Privacy Policy
Effective 2026-05-27
Service availability
Diabec is currently available to residents of the United Kingdom, the United States, Canada, Australia, and Singapore. Residents of the European Economic Area (EU 27 + Iceland, Liechtenstein, Norway) cannot create an account at this time. We expect to extend availability to the EEA once a local representative under UK-GDPR / EU-GDPR Article 27 has been appointed.
1. Who we are
Diabec is operated by NIBARTECH LTD, a company registered in England and Wales (company number 15283998). Registered office: First Floor Office, 3 Hornton Place, London, W8 4LZ, United Kingdom. UK ICO Data Protection Register number: ZC180793.
Contact: contact@dia-bec.com. This Privacy Policy explains what we collect, why, and your rights.
2. Data we collect
Account data: name, email, date of birth, password hash, optional diabetes type.
Health-tracking data you enter: glucose readings, meals, supplements, sleep, mood, reminders, free-text notes, photos of meals, voice notes.
Mental-health check-ins: optional private "diabetes distress" score (1-5), mood tags, and notes you choose to write. These are never posted to the community.
Device data: device model, OS version, app version, crash logs.
Usage data: screens viewed, feature interactions (aggregated and pseudonymous).
Payment data (Shop only): handled by Stripe; we do not store full card numbers.
3. Why we collect it
To provide core tracking features, personalize insights, deliver your supplement orders, alert your Care Circle when you use the SOS, respond to support requests, prevent fraud, comply with legal obligations, and (only with your separate opt-in) send marketing communications.
4. Legal basis
UK users (UK-GDPR + Data Protection Act 2018): we rely on (a) your consent (UK-GDPR Art. 6(1)(a), and Art. 9(2)(a) for special-category health data), (b) performance of our contract with you (Art. 6(1)(b)), (c) our legitimate interests in service security and improvement (Art. 6(1)(f)), and (d) legal obligation (Art. 6(1)(c)) for tax and compliance retention. The UK supervisory authority is the Information Commissioner's Office (ICO).
As of 5 February 2026, section 80 of the UK Data (Use and Access) Act 2025 replaced Article 22 UK GDPR on automated decision-making. Because diabetes-related data is a special category, we continue to rely on your explicit consent under Article 9(2)(a) and offer a human-review path within the app for any decision the Companion AI surfaces.
US users (state laws: California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut, Utah): our processing is based on the contractual relationship and your consent for sensitive data. We honour Do-Not-Sell / Do-Not-Share / opt-out signals where applicable. We do not sell personal information.
Canadian users (PIPEDA + provincial laws): we obtain meaningful consent for collection, use, and disclosure of personal information.
Australian users (Privacy Act 1988 + Australian Privacy Principles): we collect personal information by lawful and fair means with your consent and only for purposes notified to you.
Singapore users (Personal Data Protection Act 2012): we collect, use, and disclose personal data with your consent for the purposes set out in this Policy.
5. Sharing
We do NOT sell your data. We share only with processors who act on our instructions under a data processing agreement:
• Supabase (auth + database hosting)
• Cloudflare (network delivery, web app hosting)
• Fly.io (backend API hosting; United States, Ashburn region)
• Shopify / Shopify Payments (Shop checkout, billing, and order fulfilment)
• Shipping carriers (Shop only, for delivery)
• AfterShip (parcel tracking; we send only the tracking number, not your name or address)
• 17track (parcel tracking fallback when AfterShip cannot resolve a number; we send only the tracking number)
• Anthropic (meal images, voice transcripts, health-insight context, and mental-health check-in content for AI features; Anthropic does not train on our API data and retains it for up to 30 days for safety and abuse monitoring only)
• OpenAI (meal images and voice transcripts as a fallback when Anthropic is unavailable; OpenAI does not train on our API data and retains it for up to 30 days for safety monitoring)
• Google AI Studio / Gemini (text-generation fallback when Anthropic is unavailable; under Google AI Studio terms, free-tier prompts may be used to improve Google products. We work to stay on paid billing to avoid this, but cannot guarantee it on every request)
• LiveKit (real-time voice infrastructure for in-app support calls; audio is signalled but not stored by us)
• Pearl (NLPearl AI) (handles and routes in-app and phone support calls, including AI-voice answering; you are told before any AI voice call begins)
• Apple Push Notification service / Firebase Cloud Messaging / Web Push (delivers reminder, order, and Care Circle notifications; only when you have enabled them)
• HubSpot and Klaviyo (email communication, only with your opt-in)
• Eazybe / WhatsApp Business (WhatsApp messages only after a two-step opt-in: registration + a reply to our welcome WhatsApp, in line with WhatsApp Business Policy 2026; US numbers are excluded from WhatsApp marketing)
We also disclose data if legally required (court order, subpoena).
