Privacy Policy
Last updated: 30 May 2026
The short version
Cubby is built to keep your data with you, not us. Your vehicles, service history, fuel logs, mileage, photos, and scanned receipts are stored on your device and — if you enable it — synced through your own private iCloud account, which we cannot access. Receipt and invoice scanning happens entirely on your device; the images are never uploaded.
The only information that ever leaves your device is a small amount of anonymous diagnostic and usage data (to fix crashes and understand which features are used), feedback you choose to send us, and purchase status handled by Apple. We do not sell your data, we do not show ads, and we do not track you across other apps or websites.
This policy explains the details.
Who is responsible
The “data controller” for Cubby under the EU General Data Protection Regulation (GDPR) is:
Thomas Brandhorst, an individual developer based in the Netherlands. Contact: privacy@cubby.mediokr.uk
Data stored on your device and in your iCloud
Everything you enter into Cubby — vehicles, service records, fuel fill-ups, mileage, important dates, notes, and any photos or scanned documents — is stored locally on your device.
If you turn on iCloud sync, this data is synced through Apple CloudKit to your private iCloud database. That data is tied to your Apple ID and is accessible only to you on your own devices. We operate no server that can read it, and we have no ability to access, view, or recover it. Apple’s handling of iCloud data is governed by Apple’s Privacy Policy.
You stay in control of this data at all times: you can edit or delete entries in the app, and deleting the app (and removing its iCloud data from your Apple ID settings) removes it entirely.
On-device receipt and invoice scanning
Cubby can read details from fuel receipts and service invoices using Apple’s on-device Vision and Foundation Models technology. This processing happens locally on your device. The photos and the extracted text are not uploaded to us or to any third party, and we never receive them.
Scanning is a convenience feature and is best-effort — see the Terms of Service for what that means.
Camera and photos
To scan a receipt or invoice, Cubby needs access to your camera (to take a photo) or your photo library (to pick an existing image), and iOS will ask your permission the first time. Cubby accesses photos only to read the document you choose; it does not browse, upload, or retain your photo library. Any image you scan stays on your device and is processed there, as described above.
Information that leaves your device
| What | Sent to | Purpose | Personal data? |
|---|---|---|---|
| Crash & diagnostic data (crash reports, device model, OS version, app version) | Sentry (EU region) | Find and fix crashes and bugs | No — configured to exclude IP addresses and personal identifiers |
| Anonymous usage events (e.g. a screen was opened, a scan was started) | TelemetryDeck (EU) | Understand which features are used and where people get stuck | No — anonymous and aggregated; no profile of you is created |
| Feedback you submit (your message, and your email only if you provide it) | Sentry (feedback inbox) | Read your feedback and reply if you asked us to | Only if you choose to include identifiable content |
| Purchase / subscription status | Apple (StoreKit) | Unlock and maintain Cubby+ features | Handled by Apple; we receive only aggregated/anonymised sales data |
That is the complete list. Cubby contains no advertising SDKs, no analytics beyond the above, no social login, and no other third-party trackers.
Diagnostics (Sentry)
We use Sentry to capture crash and error reports so we can fix problems. Sentry is configured to collect only crash diagnostics — IP address collection and personal identifiers are switched off, and we do not run behavioural session tracking. The Sentry project is hosted in the EU. Sentry acts as our data processor under a data processing agreement.
Usage analytics (TelemetryDeck)
We use TelemetryDeck to understand, in aggregate, which parts of Cubby are used and where people run into friction. TelemetryDeck is privacy-first and anonymous by design: it does not store IP addresses and does not build a profile of you. All events are grouped under a random, anonymous identifier generated on your device that cannot be linked to you, your Apple ID, or your other accounts. TelemetryDeck is hosted in the EU and acts as our data processor under a data processing agreement. TelemetryDeck’s own privacy policy is at telemetrydeck.com/privacy.
