Privacy Policy

Effective 2026-04-15

1. Who we are

Diabec ("we", "us") operates the Diabec mobile application, website, and supplement shop. Contact: jeff@dia-bec.com. This Privacy Policy explains what we collect, why, and your rights.

2. Data we collect

• Account data: name, email, date of birth, password hash, optional phone number, optional diabetes type.
• Health-tracking data you enter: glucose readings, meals, supplements, sleep, mood, reminders, free-text notes, photos of meals, voice notes.
• Mental-health check-ins: optional private "diabetes distress" score (1-5), mood tags, and notes you choose to write. Never posted to the community.
• Device data: device model, OS version, app version, crash logs.
• Usage data: screens viewed, feature interactions (aggregated and pseudonymous).
• Payment data (Shop only): handled by Shopify Payments / Stripe; we do not store full card numbers.

3. Why we collect it

To provide core tracking features, personalise insights, deliver your supplement orders, alert your Care Circle when you use the SOS, respond to support requests, prevent fraud, comply with legal obligations, and (only with your separate opt-in) send marketing communications.

4. Legal basis (GDPR)

EU/UK users: we rely on (a) your consent (Art. 6(1)(a), and Art. 9(2)(a) for health data), (b) performance of our contract with you (Art. 6(1)(b)), (c) legitimate interests in service security and improvement (Art. 6(1)(f)), and (d) legal obligation (Art. 6(1)(c)) for tax and compliance retention.

5. Sharing

We do NOT sell your data. We share only with processors who act on our instructions under a data processing agreement:

• Supabase (auth + database hosting)
• Cloudflare (network delivery, web app hosting)
• Fly.io (backend API hosting; United States, Ashburn region)
• Shopify / Shopify Payments (Shop checkout, billing, and order fulfilment)
• Shipping carriers (Shop only, for delivery)
• AfterShip and 17track (parcel tracking; we send only the tracking number, never your name or address)
• Anthropic (meal images, voice transcripts, health-insight context, and mental-health check-in content for AI features; Anthropic does not train on our API data and retains it for up to 30 days for safety and abuse monitoring only)
• OpenAI (meal images and voice transcripts as a fallback when Anthropic is unavailable; OpenAI does not train on our API data and retains it for up to 30 days for safety monitoring)
• Google AI Studio / Gemini (text-generation fallback when Anthropic is unavailable)
• LiveKit (real-time voice infrastructure for in-app support calls; audio is signalled but not stored by us)
• NLPearl (AI voice agent for inbound and outbound support calls)
• Apple Push Notification service / Firebase Cloud Messaging / Web Push (delivers reminder, order, and Care Circle notifications; only when you have enabled them)
• HubSpot and Klaviyo (email communication, only with your opt-in)
• Sentry (crash and error reporting; we configure it without personal data)

We also disclose data if legally required (court order, subpoena).

6. International transfers & EU Representative

Our servers are located in the United States (Fly.io Ashburn, Supabase, Cloudflare). If you are in the EU, EEA, or UK, your data is transferred internationally under Standard Contractual Clauses (SCCs) approved by the European Commission. You can request a copy of the SCCs by emailing jeff@dia-bec.com.

EU Representative (GDPR Article 27): to be appointed before EU launch. Contact jeff@dia-bec.com until the representative is named.

7. Retention

Active account: for as long as you keep the account. After account deletion: we delete personal data within 30 days, except transactional records we are required to keep for up to 24 months for tax, legal, and fraud-prevention purposes. Aggregated and fully de-identified analytics may be retained indefinitely.

8. Your rights

Subject to applicable law, you can:

• Access your data and export a copy (in-app: Profile → Export my data)
• Correct inaccuracies
• Delete your account (in-app: Profile → Delete my account — deletion is irreversible and cascades across all your tracked data within 30 days)
• Object to or restrict processing
• Withdraw consent (including marketing) at any time
• Lodge a complaint with your local data protection authority

Email jeff@dia-bec.com to exercise any right; we respond within 30 days.

9. Children

Diabec is not intended for users under 13. We require a date of birth at registration and block accounts where the user is under 13. Users aged 13–17 must confirm a parent or guardian is aware they use the app.

10. Health disclaimer

Diabec is a dietary supplement and wellness-tracking companion, not a medical device. The app does not diagnose, treat, cure, or prevent any disease. AI-generated estimates (carbs, glucose prediction, sleep correlation) are informational only. Always consult a licensed healthcare professional before making medical decisions.

11. Security & breach notification

We protect your data with TLS in transit, encryption at rest (iOS Keychain / Android Keystore for tokens), least-privilege access controls, and regular security review.

If a personal-data breach affects you and creates a risk to your rights and freedoms, we notify the relevant supervisory authority within 72 hours of becoming aware of it (GDPR Article 33), and we notify you without undue delay where required by law (GDPR Article 34). No system is perfectly secure; we treat every incident with the same transparency.

12. Changes

We may update this Policy. If we make material changes we email you at least 30 days before the changes take effect. Continued use after the effective date means you accept the updated Policy.

13. Contact

Questions about this Policy or your data: jeff@dia-bec.com.

Diabec is operated by NIBARTECH LTD. Effective date: 2026-04-15. © 2026 Diabec. All rights reserved.