Privacy Policy

Last updated:


  1. ABOUT THIS POLICY

Lime Health Inc. (“Lime Health,” “we,” or “our”) takes the protection of your privacy very seriously. That is why this privacy policy (the “Policy”) provides you with information about how we collect, use, and disclose (collectively, “process,” “processed,” “processing”) your personal information when you use our Emilia Notes platform, an AI-powered smart note-taker for patients (the “Application”), the emilianotes.com website (the “Website”), and any interaction with an employee, representative, or authorized subcontractor of Lime Health, including via email, phone, in person, or via videoconference. However, this Policy does not apply to third-party content and platforms accessible through our Application, including via third-party links or features. These third parties may process your personal information in accordance with their respective privacy policies. We are not responsible for such processing, and we encourage you to carefully review the policies of these third parties. 

In addition to the other applicable provisions of this Policy, if you reside in the United States, Europe, the United Kingdom, or Switzerland, you may have additional rights under European laws, where applicable. You will find additional information regarding these rights in the respective appendices titled “United States,” “Europe,” and “Switzerland.

By accessing our Website or using the Application, you acknowledge that you have read this Policy and freely, knowingly, and specifically consent to the collection, use, and disclosure of your personal information as described below. You may withdraw your consent at any time by changing your preferences in the Application settings or by contacting us at the address provided in the “Contact Us” section.

  1. PERSONAL INFORMATION

For the purposes of this policy, “Personal Information” refers to any information relating to a natural person that allows, directly or indirectly, the identification of that person. Personal Information includes Health Information (as defined below). However, laws applicable in certain jurisdictions, including Canada and Quebec, may not consider professional contact information to be personal information. In these jurisdictions, Personal Information therefore does not include professional contact information, such as your name, title, or business contact details, when used in a strictly professional context. Personal Information also excludes information that has been anonymized or aggregated in a manner that is irreversible and in accordance with the criteria established by applicable laws and regulations. 

When you use the Application and/or the Website, we may collect the following Personal Information:

  • Your contact information, such as your last name, first name, email address, mailing address, and phone number, to identify you and communicate with you; 

  • Your login and usage information for the Application, such as the date you registered for the Application, your username, your password, your IP address (anonymized prior to processing and storage), and information regarding your browser or the device used; 

  • Technical information regarding your use of our services, such as the pages viewed, session duration, your clicks, and your interactions with our services;

  • Data related to cookies and identifiers, as described in the “Cookies and Similar Tools” section;

  • When you use the Application, sound recordings, voice recordings, or audio files related to you, as well as the associated information and metadata; 

  • When you use the Application, health information that includes all Personal Information related to your health, including diagnoses, medical history, test results, treatments, care received, and any Personal Information related to your health discussed between you and your healthcare provider during the recording of the consultation (the “Health Information”). 

  • Any other Personal Information that you have provided to us or for which you have consented to its disclosure.

  1. HOW DO WE COLLECT YOUR PERSONAL INFORMATION? 

Directly from you

Generally, we obtain the Personal Information we need directly from you, for example when you fill out registration forms on the Website or the Application, when you contact us, or when you use the Application or the Website. We may also collect your Information directly from you through audio recordings, audio data processing, and voice exchanges. For more information about audio recordings, please see the “Voice Recording Features” section.

On a legal basis such as your consent

The legal basis for processing your Personal Information is generally consent, unless applicable law provides for another permissible legal basis (for example, to comply with our legal obligations, when necessary to establish, exercise, or defend a legal claim or legal proceeding). 

When the processing involves Health Information, such information is collected and processed only with the express, free, informed, and specific consent of the individuals concerned. You may withdraw your consent to the processing of your Health Information at any time, in accordance with the terms set forth in this Policy.

Your consent to the processing of your Personal Information will be renewed in each of the following circumstances: (i) when Lime Health makes a significant change to this Policy, the Application’s Terms of Use, or the Cookie Policy. In such a case, Lime Health will inform you of the nature of the changes made and will request your renewed consent before continuing to process your Personal Information; (ii) when a period of twelve (12) months has elapsed since the date on which you last gave or renewed your consent.

