Casameal logo ← Back to homepage

Privacy Policy

Effective Date: November 28, 2025

Lux Mentis Limited ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Casameal mobile application, website, and related services (collectively, the "Service"). It also describes your rights and choices regarding your personal data, including important information for residents of certain jurisdictions like California (under the CCPA) and the European Economic Area (under the GDPR).

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our practices, please do not use the Service. We encourage you to read this Policy carefully and contact us if you have any questions.

1. Information We Collect

We collect several types of information from and about users of our Service. This includes information you provide directly, information collected automatically, and information from third parties.

Information You Provide to Us:

  • Account Information: When you register or use our Service, you may provide personal identifiers such as your name, email address, username, and password. If our Service allows social or third-party logins, we may receive your basic profile info (like name and email) from those services with your consent.
  • Profile and Health Data: You might provide us with personal details related to nutrition and health to personalize the Service. For example, you may input data such as your age, gender, height, weight, fitness level, dietary preferences or restrictions (e.g., vegetarian, gluten-free), health goals, or any relevant medical conditions. You may also log or enter information about foods you eat, ingredients you have, recipes, meal plans, exercise routines, or other lifestyle information.
  • User-Generated Content: If the Service includes features like allowing you to write notes, save meal plans, upload photos (e.g., of meals or ingredients), or any other content, we will collect whatever content you choose to upload or save. This can include text, images, or other media you provide. Note that content you generate may reveal personal information about you (for example, a note about a meal might indicate a health condition or dietary choice).
  • Communication Data: If you communicate with us (for example, via customer support requests, emails, or in-app feedback forms), we will collect the information you provide in those communications. This may include your contact details and the contents of your message or inquiry.
  • Payment Information: If you purchase a subscription or make other payments through the Service, you may provide payment details. Payments are processed by third-party processors (such as Apple App Store, Google Play, or Stripe). We do not store full credit card numbers or payment account information on our own servers. However, we may store limited payment-related information, such as your transaction history, the type of subscription purchased, and billing address (if needed for tax or billing purposes).

Information We Collect Automatically:

When you use our Service (especially the mobile app or website), certain information is collected automatically about your device and usage of the Service. This may include:

  • Device Information: We receive data about the device and software you use to access the Service. This may include your device type (e.g., iPhone, Android phone, computer), operating system version, device identifiers (such as IDFA or Android Advertising ID, if you have not limited ad tracking), device language and region, network type, and app version.
  • Usage Data: We collect information on how you interact with the Service. This includes features you use, pages or screens you view, the date/time of your visits, the recipes or content you click on, and the referring webpage or app that led you to our Service. For example, we might log how often you use the app each week, or which AI-generated suggestions are requested.
  • Analytics Data: We use analytics tools (for example, built-in analytics or third-party services) that record events and usage information. This can include crash reports, performance metrics, and user interface interactions. Such data helps us understand and improve app performance and user experience.
  • Location Information: We do not ask for precise GPS location, but we might infer your general location (country, city) based on your IP address or region selection to tailor content (e.g., showing local units of measure or language) or for compliance (like regional legal requirements). If we ever desire to collect precise location for specific features, we would ask for your explicit consent. In any case, approximate location may be collected through analytics or ad networks for purposes like analytics and targeted advertising (as allowed by your device settings).
  • Cookies & Similar Technologies: Our website (if you use it) and possibly the app (for certain functionalities) use cookies, pixels, and similar tracking technologies. Cookies are small data files stored on your browser or device. We (and authorized third parties) use these to remember your preferences, secure your account, and collect information about your usage of the Service. For example, we may use cookies to keep you logged in on our website, or to track aggregate usage. We also use tracking pixels and SDKs from advertising partners (like AdMob or TikTok Pixel) which might set cookies or use device identifiers to track user behavior across apps and sites for ad targeting and analytics (see Section 3: Third-Party Services & Advertising for details).

Information from Third Parties:

  • Third-Party Login Providers: If you register or log in via a third-party account (like Sign in with Apple, Google, or others), we receive information from those providers as authorized by you (typically your name and email, possibly a profile photo).
  • Service Providers: We may receive additional information about you from service providers and partners we work with. For instance, our analytics providers might provide aggregated demographic insights (e.g., estimated age range or interests based on your usage patterns). Or if you make a payment, our payment processor might send us confirmation of your payment and subscription status.
  • Advertising Partners: We may obtain information from third-party advertising networks or social media platforms about your interactions with our ads (for example, if you clicked on an ad for our Service on a platform and then signed up). This helps us evaluate the effectiveness of our advertising campaigns.
  • Combined Data: We may combine information from these various sources (information you provide, information collected automatically, and information from third parties) to form a more complete profile of your preferences, to better customize the Service and our communications to you. For example, combining your input preferences with usage data could help us suggest better content.

