Privacy Policy

1. Summary

This policy describes what information CruiseSignal collects, why, who we share it with, and how you can exercise your rights. We try to collect the minimum we need to monitor cruise prices and notify you about price drops on bookings you've recorded. We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws.

2. Who is responsible for your data

The data controller is Overclock Studio ("CruiseSignal", "we", "us"). Contact:

• Email: support@cruisesignal.app

For users in the United Kingdom or the European Economic Area, please see section 19 for our representative under Article 27 of the UK GDPR and EU GDPR if and when we appoint one.

3. Information we collect

3.1 Account information

• Email address (required to sign in via one-time code).
• Name (provided by Sign in with Apple, or by you).
• Apple user identifier (a stable opaque ID returned by Apple if you use Sign in with Apple) and the OAuth tokens issued by Apple to verify your sign-in. We do not see or receive your Apple ID password.
• Account timestamps (created, updated, last sign-in, deleted-at).

3.2 Booking and price-watch information you enter

• Cruise line, ship, sail date, sailing length, region.
• Reservation / booking number.
• Cabin class and category, number of adults, number of children.
• Fare type, rate code, deposit type (refundable / non-refundable), guarantee flag, paid-in-full flag, booked-at date.
• Price you paid, currency.

The reservation number is treated as confidential — it is stored only to identify your booking when you reference it (we do not call the cruise line or file claims on your behalf).

3.3 Subscription and entitlement

• Whether you have an active subscription, the product identifier, the entitlement period, and a stable user identifier we share with our subscription provider (RevenueCat) and our paywall provider (Superwall) to attribute purchases to your account.
• We do not receive or store your payment-card information, your Apple ID password, or your Apple Pay token. Apple processes the transaction.

3.4 Device and technical information

• Device model, operating-system version, app version, language and locale, time zone, and a stable installation identifier.
• Push-notification permissions and, when enabled, tokens issued by Apple Push Notification service or other platform notification services.
• IP address (used by our auth and edge layers for rate-limiting and abuse prevention; see section 3.5).
• User-agent string from any web requests.
• Diagnostic and crash data, log lines, and anonymous performance traces.

3.5 Authentication and security data

• Session tokens and the IP address and user-agent of the device that created the session (used to detect abuse and to log you out of compromised sessions).
• One-time email codes (deleted after they expire or are used).

3.6 Product-analytics events

• Pseudonymous events about how you use the app (for example: "started onboarding", "added booking", "viewed paywall", "tapped notification"). Events include a stable user identifier, a device identifier, the event name, and contextual properties needed to interpret it (for example, the screen name).
• We try to avoid putting free-text or sensitive content into analytics events. We do not put your reservation number, payment information, or password-equivalent secrets in analytics events.

3.7 Communications with us

• If you email support@cruisesignal.app, we receive your email address, the contents of the message, and any attachments.

3.8 What we do not collect

We do not collect precise location, contacts, photos, microphone, camera, health, or biometric data. The app does not include third-party advertising SDKs and does not track you across other companies' apps and websites for advertising.

4. Where we get it

• Directly from you (account creation, booking entry, support emails).
• From your device (technical and diagnostic data).
• From Apple (the user identifier, name, and email returned by Sign in with Apple, plus subscription receipts and entitlement events).
• From RevenueCat (subscription state for your account).
• From Superwall (paywall events for your account).
• From Mixpanel (product-analytics events keyed to a stable user identifier).
• From cruise-line public listings (sailing and pricing data — this is not personal data, but we associate it with your booking when monitoring).

5. How we use it

• To create and authenticate your account.
• To monitor cruise pricing on the sailings you've recorded and to send price-drop and policy-deadline notifications.
• To provide, maintain, secure, and improve the Service (including debugging, reliability monitoring, and fraud prevention).
• To process and validate your subscription via Apple, RevenueCat, and Superwall.
• To respond to your support requests.
• To send transactional messages (sign-in codes, account messages, alerts you have enabled).
• To enforce our Terms and protect the rights, safety, and property of CruiseSignal, our users, and the public.
• To comply with legal obligations.