If you do not renew your consent within the timeframes set forth above, Lime Health will cease processing your Personal Information for the purposes requiring your consent, subject to its legal retention obligations and any other applicable legal basis permitting the continuation of processing.

By a business partner, with your consent

Subject to your consent with third-party partners, such as Third-Party Authentication Services (as defined in the “Third-Party Authentication Services” section), we may collect your Personal Information directly from these third-party partners, who may submit any information you have provided to them and that they make available to us, with your consent. 

Refusal of Collection and Withdrawal of Consent

You have the right, if you wish, to refuse the processing of your Personal Information. You may also, at any time, and subject to reasonable notice and any applicable legal or contractual restrictions, withdraw your consent (if applicable) to the processing of your Personal Information in our possession by contacting us. You should be aware, however, that if you choose not to provide your Personal Information, this may prevent you, for example, from using the Application, as this information is essential for accessing it. You may contact us as indicated in the “Contact Us” section to submit any requests in this regard.

  1. WHY DO WE COLLECT AND USE YOUR PERSONAL INFORMATION? 

We collect only the Personal Information necessary to achieve the following objectives:

  • To provide access to the Application, its features, and its products;

  • To process transactions and manage billing; 

  • To provide support to users of the Application or the Website; 

  • Respond to your questions, requests, comments, or complaints;

  • Develop new features and products for users;

  • Personalize your experience on the Application;

  • Prevent and detect fraud, abuse, or suspicious activity;

  • Conduct statistical analyses and market research;

  • To personalize the content available to you on the Application;

  • To protect our legal rights and comply with our legal and regulatory obligations; 

  • Any other use for which you have given your consent, including communications via newsletters.

We do not use automated decision-making processes, including profiling, for decisions that produce legal effects concerning you. However, certain features of Lime Health rely on artificial intelligence algorithms to assist you in mapping processes and identifying opportunities for improvement. You will be notified of any recommendations generated automatically by artificial intelligence, and you will be able to request further details regarding the explainability of the generated decision or opt out of using certain features that incorporate artificial intelligence. 

  1. WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

Lime Health does not rent or sell any of your Personal Information to third parties and will not share it with third parties without your consent, unless required by law or for the purposes set out above. Lime Health will only share your Personal Information as follows:

  • With our employees. As part of their work, our employees may need to access your Personal Information, for example when you contact us for assistance. Their access is limited to what is necessary for the performance of their duties.

     

  • With our strategic partners. Lime Health may share your Personal Information with its partners, service providers, and vendors, including but not limited to Google Cloud Platform, Firebase, Google Analytics, AppsFlyer, and Sentry, to the extent that such disclosure is necessary for the purposes listed above. When Lime Health shares your Personal Information with third parties, it implements reasonable contractual and technical safeguards to ensure that these third parties maintain the confidentiality of all Personal Information they process (to the extent required by applicable laws). 

    It is understood that these third-party service providers do not have access to any medical data, are unable to listen in on your consultations, and cannot view the summaries generated by the Application. Furthermore, no identifiers that could be used to individually recognize or track a user are transmitted to them for targeted advertising purposes, provided that your device’s privacy preferences are enabled. The data shared with them remains strictly aggregated, anonymized, and non-identifiable.

    Please note that these third parties may be located in countries other than your own, in which case Lime Health takes appropriate measures, as outlined below in the section “Where do we transfer your Personal Information?”


  • With third parties you have designated. The Application may include features that allow you to share your data and results generated by the Application with third parties or via external services. You acknowledge that Lime Health has no control over the choice of recipients or the use made of your data and results once shared, and cannot be held responsible for the confidentiality, security, or use of such information outside the Application. Any sharing via external services is subject to the terms and conditions of those third-party services, and you are responsible for complying with them.

  • When required by law. Lime Health may share your Personal Information if required by law or if it believes in good faith that such action is necessary to: (a) comply with the law; (b) comply with an order from a competent judicial authority in any jurisdiction; (c) comply with a legal proceeding served on Lime Health; (d) protect and defend the rights or property of Lime Health; (e) enforce or verify your compliance with any part of the agreements you have entered into with Lime Health, if applicable; (f) prevent fraud or any other illegal activity perpetrated via the Application; or (g) act in urgent circumstances to protect the personal safety of Application users or the general public.