We will only collect sensitive personal data (like health information, e.g., medical conditions or biometric data) if you voluntarily provide it and with your consent, as needed for the Service's functionality (for example, if you input a medical condition to avoid certain foods). We treat such information with extra care.

2. How We Use Your Information

We use the personal information we collect for a variety of purposes in operating our Service and business. The primary purposes include:

  • To Provide and Personalize the Service: We use your data to operate the Service's core functions. For example, your profile information (age, weight, goals, etc.) and input data help generate personalized meal plans, recipes, nutritional advice, and AI-driven content tailored to you. The Service may use your inputs to analyze nutrition or suggest adjustments. Without your data, these personalized features cannot function.
  • To Improve and Develop the Service: Usage and analytics data help us understand how users interact with our Service, which features are popular, and where issues may be occurring (such as crashes or confusing interfaces). We use this information to troubleshoot problems, optimize performance, and develop new features. For instance, if many users request a particular nutrition analysis, we might focus development efforts there. We may also use recipes and your related information to train and improve the AI model, and this is strictly anonymized.
  • To Communicate with You: We may use your contact information (email or in-app notifications) to send you service-related communications. This includes confirmations (such as welcome emails or purchase receipts), technical notices, updates on changes to terms or policies, security alerts, or support messages. We may also send motivational messages or tips if you have opted in (for example, a weekly summary of your progress or new recipe suggestions). If you contact us with questions or for support, we will use your information to respond.
  • To Send Marketing Materials: With your consent (or as otherwise permitted by law), we might send you promotional communications about new features, special offers, newsletters, or other products and services that may be of interest. You can opt out of marketing emails by using the unsubscribe link in those emails or adjusting your account settings. We will not spam, and we typically only send marketing if you've agreed to it or have an existing relationship with us that permits it.
  • For Advertising and Analytics: We may use collected data to serve you personalized advertisements and measure how effective our advertising is. For instance, we might use information about your use of the app to show you ads that are more relevant, either within our app (through AdMob, etc.) or on other platforms (like showing you an ad on social media for a premium feature if you're a free user). We also use data to analyze and report on the reach and effectiveness of our marketing campaigns (e.g., seeing how many people clicked an ad and installed the app).
  • To Enforce Our Terms and Protect Our Rights: We may use your information to enforce our Terms of Service and other usage policies. This includes monitoring for potential violations, fraud, or misuse of the Service. If necessary, we will use data to investigate and address unlawful activities, security issues, or technical problems. We may also use information as evidence in legal or regulatory proceedings affecting us.
  • To Comply with Legal Obligations: If we are subject to certain legal requirements, we might need to use or retain your data to comply. For example, maintaining transaction records for tax and accounting purposes, or responding to lawful requests by public authorities (such as complying with court orders or lawful subpoenas).
  • Aggregated and De-Identified Uses: We may aggregate or anonymize personal data so it can no longer be linked to any specific individual (for example, compiling user statistics or survey results). We use such aggregated information for research, analysis, and improvement of the Service, and we may also use it for business insights. This kind of data does not identify you personally and may be shared with third parties (such as research partners or in public reports) in its anonymized form.

Legal Bases for Processing (GDPR): If you are in a region governed by GDPR (such as the EEA or UK), we process your personal data under the following legal bases:

  • Contractual Necessity: Much of our data processing is to provide the Service per our contract (the Terms of Service) with you. For example, processing your data to give personalized diet recommendations is necessary to perform our contract by delivering the promised Service.
  • Legitimate Interests: We process certain data for our legitimate business interests, which include improving our Service, understanding our users, and marketing our services. We ensure that our legitimate interests are balanced with your data protection rights. For instance, using analytics to improve functionality falls under this basis.
  • Consent: In some cases, we rely on your consent. For instance, we obtain your consent to send you marketing emails, or to collect any sensitive health information you choose to input. You have the right to withdraw your consent at any time (for example, by unsubscribing from marketing or deleting sensitive data from the app), which will not affect the lawfulness of processing based on consent before its withdrawal.
  • Legal Obligation: When required, we process data to comply with laws and regulations, such as keeping records for tax, legal requests, or to meet accountability obligations under privacy laws.

If you have any questions about the specific legal basis for a particular processing activity, you can contact us for more information.

