Privacy by architecture
Your meals, your family, your kitchen — none of it leaves your iCloud.
Meal planning is intimate. Who’s home tonight, what your kid won’t eat, what your spouse is allergic to, what you cook when you’re tired. We didn’t want to be the company that has that file on you.
So we built WFD on top of your own iCloud, not on a server we control.
How your data flows
Every meal in your library, every dinner you’ve logged, every shopping check, every Queue item, every shared household — all of it lives in your private CloudKit container. That’s a per-user data store provided by Apple. We don’t have a database. We literally cannot see your library because there’s no place for us to look.
When you share a household with your spouse, the data sync happens between your two iCloud accounts using Apple’s CloudKit sharing. We aren’t in the middle. Your spouse sees your meals because Apple’s infrastructure delivered them — not because our server forwarded a copy.
How the AI features work
WFD uses three kinds of intelligence, in this order of preference:
1. Apple Intelligence (on-device). Voice transcription, the “Ask WFD” voice assistant, the meal photo matching — these run entirely on your iPhone. Nothing leaves the device.
2. Your iCloud (the CloudKit mirror). Household sync, photo sync, allergy info, shared meal libraries — all of it moves device-to-device through your Apple ID. We don’t host any of it.
3. Our recipe assistant API. A handful of features ask our Worker on api.donbon.com for help — auto-filling ingredients for a new meal, suggesting cooking instructions for a recipe, fetching a stock photo. When this happens, we send:
- The meal name (e.g., “Spaghetti Bolognese”)
- A list of ingredients (when you have them)
- The cuisine and approximate cooking time
We don’t send your name, your account, your device identifier, your other meals, your family info, your shopping list, or your history. Our Worker logs only a hash of the request (for caching) — not the content.
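An added example, not WFD's own code, of the pattern described above: the app builds the request from an allowlist, and the Worker derives a cache key and logs only that key. The field names, the log record shape and the use of Node's crypto module (so it runs offline) are assumptions.

```javascript
const { createHash } = require("node:crypto");

// Assumed field names for the three items the page lists.
const ALLOWED = ["mealName", "ingredients", "cuisine", "cookingMinutes"];

// App side: copy allowlisted fields only. Deleting fields from the full
// record (a denylist) would leak any field added to the model later.
function buildAssistantRequest(meal) {
  const body = {};
  for (const k of ALLOWED) if (meal[k] !== undefined) body[k] = meal[k];
  return body;
}

// Worker side: refuse bodies that carry anything outside the allowlist.
function validate(body) {
  const extra = Object.keys(body).filter((k) => !ALLOWED.includes(k));
  if (extra.length) throw new Error("unexpected fields: " + extra.join(","));
  if (typeof body.mealName !== "string" || !body.mealName.trim()) {
    throw new Error("mealName required");
  }
}

// Cache key: SHA-256 over a canonical form, so case and ingredient order
// do not produce different keys for the same request.
function cacheKey(body) {
  validate(body);
  const norm = (s) => String(s).trim().toLowerCase();
  const canonical = JSON.stringify([
    norm(body.mealName),
    (body.ingredients || []).map(norm).sort(),
    norm(body.cuisine || ""),
    body.cookingMinutes ?? null,
  ]);
  return createHash("sha256").update(canonical).digest("hex");
}

// The log record holds the key and nothing from the request body.
function logRecord(body) {
  return JSON.stringify({ event: "assist", key: cacheKey(body) });
}

// Constructed sample: a local record with fields that must stay on device.
const localMeal = {
  mealName: "Spaghetti Bolognese", ingredients: ["Ground beef", "Tomato"],
  cuisine: "Italian", cookingMinutes: 45,
  householdId: "hh-constructed-1", allergies: ["peanut"],
};
console.log(logRecord(buildAssistantRequest(localMeal)));
```

An unkeyed hash of a short input such as a meal name can be matched by hashing candidate names, so it works as a cache key rather than as anonymisation. Where log entries must not be linkable to content, a keyed hash (HMAC with a server-side secret) is the usual substitute.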
What we don’t do
We don’t run analytics. We don’t have ads. We don’t sell your data because we don’t have your data. We don’t recommend brand-name ingredients because no brands pay us to do that. Our recipe suggestions come from a general-purpose model with no commercial bias toward what Whole Foods is selling this week.
There’s no community feed because there’s no community we’re cultivating. We don’t want to be the social network of dinner. We want to help your family decide what to eat tonight and then move on with our day.
The architecture in one line
If we deleted our database tomorrow, your app would still work. Because we don’t have a database.
If “we take privacy seriously” makes you skeptical, you’re our customer.