  • Business Transfers. We may share your Personal Information without your consent when our business operations require it (for example, in the event of a merger, acquisition, bankruptcy, or sale of assets). In such situations, we may also share all or part of your Personal Information with the relevant third party (or its advisors) as part of a due diligence process.

  1. THIRD-PARTY AUTHENTICATION SERVICES

We may offer you the option to create an account or log in to the Application using your credentials from third-party service providers, such as Google, Apple, Facebook, or any other provider we may integrate at our discretion (collectively, the “Third-Party Authentication Services”). By choosing to authenticate through a Third-Party Authentication Service, you acknowledge and agree that: (i) your use of these services remains governed by the terms of use and privacy policies of these third-party providers, which are independent of this Policy; and (ii) Lime Health has no control over the Third-Party Authentication Services and disclaims all liability for their availability, operation, security, or any harm arising from their use, malfunction, or unavailability, including any harm that may be related to their failure to comply with legislative or regulatory requirements regarding the protection of Personal Information or Health Information.

  1. WHERE DO WE TRANSFER YOUR PERSONAL INFORMATION?

The Personal Information we collect is stored in secure systems that may be hosted in Canada, or in the United States for UserIDs and phone numbers, which may include servers located outside your jurisdiction of residence. We may also engage the services of agents and service providers who may be located outside of Canada. However, we strive to protect the Personal Information under our control, including Personal Information entrusted to an agent or service provider, whether they are located in Canada or in other jurisdictions or countries. In particular, we strive to limit their access to Personal Information to what is necessary to perform their assigned duties. These providers must also maintain internationally recognized certifications regarding the protection of personal information, such as ISO 27001 certification or any other equivalent certification. Please note that we also enter into contractual agreements, such as data processing agreements, with these agents and service providers to ensure the confidentiality and security of your Personal Information, and that we conduct privacy assessments prior to such transfers in accordance with applicable legal requirements. This may include the implementation of robust and effective security measures. If you have any further questions on this matter, you may contact us as indicated in the “Contact Us” section.

  1. HOW DO WE PROTECT YOUR PERSONAL INFORMATION? 

With Necessary and Appropriate Security Measures

We strive to implement necessary and appropriate security measures and policies, based on the sensitivity of the information, to ensure the confidentiality of Personal Information in our possession or under our control, including, without limitation, conducting privacy impact assessments for the processing of Health Information . In doing so, we follow generally accepted industry standards. Personal Information under our control is therefore accessible only to individuals who are authorized to access it, who are bound by confidentiality agreements, and who access it only when necessary to perform their duties. Appropriate physical, technical, and administrative security and protection measures have been implemented and are maintained to minimize the risk of incidents. These measures include, for example, restricted access to premises and Personal Information; encryption of data in transit and at rest; access and permission management; activity logging; security incident response protocols; maintenance of internationally recognized certifications regarding the protection of Personal Information; and notification in the event of a privacy incident, in accordance with applicable laws. The Application’s security mechanisms are subject to regular audits, including penetration tests. IP addresses are anonymized prior to any processing; no UserID, DeviceID, or identifier that could identify you or link analytical data to your profile or Health Information is transmitted to analytics platforms, and the transmitted data remains strictly aggregated and non-identifiable, and does not allow for the identification of a user or the linking of an analytics session to a medical consultation.

Lime Health is committed to promptly addressing any identified vulnerabilities. It should be noted, however, that no method of transmission over the Internet or electronic storage is completely secure or error-free. Although we implement rigorous security measures to protect your Personal Information, no data transmission or storage system is entirely infallible. We are, however, committed to doing everything reasonably possible to ensure the protection of your information. You acknowledge that the security of online transactions and the security of communications sent electronically or by mail cannot be guaranteed. You provide information to us via the Internet or by mail at your own risk. We encourage you to exercise caution when using the Internet.