3. How We Disclose or Share Information

We understand that your personal information is important, and we only share it with others in certain circumstances. We do not sell your personal information to third parties for money. However, some sharing of data is necessary for the Service to function and for other purposes described below. The categories of third parties with whom we may share your information include:

  • Service Providers (Processors): We share information with third-party companies and individuals who perform services on our behalf (commonly known as "service providers" or data processors). These parties assist us in operating and supporting the Service and only process your data under our instructions and for the purposes we specify. Key service providers include:

    • OpenAI: We send the content you input (such as your questions or prompts) and relevant context to OpenAI's API in order to generate AI-driven responses and suggestions. OpenAI will process that data to return an output. We do not send directly identifying information like your name or email to OpenAI, but your use of the AI features means that data you input for those features (which could indirectly include personal information if you include it in a prompt) is handled by OpenAI. OpenAI is a service provider to us for AI functionality, and their use of the data is governed by their own terms and privacy policy. We have agreements in place to protect your data to the extent possible when using their service.
    • Amazon Web Services (AWS): We utilize AWS cloud infrastructure to host our application and store data. Thus, any data you provide may be stored on AWS servers (which may be located in data centers outside of your home country, e.g., in the United States or other regions). AWS acts as our data storage provider. They do not access your data except as needed for storage and computing purposes.
    • RevenueCat: We use RevenueCat to manage in-app subscriptions and purchases across platforms. RevenueCat helps us handle subscription status (e.g., whether you are a free or paid user) by integrating with Apple's and Google's in-app purchase systems. RevenueCat receives identifiers related to your account and device and subscription status, but generally not sensitive personal data beyond what's needed to validate purchases. Their role is to ensure your subscription is active and coordinate with the app stores.
    • Stripe: If we offer web-based purchases or subscription payments outside of the app stores, we use Stripe as our payment processor. When you provide payment details on our website, those details go directly to Stripe (not through our servers, except perhaps a token or transaction ID). Stripe may process your name, card info, billing address, and email for payment processing and will inform us of the result (success/failure). Stripe is PCI-DSS compliant and is prohibited from using your personal information for any purpose other than to provide payment services.
    • Email/Communication Providers: We may use third-party email services (like SendGrid, Mailchimp, or others) to send verification emails, newsletters, or support messages. These providers would have access to your email address and the content of emails we send to you.
    • Firebase: We use Firebase services provided by Google, including Firebase Cloud Messaging ("FCM") for sending push notifications. Firebase may collect device identifiers, IP addresses, and general device information to deliver notifications. For more information, please see Google's Privacy Policy: https://policies.google.com/privacy

    • Analytics Services: We might use analytics tools such as Google Analytics (for web) or other mobile analytics SDKs to collect and analyze usage information. These tools may set cookies or use device identifiers to gather usage data. The data shared with them typically includes things like device info, actions taken in the app, and general location info. They help us understand user engagement and improve the Service.

      All our service providers are bound by appropriate confidentiality and data protection obligations. They cannot use your information for their own purposes and must process it only for the specific tasks we've hired them to do.

  • Advertising and Marketing Partners: We may allow third-party advertising networks and marketing partners to collect information on our Service to help us serve ads and promote our Service. For example:

    • Advertising Networks: We have integrated AppLovin (and possibly similar ad networks like AdMob, Liftoff) into our app to show ads. These partners may collect device identifiers (like your Advertising ID), coarse location (e.g., via IP address for regional targeting), and information about your interactions with ads in our app. They use this information to serve you relevant ads within the app and to measure ad performance. Ad networks may also combine this info with data from other apps or websites to build ad profiles (subject to your device privacy settings). We do not share directly identifying personal data (like your name or email) with ad networks, but they might collect pseudonymous identifiers from your device.
    • Analytics/Tracking Pixels: We use tools like the TikTok Pixel or Facebook Pixel on our website or marketing pages. These trackers help us understand how effective our ads are on those platforms by informing us if users who saw or clicked an ad took actions like signing up or purchasing. The pixels may send hashed identifiers or cookie information back to the platform (e.g., TikTok, Facebook) to match users and track conversions. This could be considered a "sale" or "sharing" of data under some privacy laws (because we're allowing another company to use data for cross-context advertising), even though we do not exchange money for it. We honor applicable laws for such tracking (see "Do Not Sell/Share" below).

    • Marketing Partners: If we run a promotion jointly with another company or use a service to manage surveys, contests, or referrals, we might share relevant information with those partners solely for the purpose of that activity. We will inform you at the time of collection if your information will be shared in such a way and get consent if required.

      Your Choices: You can often control or limit data sharing with advertising partners by adjusting your device privacy settings (e.g., reset or limit ad identifier tracking on your phone) or through in-app settings if we provide them (such as toggling personalized ads off, where required). For web tracking, you can use browser settings or extensions to block cookies/pixels. See Section 5: Your Rights and Choices for more opt-out options, including the "Do Not Sell My Personal Information" link for California residents.

  • Affiliates: We may share your information with our subsidiaries, parent company, or other companies under common ownership or control (i.e., our corporate "family"), if any exist in the future. Any such affiliates will be required to honor this Privacy Policy and only use your information as we direct. For example, if Lux Mentis Limited establishes a branch or affiliate in another country to help provide customer support or marketing, your data might be accessed or processed by that affiliate.