We do not use your data to make automated decisions that produce legal or similarly significant effects on you.

6. Legal bases (UK / EEA users)

If UK or EU GDPR applies to you, our legal bases are:

• Contract (Article 6(1)(b)): to provide the Service you signed up for, including monitoring your bookings and processing your subscription.
• Legitimate interests (Article 6(1)(f)): to keep the Service secure, prevent abuse, debug errors, measure reliability and usage at an aggregate level, and improve features. You can object at any time (see section 12).
• Consent (Article 6(1)(a)): for push notifications and any optional analytics or communications that require consent in your jurisdiction. You can withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
• Legal obligation (Article 6(1)(c)): to comply with applicable laws, court orders, and regulatory requests.

7. Who we share it with

We share personal information with the categories of recipients listed in section 8 ("sub-processors and service providers"), and additionally:

• Compliance and law enforcement. We may disclose information when we believe in good faith it is required by law, legal process, or government request, or to investigate or prevent a violation of our Terms, fraud, or a threat to safety.
• Business transfers. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred to the successor entity, subject to confidentiality and continued protection consistent with this policy.
• With your direction. If you ask us to share information (for example, to a travel agent), we will.

We do not sell personal information for money, and we do not "share" it for cross-context behavioral advertising.

8. Sub-processors and service providers

We use the following service providers to operate CruiseSignal. They process personal information on our instructions, under written contracts that require them to protect it.

• Apple Inc. — App Store distribution, Sign in with Apple, in-app purchase processing, Apple Push Notification service.
• RevenueCat, Inc. — subscription entitlement management.
• Superwall, Inc. — paywall delivery and conversion analytics.
• Mixpanel, Inc. — pseudonymous product-analytics events.
• Cloudflare, Inc. — Workers compute, edge delivery, Hyperdrive, KV (session cache), and Email Service for transactional sign-in codes.
• Axiom, Inc. — log and OpenTelemetry trace ingestion (used for debugging and reliability).
• Our PostgreSQL database provider — primary application data store.
• Apple Inc. (iCloud Keychain) — local secure storage on your device when you choose to sync your account credentials via iCloud.

A current list of sub-processors and any material changes will be kept on this page. If we add a new sub-processor that materially expands the categories of data processed about you, we will update this section before the change takes effect for your account.

9. International data transfers

CruiseSignal is operated from the United States, and several of our sub-processors are also based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries with data-protection laws different from those in your country.

Where required, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and other lawful transfer mechanisms with our sub-processors. You can request a copy of the safeguards we use by emailing support@cruisesignal.app.

10. How long we keep it

• Account data — kept while your account is active. If you delete your account, we deactivate it promptly and stop active use of the account for the Service. We then delete or anonymize personal information when it is no longer needed for the purposes below and as required by applicable law.
• Booking and price-watch data — kept while the sailing is active and for up to 12 months after the sail date so you can reference history and to allow late-arriving claim adjustments.
• Subscription receipts and billing records — kept for at least 7 years for tax, audit, and dispute purposes (or longer if required by law).
• Authentication logs and security events — kept for up to 90 days for abuse prevention.
• Application logs and traces — typically kept for 30–90 days, depending on the system, for debugging and reliability.
• One-time email codes — deleted on use or expiry, whichever is sooner.
• Backups — encrypted and rotated; deletions in production propagate to backups within the backup-rotation window.
• Support correspondence — kept for up to 3 years after the last interaction.

We may retain information for longer where required by law, to enforce our Terms, to defend legal claims, or to investigate fraud or abuse.

11. How we protect it

We use technical and organizational measures designed to protect your information, including encryption in transit (TLS), encryption at rest where supported by the underlying provider, restricted access to production systems, OAuth-based access from the app, short-lived bearer tokens with session-cache invalidation, environment isolation between development and production, and routine vulnerability and dependency review.