Payment Information

The financial information you provide at the time of payment is that required by our payment solutions partner. This information is processed separately by an encrypted payment module, in accordance with security and encryption standards in force in the payments industry (e.g., the PCI SSL standard). No information regarding your payment card is collected or stored by Lime Health. 

Children’s Privacy

Lime Health does not knowingly process Personal Information from minors under the age of sixteen (16) without the prior and explicit consent of the parent or legal guardian. If you believe that Personal Information has been collected from minors under the age of sixteen (16) without the necessary consents, you may contact Lime Health as indicated in the “Contact Us” section.

If you believe your Personal Information has been compromised, please contact our Privacy Officer as described in the “Contact Us” section.

Respecting Your Device’s Privacy Preferences

Lime Health automatically respects the privacy settings you have configured on your mobile device, such as the “Do Not Track” feature. If any of these settings are enabled, data collection is automatically restricted to essential technical data only, such as error diagnosis and Application performance measurement. No data related to marketing or the personalization of communications is collected in such cases.

Security Incident Management

In the event of actual or suspected unauthorized access to confidential information or the Application’s systems, Lime Health will implement a formal process to contain, analyze, correct, and document the incident, in compliance with applicable laws. When Lime Health determines that unauthorized access has occurred, it undertakes to promptly notify you if you are affected by the unauthorized access or are likely to suffer harm as a result. Upon discovery of any unauthorized access, Lime Health commits to immediately taking steps to: (i) terminate the unauthorized access; (ii) manage and mitigate the impact of the unauthorized access; and (iii) develop a strategy to prevent unauthorized access in similar circumstances.

  1. RETENTION AND DESTRUCTION

Your Personal Information will be retained only for as long as necessary to fulfill the purposes for which it was collected, or in accordance with Lime Health’s legitimate interests, or to comply with applicable legal, tax, or regulatory requirements. At the end of this period, we will endeavor to destroy or anonymize this information. The original data captured through the Application, namely the Audio Files (as defined below), are deleted within a maximum of twenty-four (24) hours following their collection. 

To determine the appropriate retention period for your Personal Information, we take into account the amount, nature, and sensitivity of the Personal Information in question, the potential risk of harm resulting from unauthorized use or disclosure of your Personal Information, the purposes for which we process your Personal Information and the possibility of achieving those purposes by other means, as well as any applicable legal, tax, or regulatory requirements. 

  1. WHAT ARE YOUR RIGHTS?

Depending on applicable law, you may have certain rights regarding your Personal Information, such as the right to data portability, the right to access or correct your Personal Information, and the right to withdraw your consent (where applicable). To exercise any of these rights (to the extent they are available), please contact us at the address listed in the “Contact Us” section. 

In addition, you may file a complaint with Lime Health’s Privacy Officer if you are dissatisfied with how we process your Personal Information or with our compliance with this policy. The law also allows you to file a complaint with a privacy commissioner or any other competent supervisory authority responsible for the protection of Personal Information. 

  1. COOKIES AND OTHER SIMILAR TOOLS

A cookie is a small text file that is stored in a dedicated location on your computer, mobile device, tablet, or other device when you use your browser to visit an online service. Other tracking technologies, such as web beacons and tracking pixels, may be used for similar purposes. In this policy, all such tracking technologies are collectively referred to as “cookies.” All Personal Information collected through the use of cookies by or on behalf of Lime Health is treated with the same level of confidentiality as any other Personal Information held by Lime Health.

Please review our Cookie Policy to learn about the collection and use of your Personal Information via cookies, available at: https://emilianotes.com/en/cookie-policy

  1. VOICE RECORDING FEATURES

Lime Health, acting as a service provider, may, through the Application, provide audio recording, AI-powered transcription, and transcription diagramming features to help you track consultations, conversations, or voice communications, particularly with your healthcare professional (collectively referred to as “Voice Recording Features”). When you use the Voice Recording Features, sensitive Personal Information may be processed, as applicable, including your voice, Health Information, or any other information you may disclose while using the Voice Recording Features. Lime Health does not collect any Personal Information resulting from the Voice Recording Features without first obtaining your explicit, informed, specific, and time-limited consent.

