1. Introduction
Welcome to EyeCandy ("EyeCandy," "we," "us," or "our"). EyeCandy is a personal media-tracking application that helps you discover, organize, rate, and schedule movies, TV shows, anime, manga, comics, books, video games, and sports. This Privacy Policy explains what information we collect when you use EyeCandy, why we collect it, how it is stored and protected, and the rights you have over your data.
We designed EyeCandy to be privacy-respecting by default. We do not sell your personal information, we do not share it with advertisers, and we do not embed third-party advertising SDKs in the app.
By using EyeCandy, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the app.
This policy is published by EyeCandy's developer, an independent developer, who can be contacted at eyecandyiossupport@gmail.com.
2. Information We Collect
We only collect the information that is necessary to provide the features you use. The categories below describe everything that may be collected and stored while you use EyeCandy.
2.1 Account Information
Your EyeCandy account uses Sign in with Apple. We do not use email-and-password login, Google Sign-in, or other social identity providers. There is no password to create or remember. When you sign in, your device sends an Apple identity token to our backend, which verifies it and issues a private session token for your device.
When you create an EyeCandy account, we collect:
- Email address. Provided by Sign in with Apple on your first sign-in only (you may choose to share Apple's private relay address instead). Used to identify your account and, if you allow, to send important account notices. It is not used as a login credential.
- No password. EyeCandy has no passwords. Sign-in is handled entirely by Apple via Sign in with Apple, so there is no password for us to receive, store, hash, or log.
- Display name. Derived from the name Apple returns on your first sign-in, shown in the app to personalize your experience.
- Account identifier. Your account is keyed to the stable, app-specific user identifier (the Apple "sub") that Sign in with Apple provides. It is unique to EyeCandy.
2.2 Your Library and Activity Data
EyeCandy stores the content you choose to save on your device and backs it up to our server so it can be restored and synced across your devices:
- Watchlists, reading lists, and play lists. The titles you add, their status (e.g., "watching," "completed," "plan to watch"), and any personal notes you attach.
- Ratings and reflections. Numeric ratings and free-form reflections you create.
- Schedule and calendar entries. Items you have scheduled or pinned to your personal calendar.
- Tracked items and progress. Episodes watched, chapters read, pages completed, hours played, favourite teams and leagues followed, and similar progress indicators.
- Preferences and settings. App configuration such as theme, default list view, notification preferences, and enabled features.
2.3 Integrations and User-Supplied Credentials
Some features require connecting to third-party services. These integrations are optional linked accounts for data sync. They are not identity providers for your EyeCandy account. When you enable these integrations, we store only what is needed for the integration to function:
- OAuth tokens issued by services you link (for example, MyAnimeList, RAWG, TMDB, Open Library, Apple Music, Spotify, Deezer). These tokens are stored on your device, included in your library backup, and used solely to read or write the data you have authorized.
- User-supplied API keys. If you supply your own API key for a service (for example, a personal DeepSeek key, a TTS key, or a TMDB key), the key is stored on your device, included in your library backup, and used only for requests you initiate.
You can revoke any integration at any time from within the app, which deletes the associated tokens and keys from your device and from your next library backup.
2.4 Notifications
- Push notification token issued by Apple Push Notification service (APNs). We store this token, along with the sports teams you follow, so we can deliver notifications you have opted into (for example, goal alerts and schedule reminders). Notifications are disabled by default until you grant permission.
2.5 Candy AI Assistant Usage
EyeCandy includes an optional AI assistant called Candy AI. When you use Candy AI, we collect:
- Chat prompts and responses. The text you send and the replies generated. Your chat history is stored on your device; only per-day usage counts are kept on our server to enforce fair-use rate limits.
- Photos you submit for image-based identification. Candy AI lets you attach up to four photos to ask it to identify movies, TV, anime, manga, comics, books, games, or albums. Photos are resized and compressed on your device, then forwarded to Google's Gemini model through our Cloudflare Worker backend. They are used only to produce the identification result for that request and are not retained beyond the request lifecycle. Image identification is limited to 5 requests per day per account.
- Usage counters. The number of text, voice, and image requests you have made within a given day, kept on our server exclusively to apply daily rate limits.
- User-supplied DeepSeek API key (optional). If you choose to supply your own DeepSeek API key, your Candy AI text requests are sent directly to DeepSeek and are subject to DeepSeek's own privacy policy. In this mode, requests do not pass through our backend. Your key is stored on your device and is used only for requests you initiate.
- EyeCandy does not use your chat history or submitted photos to train any models. Requests are processed by third-party providers (DeepSeek, Google Gemini) under their own privacy policies.
