Privacy Policy (Draft)

Last Updated: January 24, 2026

Curly's technology Tmi ("we," "us," or "Maku"), located in Helsinki, Finland, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use the Maku iOS application ("App") and our services.

By using Maku, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

To provide you with accurate food analysis, we process the following types of data:

A. Health & Dietary Preferences (Sensitive Data)

To analyze food suitability, you provide us with specific health data, including:

• Dietary restrictions (e.g., Vegan, Keto).
• Allergies and intolerances.
• Religious dietary requirements (e.g., Halal, Kosher).
• Health goals.

We process this sensitive data solely to provide the core functionality of the App based on your explicit configuration.

B. User Content (Images)

• Photographs: We collect images of food packaging (ingredients lists, nutritional tables) that you capture via the App.
• Text Data: We extract text from these images using Optical Character Recognition (OCR) technology.

C. Account & Identity Information

• User UUID: A unique anonymous identifier assigned to your installation.
• Apple ID / Email: If you choose to link your account or sign in via Apple.
• Subscription Status: Data regarding your Free or Pro status (processed via Apple StoreKit).

D. Technical & Device Data

• Device Information: Model, iOS version, language settings, and region.
• Security Tokens: We use Apple’s App Attest API to verify that requests originate from a legitimate version of our App. This involves cryptographic keys but does not track your identity across other apps.
• Attribution Data: We may process limited data from Apple Search Ads to understand how you found our App (via AdServices).

2. How We Use Your Information

We use your data for the following specific purposes:

• Food Analysis (AI Pipeline): To analyze ingredients and detect hidden additives, allergens, or non-compliant ingredients based on your profile.
• Service Improvement: To refine our recognition algorithms and database (e.g., identifying common OCR errors).
• Security: To prevent fraud, abuse, and unauthorized access using App Attest and Rate Limiting.
• Subscription Management: To verify your purchase status and manage access to Pro features.

3. AI and Third-Party Processing

Important: To perform the analysis, your images and extracted text are processed by Artificial Intelligence models.

We share data with the following categories of third-party service providers:

• AI Providers (LLMs): We transmit text and images to providers such as OpenAI, Google (Gemini), or OpenRouter to generate the analysis report. These providers are not permitted to use your data to train their models.
• Cloud Infrastructure: Our servers and databases are hosted securely (e.g., Hetzner, MongoDB) within the European Economic Area (EEA) where possible.
• Storage: Images are stored in secure object storage (Minio).

4. Data Retention and Deletion

We retain your personal data only as long as necessary to provide the Service.

Your Right to Delete (Right to be Forgotten):

You have full control over your data. You can delete your entire account, including scan history, health profile, and images, directly within the App:

Go to Profile > Delete Account.

This triggers an immediate cascade deletion of your data from our databases (Users, Analyses, Images).

5. GDPR Rights (EEA Users)

Under the General Data Protection Regulation (GDPR), you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Correct inaccurate data (you can do this in the Profile settings).
• Erasure: Request deletion of your data.
• Restriction: Restrict how we process your data.

To exercise these rights beyond the in-app controls, contact us at support@makuapp.ai.

6. Security

We implement industry-standard security measures, including:

• Encryption: All data is transmitted via HTTPS/TLS.
• Access Control: Strict limitations on who can access internal databases.
• App Integrity: Use of Apple App Attest to ensure request authenticity.

However, no method of transmission over the internet is 100% secure.

7. Children's Privacy

Our Service is not directed to children under the age of 13. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete such information.

8. Contact Us

If you have questions about this Privacy Policy, please contact the data controller:

Curly's technology Tmi
Helsinki, Finland
Email: support@makuapp.ai