Privacy
Privacy Policy
Last updated: June 6, 2026
In Plain English
We collect the minimum information needed to run Theme Park Foodie. We don't sell your data. You can delete your account at any time. If you have questions, contact us.
Information We Collect
When you create an account, we collect:
- Your email address (required for account access and verification)
- A password, stored as a one-way bcrypt hash — we never see or store the plain text
- Optional profile information you choose to add: display name, username, bio, location, country, profile photo, and links to your website or social media
When you use the site, we automatically collect:
- Pages you visit and search queries you run
- Reviews, photos, and lists you create
- Restaurants and menu items you favorite or save
- Users you follow and who follows you
- Your IP address and basic browser information (user agent, language) for security and abuse prevention
- Session cookies that keep you logged in
If you upload photos, we store the image file and any caption you provide.
How We Use Your Information
- To run the service: display your reviews, photos, and profile; deliver search results; keep you logged in
- To communicate with you: account-related emails (verification, password reset, account changes), and — if you opt in — periodic digest emails about new content. We will not email you about anything you haven't opted into.
- To prevent abuse: rate-limiting, spam detection, and moderation of reported content
- To improve the site: aggregated, non-identifying analysis of which features are used and where users get stuck
Information We Share
We do not sell your personal information.
Information you share publicly on Theme Park Foodie — your username, profile, reviews, photos, and lists marked public — is visible to anyone who visits the site.
We share information with the service providers we use to operate Theme Park Foodie:
- Amazon Web Services (hosting, file storage, content delivery)
- Cloudflare (security, DDoS protection)
- Email service providers for transactional and account emails
Each provider is bound by their own privacy commitments and is only given the information necessary to perform their function.
We will share information when required by law, in response to valid legal process, or to protect the safety of our users or the public.
Restaurant and Menu Data
Restaurant and menu information is synced from publicly available data, primarily Disney's own systems. We are not affiliated with The Walt Disney Company. Menus, prices, hours, and availability change frequently — always verify directly with the restaurant.
Your Rights
You can:
- Edit your profile information at any time from /settings
- Delete your account at any time. Until self-service deletion ships, use the contact form and we will process your request within 30 days.
- Export your data — request a portable copy of your reviews, photos, lists, and profile. Until self-service export ships, contact us for a manual export.
- Object to processing or request correction of your information by contacting us
- Withdraw consent for optional emails by clicking unsubscribe in any email, or by updating preferences in /settings
If you are in the European Economic Area, the United Kingdom, or California, you have additional rights under the GDPR, UK GDPR, and CCPA respectively. Contact us to exercise any of these rights and we will respond within 30 days.
Cookies and Tracking
We use:
- Essential cookies to keep you logged in and protect against cross-site request forgery. These cannot be disabled while you use the site.
We do not currently use:
- Advertising or marketing cookies
- Cross-site tracking pixels
- Third-party analytics
If we add analytics in the future, we will update this policy and provide an opt-in / opt-out mechanism for non-essential cookies.
Children's Privacy
Theme Park Foodie is not directed at children under 13, and you must be at least 13 years old to create an account. We do not knowingly collect information from children under 13. If you believe a child has provided us with information, please contact us and we will delete it.
Data Retention
- Active accounts are retained while the account is active
- Deleted accounts: profile and personal information are removed within 30 days. Anonymized review and photo records may be retained where they have been integrated into community-wide ratings; in those cases all personal identifiers are stripped.
- Logs: web server and application logs are retained for up to 90 days for security and debugging
- Email lists: addresses are removed within 30 days of an unsubscribe request
Security
We protect your information with:
- HTTPS encryption for all traffic
- Bcrypt password hashing
- Redis-backed sessions with secure, HTTP-only cookies
- Regular dependency updates and security reviews
No system is perfectly secure. If you discover a vulnerability, please report it to us privately via the contact form before disclosing it publicly.
Changes to This Policy
We may update this policy from time to time. When we make material changes, we will update the "last updated" date at the top of this page and, where appropriate, notify you by email or a site-wide notice. Continued use of Theme Park Foodie after a change constitutes acceptance of the updated policy.
Contact Us
Privacy questions, requests, or concerns — send a note via the contact form. For formal data subject requests (deletion, export, correction), please write "Privacy Request" in your message subject.