  • Business Transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be disclosed or transferred as part of that transaction. We would ensure that any new owner or successor entity is bound by terms protecting your personal information consistent with this Privacy Policy. You would be notified via email or a prominent notice on our Service of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information in such an event.
  • Legal and Safety Reasons: We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to:
    • Comply with a legal obligation, such as a court order, subpoena, or other government demand (we will attempt to notify you of such requests when permitted to do so).
    • Protect and defend the rights, property, or safety of Lux Mentis Limited, our users, or others. This includes enforcing our Terms of Service or other agreements, or investigating potential violations thereof.
    • Detect, prevent, or otherwise address fraud, security, or technical issues (for instance, if you report a security vulnerability or we detect malicious activity in your account, we might share details with law enforcement or security consultants).
    • Cooperate with law enforcement or regulatory agencies in case of an investigation (e.g., regarding public safety, illegal activities, or if someone's life or health is at risk).
  • With Your Consent: In cases where we want to share your information in ways not covered by this Privacy Policy, we will seek your consent. For example, if we ever wanted to post a user testimonial or success story on our site using your name or personal details, we would ask for your explicit permission. Or if a new feature involves sharing data with a third party not already listed, we might present you with a consent mechanism.
  • Aggregated or De-Identified Data: We may share aggregated, anonymized data that cannot reasonably be used to identify you. For instance, we might publish reports or insights like "X% of our users follow a vegetarian diet" or average nutritional intake statistics among our user base. This information will not contain personal details and is typically used for industry research, marketing, or trend analysis.

No Sale of Personal Information (for Monetary Consideration): We do not sell your personal details (name, email, etc.) to data brokers or telemarketers for money. However, as explained, certain uses of data for advertising may be considered a "sale" or "sharing" under broad privacy laws definitions. Please see the next section for your rights to opt-out of such practices.

4. Cookies and Tracking Technologies

Our Service uses cookies and similar tracking technologies to distinguish you from other users, to improve your experience, and to analyze and promote our Service.

Cookies: Cookies are small text files stored on your browser or device. Our website (and possibly certain parts of the app) uses cookies for various purposes:

  • Necessary Cookies: These are essential for the Service to function, such as remembering your login session or preferences. Without them, certain features (like staying logged in) would not work.
  • Analytics Cookies: We use these to count visitors and see how users move around our site or app. This helps us improve the way our Service works (for example, by ensuring users find what they need easily). We might use Google Analytics cookies to collect aggregated information about usage.
  • Functional Cookies: These help personalize your experience, for example by remembering choices you've made (like your preferred unit of measurement or language).
  • Advertising Cookies: These cookies record your visit to our Service, the pages you have visited, and the links you have followed. They are used to deliver ads more relevant to you and your interests, both on our Service and on other sites or apps. They also limit the number of times you see an ad and help measure the effectiveness of ad campaigns. We integrate with third-party advertising networks (like Google AdMob) that may set cookies or use device identifiers to track ad performance.

If you use our mobile application, instead of cookies, we and our partners may use device identifiers and SDKs for similar tracking purposes. For example, the app might store a unique user ID or token on your device to remember your session, and AdMob uses your device's Advertising ID for ad personalization (subject to your device settings).

Web Beacons and Pixels: Our emails and website may contain tiny electronic files known as web beacons (or clear gifs, pixel tags, tracking pixels) that track actions like whether an email was opened or a link was clicked. This helps us gauge the effectiveness of our communications and marketing. On our website, pixels from platforms like Facebook or TikTok may track if you take certain actions (like clicking a sign-up button), which then allows us to measure conversions from our ads on those platforms.

Your Choices for Cookies:

  • Browser Settings: You can set your web browser to refuse all or some browser cookies, or to alert you when cookies are being set. Each browser is different, but look at your browser's Help or Settings menu for instructions on how to modify cookie preferences. Please note: if you disable or refuse cookies, some parts of our Service (especially on the web) might become inaccessible or not function properly (like staying logged in).
  • Device Settings: On mobile devices, you can usually limit ad tracking or reset the advertising identifier in your privacy settings (for example, on iOS go to Settings > Privacy > Tracking, or on Android go to Google Settings > Ads). This won't eliminate ads but will limit personalized ads tied to your device.
  • Analytics Opt-Out: For Google Analytics, you can install the Google Analytics Opt-Out Browser Add-on if you want to prevent your data from being used by Google Analytics on websites.
  • Do Not Track: Our website does not currently respond to "Do Not Track" (DNT) signals. DNT is a setting in some browsers that sends a signal to websites requesting not to track your activities. Because there is not yet a universal standard for recognizing and implementing DNT signals, we treat DNT signals like other browser requests (we do not respond differently to them). However, we respect Global Privacy Control (GPC) signals for California residents to the extent required (see below in CCPA section).
  • Cookie Banner: If required by law (for example, in EU jurisdictions), our website will display a cookie consent banner on your first visit, allowing you to accept or reject certain categories of cookies. You can adjust those preferences at any time via our Cookie Settings link.

