Privacy Policy
Last updated: 25 April 2026 · Effective: 25 April 2026
Limetta ("we", "us", "our") is developed
and operated by Karehub (sole trader, Düsseldorf, Germany). We take your privacy seriously.
This policy explains what data we collect, why, and your rights under the General Data
Protection Regulation (GDPR / EU 2016/679).
1. Who we are (data controller)
Karehub
Kruppstraße 95, 40227 Düsseldorf, Germany
Contact: privacy@karehub.io
2. What we collect and why
- Account data (email address, hashed password or OAuth identifier) — to create and authenticate your account. Legal basis: contract performance (Art. 6(1)(b) GDPR).
- Health profile (health conditions you voluntarily enter, e.g., diabetes, hypertension; allergies) — to personalise your nutrition analysis. Legal basis: your explicit consent (Art. 9(2)(a) GDPR). You can delete this at any time.
- Scan history (products you scan, analysis results) — to show your history and produce weekly reports. Legal basis: contract performance.
- Device push token (iOS APNs / Android FCM token) — to send you notifications you request. Legal basis: consent. You can revoke at any time via device settings.
- Measurement data (height, weight, date of birth, if voluntarily entered) — to provide contextual nutrition advice. Legal basis: consent.
We do not sell your data to any third party. We do not
use your health data to train AI models.
3. AI / LLM processing
Product label images and extracted text may be sent to Groq
(groq.com) for OCR and AI-powered nutrition explanations. We do not send personally
identifiable information or health condition data to LLM providers — analysis is
performed server-side with your profile data staying on our servers.
4. Third-party services
- Groq — AI inference (OCR, explanations). Data: food label text only.
- Open Food Facts — Product database (barcode lookups). Requests are anonymous.
- OpenFDA — Recall alerts (anonymous public API).
- Apple APNs / Google FCM — Push notification delivery.
- MailerSend — Transactional email (verification, password reset).
- Google Sign-In / Apple Sign-In — Optional OAuth login.
5. Data retention
Account data is retained while your account is active. You can permanently delete
your account and all associated data from the Profile → Settings → Delete Account
screen. After deletion, we purge your data within 30 days.
6. Your rights (GDPR)
- Access — request a copy of all data we hold about you.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — delete your account and data.
- Portability — export your scan history as JSON.
- Restriction / Objection — restrict or object to certain processing.
- Withdraw consent — at any time for health data or push tokens.
To exercise any right, email privacy@karehub.io.
We respond within 30 days. You also have the right to lodge a complaint with your local
data protection authority (Germany: BfDI, bfdi.bund.de).
7. Security
All data in transit is protected by TLS. Passwords are never stored — only bcrypt
hashes. Auth tokens are signed JWTs. Health data is stored in a PostgreSQL database
on EU infrastructure.
8. Children
Limetta is not directed at children under 16. We do not knowingly collect data
from children. If you believe a child has created an account, contact
privacy@karehub.io.
9. Changes to this policy
We will notify you of material changes via the email address on your account. The
"last updated" date at the top of this page always reflects the most recent version.
Questions? privacy@karehub.io