6. International transfers
Our backend servers are located in the United States (Fly.io Ashburn region; Supabase; Cloudflare's global edge network).
UK users: the UK government recognises the United States as a partner under the UK Extension to the EU-US Data Privacy Framework. Where we transfer your data to a US processor not certified to the Framework, we rely on the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses, supplemented by a Transfer Risk Assessment. You can request a copy by emailing contact@dia-bec.com.
Canadian, Australian, and Singapore users: we transfer your data to US-based processors under contractual obligations consistent with PIPEDA, the Australian Privacy Principles, and Singapore's PDPA respectively.
EU/EEA residents: Diabec is not currently offered to residents of the European Economic Area (see Service availability above). No EU/EEA personal data is intentionally collected or processed at this time.
7. Retention
Active account: for as long as you keep the account. After account deletion, we delete personal data within 30 days, except transactional records we are required to keep for up to 24 months for tax, legal, and fraud-prevention purposes. Aggregated and fully de-identified analytics may be retained indefinitely.
8. Your rights
Subject to applicable law, you can: access your data, export a copy, correct inaccuracies, delete your account, object to or restrict processing, withdraw consent (including marketing), and lodge a complaint with your local data protection authority. UK: ICO (ico.org.uk/concerns); California: AG / CPPA; Canada: OPC; Australia: OAIC; Singapore: PDPC.
Email contact@dia-bec.com to exercise any right; we respond within 30 days (or sooner where required by your local law).
9. Children
Diabec is not intended for users under 13. We require a date of birth at registration and block accounts where the user is under 13. Users aged 13-17 must confirm a parent or guardian is aware they use the app.
10. Health disclaimer
Diabec is a dietary supplement and wellness-tracking companion, not a medical device. The app does not diagnose, treat, cure, or prevent any disease. AI-generated estimates (carbs, recent glucose patterns you have logged, sleep correlation) are informational only. Always consult a licensed healthcare professional before making medical decisions.
Our in-app Companion is an AI assistant (Anthropic Claude). It identifies itself as AI when asked and is labelled as "AI" throughout the app, in line with EU AI Act Article 50 (effective 2 August 2026).
11. Security & breach notification
We protect your data with TLS in transit, encryption at rest, least-privilege access controls, and regular security review.
If a personal-data breach affects you and creates a risk to your rights and freedoms, we notify the UK Information Commissioner's Office within 72 hours of becoming aware of it (UK-GDPR Article 33), notify you without undue delay where required (Article 34), and meet equivalent breach-notification duties in the US (state laws), Canada (PIPEDA), Australia (Notifiable Data Breaches scheme), and Singapore (PDPA Mandatory Data Breach Notification). No system is perfectly secure; we treat every incident with the same transparency.
12. Changes
We may update this Policy. If we make material changes, we will email you at least 30 days before the changes take effect. Continued use after the effective date means you accept the updated Policy.
13. Contact
Questions about this Policy or your data: contact@dia-bec.com.
Diabec is operated by NIBARTECH LTD, a company registered in England and Wales—effective date: 2026-05-27.