5. Your Rights and Choices

Depending on your location and applicable privacy laws, you have certain rights regarding your personal information. We strive to provide all users with transparency and control over their data. This section describes general rights that apply to many users and then provides specific information for residents of the European Economic Area/United Kingdom (GDPR) and California (CCPA).

General Privacy Choices for All Users:

  • Access and Correction: You can access and update much of your account information directly in the app (for example, your profile data, such as weight or dietary preferences). If any personal information we have about you is inaccurate or has changed, please update it in your account or contact us to request correction. We may ask for verification to ensure the request is legitimate.
  • Account Deletion: You have the right to delete your account and personal data. You can initiate deletion through the account settings in the app (if such option is provided) or by contacting us at privacy@casameal.cc with your request. Upon verification of your identity and deletion request, we will delete or anonymize your personal data from our active systems, except for information we are required to retain for legal or legitimate business purposes (see Data Retention below). Note that deletion is permanent and cannot be undone, your profile, history, and any saved content will be erased, and you will lose access to any paid features unless you subscribe again in the future.
  • Opt-Out of Marketing Communications: If you receive promotional emails from us and no longer wish to, you can unsubscribe at any time by clicking the "unsubscribe" link in those emails or by adjusting your notification settings in the app (if available). Even after you opt out of marketing, we may still send you transactional and service-related communications (e.g., account notices, security alerts, subscription confirmations).
  • Opt-Out of Push Notifications: With your consent, we may send push notifications to your mobile device for things like reminders or updates. If you choose to stop receiving these, you can disable notifications for our app in your device settings.
  • Opt-Out of Personalized Ads: We support the ability to opt out of personalized advertising. If you wish to disable interest-based ads within our app, you can adjust your device's advertising preferences as described above (limiting ad tracking) or use any in-app switch we provide in settings (if available, e.g., "Personalized Ads" toggle). Keep in mind you will still see ads, but they may be less relevant to your interests.
  • Do Not Sell/Share (California and similar laws): We provide a "Do Not Sell or Share My Personal Information" option for users who wish to opt out of certain data transfers that are considered "sales" or "sharing" under U.S. state privacy laws. See the California section below for details on how to exercise this right.

If you have any trouble exercising these general choices through the tools provided, you can always contact us at privacy@casameal.cc for assistance, and we will do our best to honor your request to the extent required and allowed by law.

Rights of Users in the EEA, UK, and Other GDPR Jurisdictions:

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with similar data protection laws, you have the following rights regarding your personal data, under the General Data Protection Regulation (GDPR) or equivalent laws:

  • Right to Access: You have the right to request confirmation of whether we process personal data about you, and if so, to request a copy of the personal data we hold about you. We will provide it in a commonly used electronic form.
  • Right to Rectification: You have the right to request that we correct or update any inaccurate or incomplete personal data concerning you.
  • Right to Erasure: You have the right to request deletion of your personal data, under certain conditions. This is also known as the "right to be forgotten." We will honor such requests to the extent we are not legally required to retain the data. See "Account Deletion" above for general process.
  • Right to Restrict Processing: You can ask us to suspend processing of your personal data in certain situations, for example if you contest the accuracy of the data or have objected to our processing (pending resolution of our assessment of your interests vs. ours).
  • Right to Data Portability: You have the right to request a copy of personal data you have provided to us in a structured, commonly used, machine-readable format, and you can ask us to transmit it to another data controller where technically feasible. This right applies to data we process by automated means, based on your consent or in performance of a contract.
  • Right to Object: You have the right to object, on grounds relating to your particular situation, to our processing of your personal data where that processing is based on legitimate interests. If you object, we will consider whether our compelling legitimate grounds override your rights and freedoms. You also have an unconditional right to object to your data being used for direct marketing purposes at any time (which we will always honor).
  • Right not to be subject to Automated Decision-Making: We do not make any legally significant decisions about you solely by automated means (without human involvement). If that changes, you would have rights related to such profiling or automated decisions.
  • Withdrawal of Consent: In cases where we rely on your consent to process data (e.g., for sending marketing emails or processing health data you provided), you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

Exercising Your GDPR Rights: You can exercise these rights by contacting us at privacy@casameal.cc with the subject "GDPR Data Request" and clearly stating your request. We may need to verify your identity before fulfilling the request (to protect your privacy, we wouldn't want to give your data to an imposter). We will respond to your request within 30 days or as required by law, and will inform you if we need additional time. If you believe we have not complied with your data protection rights, you have the right to lodge a complaint with your local data protection authority (for example, in the EU you can contact the supervisory authority of the country where you live or work, or where we are based; in the UK, this is the Information Commissioner's Office).