We log only that an event happened, plus a small, non-identifying label describing the kind of event — never the contents of your records, scans, photos, or notes. Specifically:
Events (what you did, never what you wrote):
- App launched
- Onboarding started, each setup step completed, onboarding finished
- Whether you enabled iCloud sync and notifications during setup
- Which main tab you opened (garage, reminders, insights)
- An entry was logged, and its type only (fuel, service, mileage, or important date) — never the amounts, dates, notes, or other details you entered
- A vehicle was added or removed
- An export was completed, and its format only (PDF or CSV)
- The monthly recap was viewed
- A scan was started, and whether it succeeded or failed — including the kind of scan (invoice or fuel receipt), the input used (camera, photo, or file), and, for failures, the stage that failed — never the image or any extracted text
- Whether you edited a scan result (a yes/no signal we use to gauge accuracy — never what you changed)
- The paywall was shown, and which feature prompted it
- A purchase was started, completed, cancelled, failed, or restored, and the plan only (monthly or yearly)
- A reminder notification was opened, and its type only
Device context (sent automatically with events by TelemetryDeck): app version, iOS version, device model, screen size, and light/dark appearance.
Never collected: your name, email, Apple ID; the contents of any record, scan, photo, or note; your location; or your IP address.
You can turn both diagnostics and usage analytics off at any time: Settings → Share anonymous diagnostics & usage.
Feedback
If you send feedback from within the app, your message — and your email address if you choose to enter it — is sent to our feedback inbox (handled by Sentry). We use it to understand your feedback and to reply if you provided an email. Leaving the email field blank means we have no way to contact you, and that’s fine.
Purchases
Cubby+ is sold as an in-app purchase through Apple. Apple is the seller and processes all payments. We never see or handle your payment details. Apple provides us with anonymised and aggregated sales information. Apple’s processing is governed by Apple’s Privacy Policy.
Why we are allowed to process this data (legal bases)
- Performance of a contract — to provide the app and its features to you.
- Legitimate interests — to keep the app stable and improve it, using anonymous diagnostics and usage data. Because this data is anonymised and you can opt out, the impact on your privacy is minimal.
- Consent — when you voluntarily send us feedback that includes your email or other identifiable content. You can withdraw it by asking us to delete it.
How long we keep it
- On-device and iCloud data: for as long as you keep it — you control it.
- Crash diagnostics: retained by Sentry for up to about 90 days, then deleted.
- Usage analytics: retained by TelemetryDeck in aggregate per their retention policy; it is anonymous and not linked to you.
- Feedback: kept until your feedback is dealt with, then deleted.
International transfers
Our diagnostics and analytics processors are hosted in the EU. Apple may process certain data (such as iCloud and purchase data) outside the EU under appropriate safeguards, including the EU Standard Contractual Clauses, as described in Apple’s own privacy documentation.
Deleting your data
Because your records live on your device and in your own iCloud, you are always in control of them:
- Delete individual entries — remove any vehicle, service, fuel, mileage, or reminder entry directly in the app.
- Delete everything — delete the Cubby app from your device. This removes the app’s on-device data. To also remove the copy in your iCloud, delete Cubby’s data in Settings → [your name] → iCloud on your device.
- Diagnostics or feedback held by us — email privacy@cubby.mediokr.uk and we will delete it.
Your rights
Under the GDPR you have the right to access, correct, delete, restrict, or object to our processing of your personal data, to data portability, and to withdraw consent at any time. In practice:
- Your in-app and iCloud data is already fully in your control — view, edit, or delete it in the app, or delete the app and its iCloud data.
- For feedback or diagnostic data held by us, email privacy@cubby.mediokr.uk and we will help.
You also have the right to lodge a complaint with your data protection authority. In the Netherlands that is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
Children
Cubby is not directed at children and is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
Changes to this policy
We may update this policy as Cubby evolves. The “Last updated” date at the top always reflects the current version. If we make a material change, we will surface it in the app on next launch.
Contact
Questions about this policy or your data: privacy@cubby.mediokr.uk