Privacy Policy

Last Updated: December 24, 2025

1. Introduction

Welcome to Mold Cake ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how information about you is collected, used, stored, and shared when you use the Mold Cake website, mobile applications (including iOS), and related services (collectively, the "Services").

By using Mold Cake, you agree to the practices described in this Privacy Policy.

2. Information We Collect

2.1 Information from Authentication Providers

We use third-party OAuth providers (Google and Apple) to authenticate users. When you sign in, we receive:

  • Email address (used for account identification and communication)
  • Full name (as provided by the provider)
  • Profile picture URL (received but not used or stored)
  • OAuth provider used (Google or Apple)

We do not receive your passwords.

For information on how these providers handle your data, see:

2.2 Information You Provide

Depending on how you use the Services, you may provide:

  • Display name (required, set on first login, public)
  • Profile photo selection (choose from six pre-selected cheese images)
  • Reviews, ratings, and comments
  • Photos you upload
  • Events you create
  • Saved cheeses (private bookmarks)
  • Cheese requests (private submissions, never publicly displayed)
  • Email address and country for the Mold of the Month Club interest list

Cheese requests are never publicly displayed. If we determine a requested cheese is a fit for our database, it will be manually added by an administrator.

2.3 Automatically Collected Information

  • Account creation date
  • Last profile update timestamp
  • Temporary IP address processing by Cloudflare (our infrastructure provider) for security and performance

Cloudflare processes IP addresses as our data processor but does not store them in our application database. See Cloudflare's Privacy Policy for details on their processing practices.

2.4 Information We Do Not Collect

We do not collect or store:

  • Precise location data
  • Device identifiers
  • Advertising IDs
  • Cross-app tracking data
  • Browser fingerprinting
  • Behavioral profiling
  • Third-party analytics SDK data

3. How We Use Your Information

We process personal data based on the following legal grounds:

  • Contract Performance: To provide the Services you've requested
  • Consent: Where you've given explicit permission (e.g., interest list, push notifications)
  • Legitimate Interests: To operate, secure, and improve our Services
  • Legal Obligation: To comply with applicable laws

We use information to:

  • Provide and maintain the Services
  • Authenticate and secure accounts
  • Display user-generated content
  • Enable social features (reviews, photos, events)
  • Manage moderation and enforce Terms of Service
  • Communicate with users who join the interest list
  • Send one-time email notifications when a cheese you requested is approved and added to our database
  • Comply with legal obligations

4. Mobile App Privacy & Permissions (iOS)

4.1 Camera Access

Used only when you choose to take a photo to upload. No background camera usage.

4.2 Photo Library Access

Used only to allow you to upload photos you select. No automatic scanning or access.

4.3 Push Notifications (Future Use)

Push notifications are not currently used. If enabled in the future, they will be optional and used only for:

  • App updates
  • Account-related notifications

You will be able to manage notifications via device settings.

4.4 Permissions We Do Not Use

  • No location services
  • No background refresh
  • No motion or sensor data
  • No in-app crash reporting SDKs (Apple may collect limited diagnostic data independently)

5. Public vs Private Information

5.1 Public Information

Visible to other users:

  • Display name
  • Profile photo (selected from pre-set cheese images)
  • Reviews, ratings, and comments
  • Uploaded photos
  • Events you create

5.2 Private Information

Never publicly displayed:

  • Email address
  • Saved cheeses
  • Cheese requests
  • Interest list subscription details

6. Content Moderation

We reserve the right to:

  • Remove reviews, photos, or events
  • Remove inappropriate or violating content
  • Block or suspend accounts
  • Enforce our Terms of Service

These actions may be taken if content violates our policies or applicable laws.

7. Data Deletion & Account Closure

7.1 Account Deletion

When you delete your account:

  • Your account data (email, name, identifiers) is permanently deleted
  • Your reviews, photos, and events are completely removed
  • Aggregate metrics (e.g., cheese rating averages, review counts) may remain in a non-identifiable form
  • Saved cheeses are deleted
  • You can no longer log in

Deleted data may persist in backups for up to 30 days.

7.2 Interest List (Separate from Accounts)

  • The Mold of the Month Club interest list is not tied to user accounts
  • Anyone may subscribe without logging in
  • Deleting an account does not remove an interest list subscription
  • Every email includes an unsubscribe link for immediate removal

8. Data Retention

We retain personal data only as long as necessary:

  • Active accounts: Data retained while account is active
  • Deleted accounts: Data immediately deleted (except backups retained up to 30 days)
  • Interest list: Retained until unsubscribe
  • Aggregated/anonymized data: May be retained indefinitely

9. Cookies & Tracking

9.1 Essential Cookies

We use a single essential cookie for authentication:

  • Cookie name: moldcake_session (or __Host-moldcake_session on HTTPS)
  • Purpose: Maintains your login session
  • Duration: 30 days
  • Type: HTTP-only, Secure, SameSite

This cookie is strictly necessary for the Services to function.

9.2 Analytics

Cloudflare Analytics and server logs may collect aggregate traffic and performance data. We do not configure user-level tracking or profiling.

No advertising or marketing cookies are used.

10. Data Storage & Security

10.1 Storage Locations

  • Cloudflare D1 (database)
  • Cloudflare R2 (image storage)

Data may be processed across Cloudflare's global network.

10.2 Security Measures

  • HTTPS encryption
  • Secure cookies
  • Encrypted secrets
  • Access-controlled admin tools
  • Regular security updates

11. Your Privacy Rights (GDPR & Similar Laws)

You have the right to:

  • Access your data
  • Request a copy of your data
  • Correct your data
  • Delete your account
  • Object to processing
  • Withdraw consent

To request a copy of your data or exercise any of these rights, email [email protected]. We will respond to your request within 30 days.

12. Children's Privacy

Mold Cake is not intended for children under 13 (or under 16 in the EU). We do not knowingly collect personal data from children. If we learn we have collected data from a child, we will delete it promptly.

13. International Transfers

Data may be processed internationally through Cloudflare's global network. Cloudflare complies with applicable data protection frameworks and implements appropriate safeguards for international transfers.

14. Changes to This Policy

We may update this Privacy Policy periodically. Updates will be reflected by the "Last Updated" date.

15. Contact Us

For privacy questions or to exercise your rights: [email protected]

For general support: [email protected]

Operator: Dubanalog, Inc.

16. Data Controller

Dubanalog, Inc. is the data controller for your personal information.