Rights of California Residents (CCPA/CPRA):

If you are a California resident, you have specific privacy rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). The rights for California residents include:

  • Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell or share about you. This includes the specific pieces of information we have collected, as well as the categories of sources, the purposes for collecting it, and the categories of third parties with whom we share it. You may request this information for the 12-month period prior to your request, and in certain cases, for information collected beyond that 12-month period.
  • Right to Delete: You have the right to request that we delete personal information we have collected from you (and direct our service providers to do the same), subject to certain exceptions (for example, we may retain data as required by law, or to complete transactions you have requested, or for security purposes). See account deletion above for details on how to request deletion.
  • Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you. As described earlier, you can often do this through your profile, or by contacting us.
  • Right to Opt-Out of Sale or Sharing: You have the right to opt-out of the "sale" or "sharing" of your personal information. The CCPA's definition of "sale" includes any exchange of personal information for valuable consideration (not just money), and "sharing" covers providing data for cross-context behavioral advertising. While we do not sell personal data for money, we may share certain identifiers and usage data with advertising and analytics partners (as described earlier) which could be considered a "sale" or "sharing" under CCPA's broad definitions. You can request to opt-out of such data sharing at any time. See below for how to exercise this right via our "Do Not Sell or Share" mechanism.
  • Right to Limit Use of Sensitive Personal Information: If we collect "sensitive personal information" (SPI) as defined by CCPA (e.g., precise geolocation, health information, etc.), California residents may have the right to direct us to limit the use of SPI to only what is necessary to perform the services or provide the goods. In our case, any sensitive data (such as health metrics you input) is used only to provide the Service (e.g., giving you nutritional guidance) and not for additional purposes like profiling or secondary use. We do not use or disclose sensitive info for purposes that would trigger a "Right to Limit" under CCPA (like using health info for targeted advertising or sharing precise location without consent).
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we won't deny you our services, charge you different prices, or provide a lesser quality of service just because you exercised your privacy rights. However, please note that if you request deletion of data that is necessary to provide the Service, we may not be able to continue providing you with the Service (for example, if you delete your account data entirely, you will not be able to log in or use personalized features).

Exercising Your California Rights: To make a request to know, delete, or correct under CCPA, you (or your authorized representative) can contact us at privacy@casameal.cc with the subject "CCPA Request" and state the nature of your request. We will need to verify your identity to a reasonable degree of certainty before fulfilling such requests (for example, by confirming information we already have on file like your last interaction or a code via email). For an authorized agent making a request on your behalf, we may require proof of the agent's registration with the California Secretary of State (if applicable) or a written authorization and may still ask you to verify your identity directly.

For opt-out of sale/sharing requests, you can click the "Do Not Sell or Share My Personal Information" link on our website footer (if using our website), or use the privacy settings in the app (if provided), or send us an email as described. We also honor Global Privacy Control (GPC) signals, which is a browser setting that signals your desire to opt out of data selling/sharing. If our website detects a GPC signal from your browser, we will treat it as a valid opt-out request for that specific browser or device.

Once you opt out of sale/sharing, we will, as applicable, stop sharing your data with third parties for cross-context advertising and refrain from doing so unless you later opt-in. Note that if you use multiple browsers or devices, you may need to opt out on each one, or log into your account settings which apply globally.

Categories of Personal Information Collected and Disclosed (CCPA): For transparency, in the last 12 months, we have collected the following categories of personal information (as defined by CCPA) from users:

  • Identifiers (like name, email, device IDs);
  • Characteristics of protected classifications under California or federal law (possibly gender or age if provided in profile);
  • Personal information described in the California customer records law (contact details, payment information – though processed by third parties);
  • Internet or other electronic network activity (usage data, interactions with our app/website, cookies);
  • Geolocation data (approximate location from IP);
  • Sensory data (if you uploaded photos, that's a kind of sensory data);
  • Inferences drawn from the above (preferences, behavior patterns to personalize content).

We collect these for the business and commercial purposes described in Section 2 (to provide and improve the Service, etc.). We disclose these categories to service providers and partners as described in Section 3 (e.g., identifiers to payment processors and analytics providers, usage data to advertising partners, etc.). In the past 12 months, we have not sold personal information for monetary value, but we have "shared" identifiers and internet activity with advertising partners for cross-context behavioral advertising (which CCPA terms a "sale/share"). You have the right to opt out of this as described.

If you are a California resident under age 18 and a registered user of our Service, California's "Online Eraser" law (Business & Professions Code § 22581) allows you to request removal of content or information you have publicly posted. However, our Service is not intended for under-18 use without supervision, and we generally do not have public forums where content is posted publicly by minors. If this does apply and you want content removed, please contact us.