In the interest of transparency, you are always notified, via a visual and/or audio indicator, when the Voice Recording Features are activated . Additionally, before using the Voice Recording Features, you must ensure that you have obtained the consent of any person whose voice or personal information may be captured during the recording. In the absence of such consent, you must not use the Voice Recording Features. Lime Health disclaims all liability with respect to Voice Recording Features used without the consent of the individuals concerned.

You may at any time refuse collection via the Voice Recording Feature and request an alternative method for entering your information.

In all cases, Lime Health will retain the original Audio Files for a maximum period of twenty-four (24) hours. You may request the deletion of specific segments of the Audio Files by submitting a written request to [email protected] . Lime Health will endeavor to respond to such requests within a reasonable timeframe, subject to legal retention obligations and technical limitations. For the purposes hereof, an “Audio File” means any data consisting of sound or voice content, including, in particular, any recording made using the Voice Recording Feature, which is transmitted, provided, or stored in digital format in connection with the use of the Application, by you or on your behalf.

Please note that we do not use Personal Information obtained through the Voice Recording Features for the training, improvement, or development of artificial intelligence models without your consent. 

  1. CONTACT US

You may contact us to exercise your rights or if you have questions about our practices, procedures, and policies regarding the protection of Personal Information. You may also contact us if you need assistance exercising or understanding your choices regarding the protection of your Personal Information. We will inform individuals who make inquiries or file complaints of the existence of the relevant procedures. Lime Health will review all complaints. If a complaint is deemed justified, we will take appropriate action, including, if necessary, modifying our policies and practices. Please feel free to contact us with any questions, inquiries, comments, or complaints regarding your Personal Information.

The person responsible for ensuring compliance with and implementation of this policy, including the handling of rights and complaints, is our Privacy Officer, whose contact information is as follows:

Privacy Officer

Lime Health Inc.

Jonathan Santerre

212 du Grand-Hunier, Saint-Augustin-De-Desmaures, 

Quebec, G3A 2J2, Canada 

[email protected]

1-877-503-LIME

  1. CHANGES TO THIS PRIVACY POLICY

We reserve the right to modify this policy at any time. We therefore encourage you to review it regularly. Changes to this policy will be posted on our Application and on our Website in the form of an updated policy and will take effect upon posting. If we make significant changes to this policy, we will notify you by posting a notice on our Application, our Website, or via email. However, in all other cases, the publication of a new version of the policy on our Application and on our Website or your continued use of the Application or the Website will be sufficient to notify you of the changes made to the policy and to obtain your consent to them.


APPENDIX 1 – UNITED STATES

This appendix applies solely to the collection and processing of “personal information” as defined by U.S. law. This term refers to any personal information relating to an individual located in the United States, including California, whether or not that individual is a U.S. citizen. This section applies to you if you are located in the United States. It does not apply if you are outside the United States, even if you are a U.S. citizen. It is current as of Apr. 15 2026

1. What personal information is collected?

Although our processing of personal information varies depending on our relationship and interactions with you, in this section we describe, in general terms, how we have collected and disclosed personal information during the twelve (12) months preceding the last update of this Appendix. For more information, please refer to the sections “Personal information”, “How Do We Collect Personal Information?” and “Why Do We Collect Personal Information?” Below, we identify the categories of personal information (as defined by applicable U.S. laws) that we collect about U.S. residents.

Identifiers: include direct identifiers, such as name, username, account number, or unique personal identifier; email address, phone number, address, and other contact information; IP address prior to anonymization and other online identifiers.

User Accounts: include personal information, such as name, account name, contact information, professional information, account number, and financial or billing information, that individuals provide to us when accessing our Application.  

Commercial Information: includes records of products or services purchased, obtained, or considered, or other purchase or usage histories or trends.

Usage Data: includes browsing history, navigation path data, search history, access logs, and other usage data and information regarding interaction with our Application and Website, our marketing emails, and our online advertisements.

Sensitive personal information: includes personal information related to your health, diagnoses, medical history, test results, treatments, and care you have received.

2. Is your personal information sold?

In accordance with U.S. privacy laws, your Personal Information will never be sold to third parties.

