Privacy Policy

Last updated: April 28, 2026

PopcornStack is built and operated by Michael Reynolds as an individual developer ("we," "our," "us"). This policy explains what data the PopcornStack iOS app collects, why, where it's stored, and what rights you have over it. We've kept it short and in plain language. If anything is unclear, email us at the address at the bottom.

What we collect

We collect only what's needed to make PopcornStack work for you.

Your email address. When you sign in via the email-code flow, you give us your email so we can send you a one-time login code. We use this email solely as your account identifier and to deliver login codes — never for marketing.

Your Apple identifier (only if you use Sign in with Apple). If you choose Sign in with Apple, Apple gives us either your real email or a private relay address (your choice). We use it the same way as a regular email — it identifies your account. We never see your Apple password or any other Apple Account information.

Your library. The movies, TV shows, and games you add to PopcornStack, along with their metadata (title, poster URL, release year, content rating, streaming providers, platforms) and your watched/played status for each. We need this to actually be the app — without it, your list wouldn't sync.

A login session. After you sign in, an authentication token is stored locally on your device's Keychain so you don't have to sign in again every time you open the app. This token is invalidated when you sign out or delete your account.

We do not collect: your location, contacts, photos, calendar, microphone, camera, advertising identifier, device identifier (beyond what Apple's standard auth flow provides), payment details, or any analytics about how you use the app.

Where your data is stored

Supabase, Inc. (supabase.com) hosts our database and handles authentication. Your email and library items are stored there in a database protected by row-level security so that your account can only access its own rows. Supabase processes data on AWS in the United States.

Sign in with Apple (only if used): Apple processes the authentication request itself. We never see your Apple credentials.

That's it for storage. The app on your phone keeps a local cached copy of your library for offline reads, but the source of truth is Supabase.

Third-party services we call

To enrich your library with posters, ratings, and platforms, the app makes anonymous API calls to two metadata providers:

• TMDB (themoviedb.org) — for movies and TV show metadata, including streaming-availability information powered by JustWatch.
• RAWG (rawg.io) — for video game metadata, ESRB ratings, and platforms.

These calls send only the search term you typed, or the public ID of an item already in your library. They contain no information that identifies you: no email, no IP-address-based identifier we control, no user ID. The receiving service may log the request itself per their own privacy practices.

How long we keep your data

We keep your account and library indefinitely while your account exists. The moment you delete your account (Account → Delete account in the app), we permanently remove your authentication record and every saved library item. There is no soft-delete and no recovery — once it's deleted, it's gone.

If you stop using the app without deleting your account, we still keep your data so it's there if you come back. You can delete at any time.

Your rights

You can:

• See your data — every item we have on you is visible in the app's three list tabs and on the Account screen.
• Delete your data — Account → Delete account in the app removes everything immediately. We do not require a request via email or any other channel.
• Stop sign-in codes from being sent — simply stop using the email-OTP flow; we won't send a code unless you request one.
• Export your data — not yet built into the app. If you'd like an export, email us at the address below and we'll send a JSON file of your library within 30 days.

If you're in the EU/UK, you also have the right to: access, rectification, erasure (covered above), restriction of processing, data portability (covered above), objection, and lodging a complaint with your supervisory authority. The legal basis for our processing is the contract you have with us when you create an account (GDPR Article 6(1)(b)).

If you're in California, the CCPA gives you the rights to know, delete, and not be discriminated against for exercising your rights. We do not sell your personal information and never have.

Children

PopcornStack is not directed at children under 13 (or under 16 in the EU). We don't knowingly collect data from children. If you believe a child has created an account, contact us and we'll delete it.

Changes to this policy

If we materially change this policy we'll update the "Last updated" date at the top and, where required by law, notify you in the app. Continued use of PopcornStack after the change means you accept the updated terms.

Contact

For any privacy question, request, or complaint, email michael@michaelreynolds.com. We aim to respond within 7 days.