Privacy Policy

Last updated: April 18, 2026

Limato (“we”, “us”) is a Chrome extension that rewrites user-selected text using AI. This policy explains what data we collect, how we use it, who it is shared with, and how long we keep it.

Limited Use disclosure. Limato’s use and transfer of information received from Chrome APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. We do not sell your data, do not use it for advertising, and do not allow humans to read it except where required for security, legal compliance, or with your explicit consent.

1. What we collect

a) Text you select

When you trigger a rewrite, the text you selected on the current page (up to 5000 characters per request) is sent to our backend for processing.

b) Device identifier

On first use, a random UUID is generated and stored locally in your browser. It is sent with each request so we can apply daily rate limits to anonymous users. It is not linked to your identity.

c) Preferences

Your chosen tone and target language are stored locally in your browser and sent with each request.

d) Authentication data (optional)

If you choose to sign in, we use Supabase to handle authentication. We receive a JWT token containing your Supabase user ID and email. Signing in is optional and unlocks a higher daily rewrite limit.

e) Technical data

Our backend temporarily processes your IP address (via Cloudflare) to enforce rate limits and prevent abuse. IP addresses are not stored in application logs.

2. How we use your data

Provide the core rewrite feature (sending your text to an AI model and returning the result).
Apply daily rate limits per device or account.
Detect and prevent abuse of the service.

We do not use your data for advertising, profiling, or training AI models.

3. Third parties we share data with

OpenAI — the selected text is sent to the OpenAI API (gpt-4o-mini) to generate the rewrite. OpenAI processes this data per their API data usage policy and does not use API inputs to train its models.
Cloudflare — hosts our backend (Cloudflare Workers) and stores short-lived rate-limit counters in Cloudflare KV.
Supabase — authentication provider; only used if you sign in.

We do not sell or rent your data to any third party.

4. Data retention

Selected text: not stored. The request is stateless — once the rewrite is returned, no copy is kept on our servers.
Rate-limit counters: stored in Cloudflare KV for up to 48 hours, then expire automatically.
Device ID and preferences: stored locally in your browser for as long as the extension is installed. You can clear them by removing the extension.
Account data (if signed in): retained by Supabase until you request deletion.

5. Permissions we request

activeTab — to read the text you selected on the current page.
storage — to save your preferences and device ID locally.
identity — to support sign-in via Supabase OAuth (only used if you sign in).
Host permissions for our backend and Supabase domains — to send requests to our API.

6. Your rights

You can uninstall the extension at any time to stop all data collection. If you signed in, you may request deletion of your account by emailing us at the address below. Because we do not store selected text, there is no stored content to delete on our side.

If you are located in the EEA / UK / California, you have rights under GDPR / UK GDPR / CCPA, including access, correction, deletion, and objection. To exercise these rights, contact us.

7. Children

Limato is not directed at children under 13 (or 16 in the EEA). We do not knowingly collect data from them.

8. Changes to this policy

We may update this policy. Material changes will be announced on this page with a new “Last updated” date.

9. Contact

Questions, requests, or data-deletion inquiries: support@limato.app.