Plainly written. No dark patterns.

Limetta exists to help you make safer decisions about what you eat. That only works if you trust us with your health profile — and that trust starts here.

• We collect the minimum we need to calibrate scans for your body — nothing more.
• Your health data is encrypted on your device and never sold, rented, or shared with advertisers, insurers, or data brokers.
• We have no advertising business. There’s no second product behind the curtain — you are not it.

We collect three categories of information, and only these three.

Health profile. The conditions, allergies, dietary preferences, and biometric inputs you choose to add when you set up Limetta. You decide what to share. You can edit or delete any field at any time.

Scan history. The products you scan and the safety scores we generated for them. This lets you revisit past verdicts and lets us improve calibration over time.

Operational metadata. Anonymised, aggregated usage data — crash logs, latency, feature adoption — used only to keep the app working. Never tied to your identity or health profile.

Your health profile is used to calibrate the safety score for every product you scan. The cross-reference happens on-device wherever possible. When server-side computation is required, the request carries only the calibration parameters needed for that scan — never your name, never your full profile.

Scan history is stored to let you revisit past results. You can clear individual entries or wipe the entire history from Settings.

Operational metadata is used to debug, measure performance, and prioritise the next set of clinical calibrations to ship. We do not use it for targeting, profiling, or behavioural advertising.

Your health profile and scan history live encrypted on your device. If you turn on iCloud or Google backup, an encrypted copy syncs to your personal cloud account — accessible to you, never to us.

The only data that touches our servers is the anonymised calibration payload required to compute a score for a given scan, and the operational metadata above. Both are encrypted in transit (TLS 1.3) and at rest.

Limetta uses a small number of third-party providers. We chose them for security posture, not just price.

Apple App Store / Google Play. Handle install, purchase, and subscription billing per their own privacy policies. We never see your full payment method.

Crash reporting. Stack traces and device metadata are sent to a self-hosted crash reporter to help us fix bugs. No health profile or scan content is ever included in a crash report.

Hosting. Calibration servers run on EU-resident infrastructure with isolated tenancy. We do not use third-party analytics SDKs that aggregate behavioural data across apps.

You can export everything we have on you, in machine-readable form, from Settings → Privacy → Export my data. You can erase your account and all associated data from the same screen — the request completes within 72 hours, including backups.

If you’re in the EU, UK, California, or another jurisdiction with comparable rights (GDPR, CCPA/CPRA, UK GDPR), the rights there — access, rectification, portability, erasure, restriction, objection — apply, and we’ll honour them without dark patterns.

Limetta is intended for users 16 and older. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal information, contact us and we’ll delete it.

When something material changes — what we collect, who we share it with, where it’s stored — we’ll notify you in-app before the change takes effect. We won’t bury it in a shipping note.