Our Website and Application are not intended for minors, and we do not knowingly collect, let alone sell, any personal information from minors under the age of sixteen (16) through our websites. However, if the parent or guardian of a minor under the age of sixteen (16) believes that the minor has provided us with personal information without the prior and explicit consent of the parent or legal guardian, they should contact us at [email protected] to request the removal of such information from our records.

3. Your Rights 

In accordance with U.S. laws, you may have certain rights regarding your personal information, including the rights listed below. To exercise these rights, please contact us at [email protected] .

Access: You have the right to request, in accordance with applicable laws, that we disclose to you the personal information we have collected, used, shared, and sold (if applicable) about you over the past twelve (12) months. You may request information prior to this period, and we are required to provide it to you, provided that it is feasible to obtain and does not require a disproportionate effort. 

Deletion: You have the right to request that we delete certain personal information we have collected about you. 

Opt-out of Sale or Sharing: You have the right to opt out of the sale or sharing of your personal information. 

Request for Transparency (or Shine the Light): You may also have the right to request that we provide you with (i) a list of certain categories of personal information we have disclosed to third parties for direct marketing purposes during the preceding calendar year and (ii) the identity of those third parties.

Correction of Inaccurate Personal Information: You have the right to request that we correct any inaccurate personal information, taking into account the nature of the personal information and the purposes for which the personal information is processed. We will make every reasonable effort to correct inaccurate personal information in accordance with your instructions, subject to applicable U.S. laws.

Freedom from Discrimination: You have the right not to be discriminated against in connection with the exercise of your rights.

4. Hosting of Your Personal Information

The personal information of users located in the United States, including Health Information as defined in this Policy, is hosted on servers in Canada or the United States, for UserIDs and phone numbers. 

In connection with the operation and maintenance of the Application, certain personal information may be accessed from Canada by authorized Lime Health personnel. This right of access is governed by appropriate contractual, technical, and organizational measures, in accordance with applicable U.S. laws regarding the protection of personal information. 

In any event, Lime Health undertakes that no health data will be transferred or hosted outside the territory of Canada without the explicit consent of the data subject and without the implementation of appropriate safeguards in accordance with applicable laws.

5. Anonymous Visits to the Website

Users of the Website may visit our Website anonymously. 

Our link to the “Privacy Policy” page includes the word “Privacy” and can be easily found on the page specified above. You will be notified of any changes to this Policy on our Privacy Policy page.  

You can modify your personal information: 

  • By sending us an email;

  • By calling us.

6. How does our Website handle “Do Not Track” signals?

We honor “Do Not Track” signals; we do not set cookies and we do not use advertising when a “Do Not Track” browser mechanism is in place.

7. Does our Website allow third-party behavioral tracking?

No. It is also important to note that we do not allow third-party behavioral tracking.

8. Fair Information Practices

The principles of fair information practices form the backbone of privacy legislation in the United States, and the concepts they encompass have played a significant role in the development of data protection laws worldwide. Understanding the principles of fair information practices and how they should be implemented is essential to complying with the various privacy laws that protect Personal Information.  

To comply with Fair Information Practices, we will take responsive measures. In the event of a breach involving your personal information, we will notify you in written form, including via email or via notification in the Application, as promptly as possible and without unreasonable delay following the breach .   

We also accept the principle of individual redress, which requires that individuals have the right to legally enforceable rights against data collectors and processors who do not comply with the law. This principle requires not only that individuals have enforceable rights against data users, but also that they have recourse to courts or government agencies to prosecute and/or investigate non-compliance by data processors.


APPENDIX 2 – EUROPE 

This appendix applies solely to the collection and processing of “personal data” within the European Union (“EU”). This term refers to any personal information relating to a person located in the EU, whether or not they are a citizen of a member state. This section applies to you if you are located in an EU country. It does not apply if you are outside the EU, even if you are a citizen of a member state.

For the purposes of this appendix, the term “processing” has the meaning given by the General Data Protection Regulation (the “GDPR”) and includes any operation or set of operations performed on EU personal data, such as: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

The EU personal data we process may come directly from you, from a third party (for example, our European partners), or result from your use of our services.