2.6 Decide (Swipe and Spin)
EyeCandy's Decide feature helps you choose what to watch, read, or play next by surfacing items already in your library through swipeable cards or a randomised spin. Decide reads only the lists, ratings, and tracked items you have already saved in EyeCandy. Your not-interested and decided selections are stored on your device. It does not collect new personal data and does not transmit your choices to third-party services.
2.7 Device and Diagnostic Information
To deliver push notifications, we collect a small amount of technical metadata when you register for them:
- Platform and push environment. With your push registration we send a platform value and a push environment hint so notifications can be delivered correctly.
- Diagnostics. We do not operate our own crash-reporting service. Any crash or diagnostic information is shared only if you have Apple's own optional diagnostic sharing enabled, under Apple's terms.
We do not collect your precise location, your contact list, your microphone, your advertising identifier (IDFA), or any biometric data. We access a single photo only when you choose one for Candy AI image identification, and the camera only when you take a photo for that feature; we do not read your photo library otherwise.
Calendar access (optional, off by default). If you turn on calendar sync in Settings, EyeCandy asks permission to add events to your device's calendar and mirrors your schedule into a dedicated "EyeCandy" calendar so your watch, read, and play plans show up in Apple's Calendar app. This happens entirely on your device through Apple's Calendar; your calendar and its events are never sent to our servers. You can turn it off at any time, and you can delete the EyeCandy calendar from the Calendar app. iOS also requests Reminders access because Apple's calendar module requires it, but EyeCandy does not create or read any reminders.
2.8 Information We Do Not Collect
For clarity:
- We do not track you across apps or websites.
- We do not use advertising SDKs.
- We do not create marketing profiles about you.
- We do not sell any data.
3. How We Use Your Information
We use the information described above only for the purposes listed here:
- To provide the core app experience. Storing your lists, ratings, schedule, tracked progress, and preferences so they appear correctly on every device where you sign in.
- To authenticate you. Verifying your identity through Sign in with Apple and issuing a private session token to your device.
- To back up and sync your data. Storing your library as a private backup on our server so it can be restored and merged across your devices.
- To send notifications you have opted into. Release reminders, schedule alerts, and other alerts tied to items you track.
- To enable optional integrations. For example, importing your MyAnimeList library or syncing ratings with TMDB, RAWG, Open Library, Apple Music, or Spotify when you have authorized those services.
- To power Candy AI. Forwarding your prompt or photo to the AI provider through our backend and returning the response.
- To enforce fair use and prevent abuse. Counting requests to Candy AI, detecting automated abuse, and preventing credential misuse.
- To diagnose problems and improve reliability. Using crash reports and aggregate usage signals to fix bugs and compatibility issues.
- To communicate with you about your account. Security notices, service changes, or responses to support requests.
We do not use your information for advertising, marketing profiling, or resale.
4. Third-Party Services and Data Sources
EyeCandy relies on carefully chosen third parties to deliver its features. Each has its own privacy practices, which govern the data they receive.
4.1 Infrastructure Processors
- Apple (Sign in with Apple). Handles sign-in and verifies your identity. Our own Cloudflare Worker backend issues and validates the session token used by the app.
- Cloudflare (Workers and D1). Hosts our backend and stores your library backup (lists, ratings, schedule, collections, preferences, and integration tokens) as a single per-user record.
- Cloudflare Workers. Runs our server-side logic, such as verifying Sign in with Apple, proxying AI and content requests, and enforcing rate limits.
- Apple Push Notification service (APNs). Delivers push notifications you have opted into.
- DeepSeek. Provides the text large language model (deepseek-chat) that powers the Candy AI chat assistant.
- Google Gemini (via Google's generative language API). Provides the model (Gemini 2.5 Flash) that powers Candy AI's image-based identification when you attach photos. Requests are proxied through our Cloudflare Worker, which holds the API key.
- Google Cloud Text-to-Speech. Converts selected text into spoken audio when you use the voice feature (limited to 15 listens per day per account).
These providers process data on our behalf or under their own terms to deliver their service. Each is governed by its own privacy policy.
4.2 Content Data Sources
EyeCandy queries public content catalogs through our backend proxy to show you metadata such as titles, cover art, release dates, cast, and descriptions. Your account identity and personal data are not disclosed to these catalog providers.
- The Movie Database (TMDB). Movies, TV shows, and people.
- Jikan (MyAnimeList). Anime and manga metadata. Optional list syncing if you connect your MyAnimeList account.
- AniList. Anime airing schedules.
- MangaDex. Manga chapter tracking.
- RAWG and IGDB. Video game metadata.
- Comic Vine. Comics metadata.
- Open Library. Book metadata and reading-list sync.
- ESPN. Sports schedules, scores, and team data.
- Deezer. Music metadata, album/song look-up, and 30-second previews.