Rights of Other Jurisdictions:

  • Nevada Residents: We do not sell personal information for monetary consideration, but Nevada law allows consumers to opt out of future sales. If you are a Nevada resident, you can request to be placed on a do-not-sell list by contacting us.
  • Canadian Users: If Canadian privacy laws apply, you have similar rights to access and correct your data. Our practices are aligned with PIPEDA if applicable. We will not collect, use, or disclose your personal information without your consent, except as allowed by law. Canadian users can contact us with any questions or requests regarding their personal information.
  • Other Locations: If you are in a jurisdiction not explicitly listed here, but your local law grants you certain data rights, we will happily honor valid requests to the extent required by applicable law. You can contact us to inquire about your rights.

We will not charge you for exercising your rights, unless the requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse). We aim to complete requests as soon as possible, typically within 30-45 days. If we need more time, we will inform you of the reason and extension period.

6. Data Security

We take the security of your personal information seriously. We implement a variety of technical, administrative, and physical safeguards designed to protect your data from unauthorized access, use, or disclosure. These measures include:

  • Encryption: We use encryption to protect data in transit and at rest where appropriate. For example, our app and website employ HTTPS/TLS encryption for data transmission, which protects information exchanged between your device and our servers. Sensitive information (such as passwords) is stored hashed or encrypted rather than in plain text.
  • Access Controls: We restrict access to personal data to authorized personnel, contractors, and service providers who need to know that information in order to operate, develop, or improve our Service. All such persons are subject to confidentiality obligations. Administrative access to systems is protected via strong authentication and logging.
  • Secure Infrastructure: Our Service is built on reputable cloud providers (like AWS) that maintain high industry standards for security and comply with relevant certifications. We regularly update our software and systems to apply security patches and mitigate vulnerabilities.
  • Monitoring: We monitor for potential security breaches and have systems in place to detect and respond to suspicious activities. In the event of any data breach that affects your personal information, we will notify you and the appropriate authorities as required by law.
  • Employee Training: Our team is trained on data privacy and security practices. We have internal policies in place to ensure that privacy and security are considered in our product development and operational processes.

Despite all these precautions, no method of transmission over the Internet or electronic storage is 100% secure. Therefore, while we strive to protect your personal data, we cannot guarantee absolute security. It is important that you also play a role in keeping your information safe. Please use a strong, unique password for our Service and do not share it. Notify us immediately if you suspect any unauthorized access to your account.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes we collected it for, including to provide you with the Service and for legitimate business or legal purposes. The criteria used to determine our retention periods include:

  • Duration of Use: We will keep your information for as long as you maintain an account with us or use the Service. Profile information and content you have provided will be kept until you delete the account or we no longer need the data to provide the Service.
  • Consent Duration: If we process personal data based on consent, we retain the data until you withdraw your consent (and then for a short period thereafter to comply with your request).
  • Legal Obligations: We may need to retain certain information to comply with legal and regulatory obligations (for example, records of transactions for accounting/tax, or information related to consumer rights requests to demonstrate compliance with law). Such requirements may apply even if you request deletion of your data.
  • Dispute Resolution and Enforcement: If we need to retain information to resolve disputes, enforce our terms, or investigate misuse of the Service, we will keep the necessary data for the period of time required to address the issue. For example, if an account is terminated for violating terms, we might retain certain information to prevent that user from re-registering, or to comply with law enforcement inquiries.
  • Backup and Archival: Even after you delete information from your account or profile, residual copies may take a period of time to be purged from our active servers and may remain in our backup systems. We maintain backups to ensure service continuity and disaster recovery readiness.

When personal information is no longer needed for the purpose it was collected, and we have no legal obligation to retain it, we will either delete it or anonymize it. If deletion is not immediately possible (for example, because the data is stored in archived backups), we will securely store and isolate it from further processing until deletion is feasible.

8. International Data Transfers

We are a company based in Hong Kong, but our users are global. The personal information we collect from you may be transferred to, stored in, and processed in countries other than your own, including the United States and other jurisdictions where our service providers (such as AWS, OpenAI, etc.) have operations or servers. Data protection laws in these countries may be different from, and less protective than, the laws in your country.

However, we take steps to ensure that your data is handled securely and in accordance with this Privacy Policy and applicable law, wherever it is processed. Measures we rely on may include:

  • Contractual Safeguards: If you are in a region like the EEA or UK, we may rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms when transferring your data to countries not deemed adequate by the European Commission. These clauses contractually obligate the recipient of your data to protect it to EU standards.
  • Service Provider Assessments: We choose reputable service providers in jurisdictions with robust security practices. We also include data protection addendums in our contracts with them where needed.
  • Your Consent: In some cases, we may ask for your consent to transfer your information to a third country if no other legal mechanism is available and required by law (for example, if you're using the Service from the EU and data must go to a third country, we might rely on your explicit consent as a last resort).
  • Adequacy Decisions: Where applicable, we may transfer data to countries that have been officially deemed to provide an adequate level of data protection by relevant authorities (though currently the U.S. does not have a blanket adequacy decision, specific frameworks like the EU-U.S. Data Privacy Framework might be used once fully in force if applicable to our context).

