether your group includes small children — a yes/no toggle used to filter rides by height — but this input doesn't identify any child. If you're a parent or guardian and believe we've inadvertently received data from a child under the applicable age, email us and we'll delete it.

11. Security

We protect the data Cheese handles with industry-standard safeguards: HTTPS (TLS 1.2+) for every network request, encryption at rest on the backend, least-privilege access for Moundsoft personnel, and periodic review of each third-party provider's security posture. No system is perfectly secure — but the smallest and safest thing we can do is not collect data we don't need, and that's the principle Cheese is built on.

12. Changes to this policy

If we add a new capability, a new service provider, or otherwise materially change how Cheese handles data, we'll update this policy and bump the effective date above before the change goes live. Material changes will also be called out in the App Store release notes. Continued use of the app after a change takes effect means you accept the updated policy to the extent permitted by law.

13. Contact

Questions, rights requests, or complaints — reach out and we'll give you a straight answer.

privacy@cheeseapp.io

Moundsoft
Data controller for Cheese: Theme Park Planner