- Account-link sync. Optional, only if you connect those accounts: full two-way rating sync with MyAnimeList and Open Library; Apple Music syncs as loves/favorites; RAWG pulls your score and pushes play status; Spotify saves items to your library.
If you explicitly authorize an integration, the relevant provider will receive the data you share through that integration under their own privacy policy.
4.3 No Advertising Partners
We do not integrate any advertising networks, analytics SDKs that profile users, or data brokers.
5. Data Storage and Security
We take reasonable and industry-standard measures to protect your data.
- Encrypted in transit. All communication between the app, our Cloudflare backend, and third-party APIs uses HTTPS/TLS.
- Encrypted at rest. Your library backup is stored on Cloudflare's infrastructure (Workers KV and D1), which encrypts stored data at rest.
- Access controls. Every backend request must carry a valid session token tied to your Apple account identifier, and each user's records are scoped to that identifier. A user cannot read or write another user's data.
- Secret handling. API keys we own are stored in secure server-side configuration on our backend and are never embedded in the app binary. User-supplied API keys are stored on your device and scoped to your account.
- Server-side proxying. Requests to third-party APIs that require credentials or rate limiting are proxied through our Cloudflare Worker backend.
- Principle of least privilege. Only authorized maintainers have administrative access to the backend, and administrative access is audited.
- No advertising trackers.
No online service can guarantee absolute security, but we work continuously to identify and mitigate risks. If we become aware of a security incident affecting your data, we will notify you as required by applicable law.
6. Your Rights and Choices
6.1 Access and Review
You can view all of the content you have added to EyeCandy (lists, ratings, schedule, tracked progress, and preferences) directly within the app at any time.
6.2 Correction
You can edit or update any entry you have created, change your display name, and update your preferences from within the app.
6.3 Deletion
- Delete individual items. Remove any list entry, rating, review, or scheduled item at any time.
- Disconnect integrations. Revoke OAuth tokens and delete user-supplied API keys from the app's Settings screen.
- Delete your entire account. You can delete your account from within the app at Settings → Account → Delete Account. Account deletion wipes all server-side data associated with your account: your library backup, your push registration and followed teams, your account record, and your AI usage counters. Some residual backup copies may persist for a short period before routine rotation overwrites them.
6.4 Export
You can export your library to CSV or MyAnimeList XML from within the app (Settings → Data → Export). The export includes your movies, shows, anime, and manga lists and ratings in a portable format you own and can take to another service.
6.5 Notification Controls
You can disable push notifications at any time, either within EyeCandy's Settings or in your device's system Settings app.
6.6 Regional Rights
Depending on where you live, you may have additional rights under laws such as the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and similar statutes. These may include the right to:
- Request a copy of the personal information we hold about you.
- Request correction or deletion of that information.
- Object to or restrict certain processing.
- Lodge a complaint with your local data protection authority.
To exercise these rights, contact us at eyecandyiossupport@gmail.com. We will respond within the timeframe required by applicable law. We will never discriminate against you for exercising a privacy right.
7. Children's Privacy
EyeCandy is not directed to children under 13 (or the equivalent minimum age in your jurisdiction, such as 16 in parts of the EU). As a matter of policy, we do not knowingly collect personal information from children. If you believe a child has provided us personal information without appropriate consent, please contact eyecandyiossupport@gmail.com and we will promptly delete the information and terminate the account.
8. Data Retention
- Active accounts. Your data is retained for as long as you continue to use EyeCandy.
- Deleted accounts. When you delete your account, we remove your account record and your library backup from our Cloudflare backend. Residual copies in routine backups are overwritten on normal rotation.
- Candy AI history. Chat history is stored on your device and retained until you clear it or delete the app. Server-side rate-limit counters reset daily.
- Diagnostic data. We do not operate our own crash-reporting service. Any diagnostic data is governed by Apple's own optional diagnostic sharing, under Apple's terms.
9. International Users
EyeCandy uses Cloudflare's global platform and Apple's services. Your data may be stored and processed in data centers outside your country of residence, including in the United States. We rely on the relevant providers' Standard Contractual Clauses for international transfers. For data-localization questions, please contact eyecandyiossupport@gmail.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, new features, or legal requirements. When we make a material change, we will:
- Update the "Last Updated" date at the top of this page.
- Post the revised policy at this URL.
- Notify you in the app or via email if the change materially affects your rights or how we handle your data.
Continuing to use EyeCandy after an update means you accept the revised policy. If you do not agree, you can export your data and delete your account at any time.
11. Contact Us
If you have questions, concerns, or requests about this Privacy Policy or your data, please get in touch:
- Email: eyecandyiossupport@gmail.com
We do our best to respond to every privacy inquiry within 30 days.