We process this data in accordance with this appendix and our Policy. In the event of any conflict between this appendix and other sections of the Policy regarding the processing of EU personal data, this appendix shall prevail. It is current as of Apr. 15 2026.

1. Principles of the GDPR

All personal data will be:

  • Processed lawfully, transparently, and fairly;

  • Collected solely for the purposes identified in the Policy or for any other agreed-upon purpose, without further processing incompatible with those purposes;

  • Adequate, relevant, and limited to what is necessary in light of the purposes pursued;

  • Kept up to date in accordance with the “How do we protect your information?” section of the Policy;

  • Retained in a form that permits identification only for as long as is necessary for the intended purposes;

  • Stored and processed securely to prevent unauthorized access, loss, damage, or accidental disclosure, in accordance with the Policy.

2. Legal Bases for Processing

We collect and process personal data only if we have a legal basis to do so, including:

  • Your consent;

  • The necessity of processing to fulfill a contract with you (for example, providing the requested services);

  • The necessity of processing for the “legitimate interests” of Lime Health, provided that these interests do not override your rights and freedoms. Certain legitimate interests are specified in the “Why do we collect Personal Information?” section of the Policy.

When we rely on your consent, you may withdraw, restrict, or refuse it at any time. When we rely on a legitimate interest, you may object to it. For any questions regarding legal bases, please refer to the “What are your rights?” section of the Policy.

We do not use automated decision-making, including profiling, for decisions that produce legal effects on you.

3. Rights of Data Subjects

In addition to the rights set forth in the Policy, you have the following rights regarding your personal data:

  • Access and portability: You may request a copy of your data (as well as any information provided for under Article 15 of the GDPR) and receive this data in a structured, commonly used, and machine-readable format, including for the purpose of transferring it to a third party.

  • Restriction and objection: You may request the restriction or cessation of the processing of your data, particularly if you believe that such processing is unlawful or if it is used for direct marketing purposes.

4. Responsibilities as a Data Controller

In general, we act as the “data controller” for personal data. In this capacity, we:

  • Explain, in this Policy, how we collect, store, disclose, and process this data;

  • Only appoint processors under agreements compliant with the GDPR;

  • Maintain a record of processing activities when required;

  • Cooperate with the competent authorities;

  • Implement appropriate technical and organizational measures to protect the data and report any breaches in accordance with the “How do we protect your information?” section of the Policy.

5. Disclosure to Third Parties

If we need to disclose your data to third parties (including processors), we require them to comply with the GDPR. In the event of a transfer outside the EU, this will be carried out within the scope of the lawful performance of our services.

6. Hosting of Personal Data

The personal data of users located in the EU, including Health Information as defined in this Policy, is hosted exclusively on servers located within Belgium, with the exception of UserIDs and phone numbers, which are hosted in the United States. However, as part of the operation and maintenance of the Application, certain personal data may be accessed remotely from Canada by authorized Lime Health personnel. These rights regarding data storage and access are governed by appropriate contractual, technical, and organizational measures and is based, in particular on the adequacy decision issued by the European Commission regarding Canada and the United States, recognizing a sufficient level of protection within the meaning of the GDPR. In any event, Lime Health undertakes that no health data will be transferred or hosted outside Belgium without the explicit consent of the data subject and without the implementation of appropriate safeguards in accordance with Articles 46 et seq. of the GDPR.

7. Consent to Transfer

By accepting this Policy, you consent to the transfer of your personal data to third parties located outside the EU. You acknowledge that we are not responsible for such third parties’ compliance with their obligations under the GDPR.

For any comments, questions, or complaints regarding the processing of your personal data, or to exercise your rights, please use the contact information provided in the “Contact Us” section of the Policy. Your requests will be handled in accordance with the “What are your rights?” section.

8. European Representatives

You may also use the contact details of our representative in Europe:

Contact Information for the European Representative

EDPO

71 Avenue Huart Hamoir, 

1030 Schaerbeek, Belgium 

Online form available at: https://edpo.com/gdpr-data-request/


APPENDIX 3 – SWITZERLAND 

This appendix applies solely to the collection and processing of “personal data” in Switzerland. This term refers to any personal information relating to an individual located in Switzerland, whether or not they are a citizen of Switzerland. It does not apply if you are outside of Switzerland, even if you are a Swiss citizen. 