By using our Service, you acknowledge that your personal information may be transferred to our facilities and those third parties with whom we share it as described in this Policy, which may be located in jurisdictions other than your own. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

If you have questions about our international data handling, or need more information about the safeguards in place, please contact us.

9. Children's Privacy

No Use by Children: Our Service is not intended for children under the age of 13, and we do not knowingly collect personal information from anyone under 13. If you are under 13, do not use the Service or provide any information about yourself (such as your name, address, or email). If we learn that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information as soon as possible.

For minors above 13 but under the age of majority (for example, 13-17 in many jurisdictions), the Service should only be used with the consent and involvement of a parent or guardian, as stated in our Terms. We expect any minors in that range who use the Service to do so under parental supervision and with their guardian's consent to this Privacy Policy.

Parental Controls: If you are a parent or guardian and you are aware that your child has provided us with personal information without your consent, please contact us immediately at privacy@casameal.cc. We will work with you to remove that information and terminate the child's account if needed. We encourage parents to educate their children about online safety and to monitor their children's use of internet-connected devices and services.

Because we do not knowingly collect data from children, we do not have specific processes for parental access, deletion, or opt-out for child users beyond what is stated. If that ever changes, we will update this policy accordingly.

10. Do Not Sell or Share My Personal Information (For California and Similar Laws)

Under certain privacy laws (like the CCPA/CPRA in California and similar laws in other states), you have the right to direct us not to sell or share your personal information to third parties for valuable consideration or for cross-context behavioral advertising purposes.

As stated earlier, we do not sell your personal information for money. However, we do use third-party advertising and analytics services that involve sharing some data (like identifiers and usage information) which could be considered a "sale" or "sharing" under the law's broad definitions.

California residents (and those in jurisdictions with similar rights) can exercise this right by using the following methods:

  • Clicking the "Do Not Sell or Share My Personal Information" link on our website (typically found in the footer). That will take you to a web page or interface where you can opt out of the sharing of your data for advertising. If we have a web form, you can fill it out to submit your request.
  • If you have an account with us, you may also find a privacy setting or toggle within your account preferences in the app or on our website labeled "Do Not Sell/Share" or "Opt Out of Personalized Ads". Enabling this option will record your preference and we will stop sharing your data with advertising partners (after processing your request).
  • You can also send an email to privacy@casameal.cc stating that you want to opt out of the sale/sharing of your data. Make sure to include your name, associated email, or account info so we can identify you. Once we verify the request (to ensure it's really you), we will implement the opt-out.
  • Additionally, as mentioned, we honor Global Privacy Control (GPC) signals. If your browser has GPC enabled, our website will treat it as a valid opt-out for that browser by automatically disabling third-party tracking cookies on our site that would be considered sale/sharing.

Once we receive your opt-out request, we will stop sharing your personal information with third parties for advertising purposes as soon as feasibly possible (and at most within the timeframe required by law). Note that if you use multiple devices or browsers, you may need to submit separate opt-outs for each, or ensure you are logged in so that we can apply it to your account globally.

After you opt out, you may still see ads, but they will be generic rather than tailored to your interests based on data from our Service. Also, remember that this opt-out is specific to our Service's data practices – you might need to separately opt out of other companies' selling/sharing via tools like the Digital Advertising Alliance's opt-out portal for a more comprehensive approach.

We will not reduce the quality of our Service or discriminate against you for opting out of the sale/sharing of your personal information.

For further details or any issues with exercising this right, please contact us as provided in the Contact section.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will:

  • Change the "Effective Date" at the top of this Policy to indicate when the revisions were last made.
  • In the case of significant or material changes, we may provide a more prominent notice (such as an email notification to registered users or an in-app alert) to inform you of the update.
  • In some instances, if required by law, we may seek your consent to substantial changes that affect how we use your data.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after any changes to this Policy constitutes your acceptance of the updated terms, to the extent permitted by law.

If you do not agree with any updates or changes, you should stop using the Service and, if you wish, delete your account or exercise your data rights as described above.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us:

Email: privacy@casameal.cc (for general privacy inquiries or to exercise rights)

Postal Mail: Lux Mentis Limited, UNIT 1806, 18/F., 9 WING HONG STREET, CHEUNG SHA WAN, HONG KONG.

Data Protection Officer: Not Applicable (Note: As a Hong Kong company, we are not be legally required to appoint a DPO under GDPR unless we engage in large scale sensitive processing; if we do have one, their contact info would be listed here.)

We will address your inquiry as promptly as possible. If you contact us to exercise a privacy right, please include sufficient information for us to verify your identity (such as the email associated with your account and a description of your request).

Thank you for trusting us with your personal information. We are committed to safeguarding your privacy and providing a safe, transparent experience.