Privacy

What we collect, why, and how to delete it

Last updated: 2026-05-11

What we collect on the website

When you sign up for launch updates on curiosy.app, we collect:

• Your email address.
• Optionally, the name of a museum you'd like Curiosy to support next, if you choose to tell us.
• The page you signed up from (/met or /) so we can measure which page works.
• Your IP country code (e.g. US) — never your full IP address, never your city. Cloudflare gives us only the country.
• Your browser's user agent string (e.g. "Mozilla/5.0 ... Safari ...") so we can tell roughly which devices people use.
• The date and time of signup.

We do not collect your name, address, phone number, location, or anything else you didn't type into the form.

Why we collect it

To email you a single launch announcement when Curiosy ships in the App Store. We may also email you if a museum you specifically asked about becomes available. We will not sell, share, or rent your email to anyone.

How long we keep it

Until you ask us to delete it, or until 24 months after the launch announcement is sent — whichever comes first.

How to delete your data

Email hello@curiosy.app from the address you signed up with. We'll delete every record associated with that email within 30 days and reply to confirm. No questions asked.

What the iOS app collects

The Curiosy iOS app does not require an account. Tours you build, seminars you plan, language preferences, and which artworks you've viewed all stay on your device. We never see them.

Purchases. If you buy the Artworks Pass, Seminars Pass, or Bundle, the transaction is handled entirely by Apple via StoreKit. Apple shares only the entitlement status with the app (which products you own) so we know what to unlock. Apple's privacy policy governs the transaction data itself.

Analytics. The app ships with usage analytics off by default. On first launch, the app shows a brief sheet explaining what analytics does and asking whether you'd like to share anonymous usage data. If you tap Not now, analytics stays off. If you swipe the sheet away without choosing, we may ask once more after you save your first plan — and then never again. The Settings → Privacy toggle (Help improve Curiosy) lets you change your mind at any point. When you turn it off mid-session, we drop everything queued and stop sending. We never share analytics with third parties.

When analytics is on, the app sends the following kinds of events to our own Cloudflare Analytics Engine instance:

• Which artworks and seminars you view, so we know what content people care about.
• When you build a plan and which artworks are in it, so we can see which routes work.
• Paywall views and purchase outcomes, so we can tell if our pricing and copy are making sense.
• App language switches and consent toggles, so we can debug the consent flow itself.

Each event carries an installation ID: a random UUID generated on your device the first time analytics is enabled, stored only in this app's container (no iCloud sync). It is not your Apple ID, your IDFA, your IDFV, or any cross-app identifier. When you turn analytics off and back on, we generate a new UUID, so your prior usage cannot be joined with future usage.

One caveat: if you restore this device from an iCloud or encrypted backup, the installation ID is restored with the rest of the app container. A new device installed fresh gets a fresh UUID. We surface this here because honest semantics matter for any retention or churn numbers we might compute.

Network requests. The app fetches museum content (artwork descriptions, images, gallery routes) from curiosy.app. Those requests carry standard HTTP metadata (IP address, user agent, timestamp). Cloudflare retains request logs for operational reasons; we do not.

Feedback you send us. If you tap Settings → Send Feedback and submit a message, we store the text of your message along with optional reply email, app version, iOS version, device class (e.g. "iPhone"), and your chosen app/content languages. This is user-initiated submission, not background telemetry — it happens only when you tap Send. We use it to fix bugs and improve the app, and we may email you back if you provided an email. We retain submissions for as long as they're useful for those purposes; you can email feedback@curiosy.app to request deletion of any message you sent us.

Plans you share. When you tap the share button on a tour and pick a recipient (Messages, Mail, etc.), we create a short link like curiosy.app/s/aB3kF12 that points to a public web page showing the tour name and its artwork list. Anyone with the link can view that page — that's the whole point of a shareable link. Share pages for individual artworks (/met/art/<id>) and seminars (/met/seminar/<slug>) work the same way but reference only public Met catalog identifiers, not personal information. We store the tour name, ordered Met artwork IDs, and the language code you were using at share time. We do not attach your identity to a share. Email feedback@curiosy.app with the short code to remove a share you created.

A note on terminology. Curiosy has no account system — no sign-up, no login, no profile. The installation ID described above is the only identifier the app generates. Apple's App Store Privacy Nutrition Label uses the umbrella term User ID to cover any persistent identifier an app keeps, even an anonymous random UUID like ours. We declare it under that category because Apple's vocabulary requires it, not because we have user accounts.

Specifically, the app's privacy manifest (PrivacyInfo.xcprivacy) declares three things:

• User ID — the installation UUID described above. Anonymous, app-scoped, rotates on consent revoke→regrant.
• Purchase History — the StoreKit product ID and price for successful purchases, so we can tell which unlock paths people actually use.
• Product Interaction — the four event categories listed above.

All three are marked linked to user, not used for tracking. We use them only to improve Curiosy. We never share them with ad networks, data brokers, or any third party, and we never build a cross-app graph. The App Store Privacy Nutrition Label at launch will mirror these declarations.

Cookies and analytics

We use Cloudflare's privacy-respecting analytics, which does not set any cookies and does not track you across sites. We do not use Google Analytics, Facebook Pixel, or any third-party advertising trackers.

Cloudflare Turnstile

The signup form uses Cloudflare Turnstile to block automated bots. Turnstile is invisible to you and processes a small amount of browser signal data (mouse movements, page interactions) to determine whether a request is human. Cloudflare's privacy policy covers what they handle.

Contact

Questions about anything on this page: hello@curiosy.app