For the purposes of this appendix, the term “processing” has the meaning given by the Federal Act on Data Protection (FADP) and includes any operation or set of operations performed on personal data from Switzerland, including: the collection, recording, storage, use, modification, disclosure, archiving, erasure, or destruction of data.

The Swiss personal data we process may come directly from you, from a third party (for example, our Swiss partners), or result from your use of our services.

We process this data in accordance with this appendix and our Policy. In the event of any conflict between this appendix and other sections of the Policy regarding the processing of personal data, this appendix shall prevail. It is current as of Apr. 15 2026.

1. Principles of the FADP

All personal data will be:

  • Processed lawfully, transparently, and fairly;

  • Collected solely for the purposes identified in the Policy or for any other agreed-upon purpose, without further processing incompatible with those purposes;

  • Adequate, relevant, and limited to what is necessary in light of the purposes pursued;

  • Kept up to date in accordance with the “How do we protect your information?” section of the Policy;

  • Retained in a form that permits identification only for as long as is necessary for the intended purposes;

  • Stored and processed securely to prevent unauthorized access, loss, damage, or accidental disclosure, in accordance with the Policy.

We do not use automated decision-making, including profiling, for decisions that produce legal effects on you.

2. Rights of Data Subjects

In addition to the rights provided for in the Policy, you have the following rights regarding your personal data in Switzerland:

  • Access and portability: You may request a copy of your data (as well as any information provided for under Article 25 of the FADP) and receive this data in a structured, commonly used, and machine-readable format, including for the purpose of transferring it to a third party.

  • Restriction and objection: You may request the restriction or cessation of the processing of your data, particularly if you believe that such processing is unlawful or if your data is being used for direct marketing purposes.

3. Responsibilities as Data Controller

In general, we act as the “data controller” for personal data. In this capacity, we:

  • Explain, in this policy, how we collect, store, disclose, and process this data;

  • Appoint processors only under agreements compliant with the FADP;

  • Maintain a record of processing activities when required;

  • Cooperate with the competent authorities;

  • Implement appropriate technical and organizational measures to protect the data and report any breaches in accordance with the “How do we protect your information?” section of the Policy.

4. Disclosure to Third Parties

If we need to disclose your data to third parties (including processors), we require them to comply with the FADP. In the event of a transfer outside Switzerland, this will be carried out within the scope of the lawful provision of our services.

5. Hosting of Personal Data

The personal data of users located in Switzerland, including Health Information as defined in this Policy, is hosted exclusively on servers located within Belgium, with the exception of UserIDs and phone numbers, which are hosted in the United States. However, as part of the operation and maintenance of the Application, certain personal data may be accessed remotely from Canada by authorized Lime Health personnel. These rights regarding data storage and access are governed by appropriate contractual, technical, and organizational measures and is based, in particular, on the adequacy decision issued by the Swiss Federal Council regarding Canada, Belgium and the United States, recognizing a sufficient level of protection within the meaning of the FADP. In any event, Lime Health undertakes that no health data will be transferred or hosted outside Belgium without the explicit consent of the data subject and without the implementation of appropriate safeguards in accordance with Articles 16 et seq. of the FADP.

6. Consent to Transfer

By accepting this Policy, you consent to the transfer of your personal data to third parties located outside Switzerland. You acknowledge that we are not responsible for such third parties’ compliance with their obligations under the FADP.

For any questions, comments, or complaints regarding the processing of your personal data, or to exercise your rights, please use the contact information provided in the “Contact Us” section of the Policy. Your requests will be handled in accordance with the “What Are Your Rights?” section.

7. Swiss Representative

You may also use the contact information for our representative in Switzerland:

Contact Information for the Swiss Representative

EDPO

71 Avenue Huart Hamoir, 

1030 Schaerbeek, Belgium 

Online form available at: https://edpo.com/gdpr-data-request/