No system is perfectly secure. If we learn of a security incident affecting your personal information, we will notify you and any regulator as required by law.

12. Your rights and choices

Depending on where you live, you may have rights to:

• Access the personal information we hold about you.
• Correct inaccurate information.
• Delete personal information.
• Port a copy of your information in a structured, commonly used format.
• Object to or restrict certain processing, including processing based on legitimate interests.
• Withdraw consent at any time, where processing is based on consent.
• Lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office at ico.org.uk).

To exercise these rights, email support@cruisesignal.app or use the in-app account-deletion option. We may need to verify your identity before completing your request. We will respond within the timeframe required by applicable law (typically 30–45 days), and we will not discriminate against you for exercising a right.

13. U.S. state-specific rights

Residents of California, Virginia, Colorado, Connecticut, Utah, and other U.S. states with comprehensive privacy laws have specific rights, including the right to know what personal information is collected, the right to correct, delete, port, and to opt out of "sale" or "sharing" of personal information. Because we do not sell personal information and do not engage in cross-context behavioral advertising, the opt-out right does not apply in practice; if that ever changes we will update this section and offer a clear opt-out.

13.1 Categories of personal information (CCPA/CPRA)

In the past 12 months we have collected:

• Identifiers (name, email, account IDs, device IDs, IP).
• Commercial information (subscription state, purchase history via Apple).
• Internet or other electronic network activity (app interactions, diagnostics).
• Geolocation only at the country/region level inferred from IP — no precise location.
• Inferences drawn from the above to provide and improve the Service.

We collect these for the purposes described in section 5. We have not "sold" personal information in the preceding 12 months and have not "shared" it for cross-context behavioral advertising.

13.2 Sensitive personal information

We do not collect or use "sensitive personal information" as defined by the California Privacy Rights Act, except for the limited purposes expressly permitted without an opt-out (for example, account authentication and security).

13.3 Authorized agents

California residents may use an authorized agent. We will require written authorization and may verify directly with you.

13.4 Shine the Light

California Civil Code §1798.83 permits residents to request information about disclosures to third parties for direct-marketing purposes. We do not share personal information with third parties for their direct marketing.

14. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete it promptly. If you believe a child has provided us information, contact us at support@cruisesignal.app.

15. Push notifications and email

With your permission, we send push notifications about price drops, policy deadlines, account events, and other Service-related messages. You can disable them at any time in your device settings. Transactional emails (sign-in codes, account messages) are required to use the Service and cannot be disabled while you have an account; closing your account stops them.

16. Analytics and advertising identifiers

We use Mixpanel for pseudonymous product analytics. We do not include third-party advertising SDKs or use the iOS Identifier for Advertisers (IDFA) for tracking, and the app does not request App Tracking Transparency permission to track you across other companies' apps and websites. If that ever changes we will update this section and request your permission as required by Apple's policy and applicable law.

17. Do Not Track and Global Privacy Control

Our website at cruisesignal.app is a marketing site that does not set advertising cookies and does not track you across sites. Browsers' "Do Not Track" and "Global Privacy Control" signals are honored to the extent applicable: because we do not sell or share personal information for cross-context behavioral advertising, there is nothing to opt out of for these signals on the website.

18. Changes to this Policy

We may update this Policy from time to time. If a change is material, we will give reasonable advance notice (in-app or by email) and, where required by law, obtain consent. The "Last updated" date at the top of this page reflects the date of the most recent change.

19. Contact

Privacy questions, requests under section 12 or 13, and complaints about how we handle personal information:

• Email: support@cruisesignal.app
• Controller: Overclock Studio
• EU/UK Article 27 representative: not appointed unless required by applicable law.

If you are in the EU/EEA, the UK, or Switzerland and we have not resolved your concern to your satisfaction, you may contact your local data-protection authority.