Privacy Policy
Lemon App OÜ · Last updated: 21 April 2026
1. Who we are
Lemon App OÜ (“lemon”, “we”, “us”, “our”) is a company registered in Estonia (EU) that operates the lemon mobile application (“the App”). We are the data controller for personal data processed through the App.
Contact: privacy@getlemon.app
2. What data we collect
| Data | Purpose | Legal basis |
|---|---|---|
| Email address and name | Account creation and authentication | Contract performance |
| Temperature logs, delivery records, checklist responses | Core food safety record-keeping service | Contract performance |
| Location name and team membership | Multi-user collaboration | Contract performance |
| Device push token | Sending reminder notifications (when enabled) | Legitimate interest |
We do not collect precise geolocation, contacts, photos, health data, financial data, advertising identifiers, crash reports, or usage analytics.
3. How we use your data
We process your data solely to:
- Provide and maintain the food safety record-keeping service.
- Authenticate your account and manage team access.
- Generate inspection-ready PDF reports on your device.
- Send push reminders for missed checks (if you opt in).
- Diagnose and fix technical issues.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. Where your data is stored
Your data is stored on Google Cloud (Firebase) servers in the EU multi-region (eur3 - europe-west). Data does not leave the European Economic Area except where required by sub-processors listed below.
5. Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud / Firebase | Authentication, database, hosting | EU (eur3) |
| Apple Inc. | App distribution (App Store), push notifications | USA |
| Google LLC | App distribution (Play Store), push notifications | USA |
| Expo / EAS | Over-the-air updates, build service | USA |
| Neon | PostgreSQL database (marketing site CMS admin accounts and published content) | EU |
| Vercel Inc. | Marketing site hosting, build infrastructure, edge delivery | USA (global edge network) |
Standard Contractual Clauses (SCCs) are in place for any transfer outside the EEA.
6. Data retention
- Account data: retained while your account is active. Deleted within 30 days of account deletion.
- Food safety records: retained for the duration of your subscription plus 2 years (to cover the standard EHO inspection lookback period). You may export your data at any time via the App's export feature.
7. Your rights (GDPR)
As a data subject in the EU/EEA/UK, you have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Erase your data (“right to be forgotten”).
- Port your data (export via the App).
- Object to processing based on legitimate interest.
- Restrict processing in certain circumstances.
- Withdraw consent at any time where processing is consent-based.
To exercise any of these rights, email privacy@getlemon.app. We will respond within 30 days.
8. Security
We use industry-standard security measures including:
- Encrypted connections (TLS) for all data in transit.
- Firebase Authentication with secure password hashing.
- Firestore security rules enforcing role-based access control.
- No storage of payment card data (subscriptions are handled by Apple/Google).
9. Children
The App is not directed at children under 16. We do not knowingly collect personal data from anyone under 16.
10. Changes to this policy
We may update this policy from time to time. We will notify you of material changes via the App or email. The “Last updated” date at the top indicates the current version.
11. Contact and complaints
Lemon App OÜ
Email: privacy@getlemon.app
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority or the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).