Privacy Policy

Last updated: January 2025

This Privacy Policy explains how Key Decision IT, trading as Diabetes Intelligence (“we”, “us”, “our”), collects, uses, shares, and protects your information when you use our blood glucose modeling web application and related services (“Service”).

1. Who We Are

Data Controller: Key Decision IT, trading as Diabetes Intelligence

Registered address: 85 Water Lane, WF4 4PY Middlestown, Wakefield, United Kingdom

Data Protection Officer: Andre Mauricio · [email protected]

2. Scope

This Policy applies to the Service accessible through our website and application interfaces and to related support or communication channels. Our primary audience is in the EU/EEA and the UK. We are not a HIPAA-covered entity.

3. Data We Collect

  • Account and Authentication Data: Google OAuth identifier, name, and email provided by Google.
  • Health and Treatment Data (special category data): CGM readings, insulin doses, meals, exercise, sleep, and related time-series modeling data you input or generate.
  • Device/Technical Data: IP address, device/browser information, app logs, diagnostic and crash data.
  • Cookies and Analytics: Google Analytics (with consent, where required) for aggregated usage metrics.

4. How and Why We Use Your Data

  • Provide and operate the Service (account creation, authentication, core features): performance of a contract (GDPR Art. 6(1)(b)).
  • Process health-related data for modeling and research features you use: your explicit consent (GDPR Art. 6(1)(a) and Art. 9(2)(a)); you can withdraw consent at any time in-app or via email.
  • Security, fraud prevention, diagnostics (including logs and crash data): our legitimate interests (GDPR Art. 6(1)(f)).
  • Analytics and product improvement (Google Analytics cookies): your consent (GDPR Art. 6(1)(a)).
  • Compliance with legal obligations: GDPR Art. 6(1)(c).

5. Minors and Guardian Consent

The Service may be used for individuals aged 2 years and older. For users under 16, a parent or legal guardian must create and manage the account, provide explicit consent for processing health data, and supervise usage. We may request evidence of guardian consent and may suspend or terminate accounts where appropriate consent is not maintained.

6. International Data Transfers

We host our systems in Europe and strive to keep personal data stored within the EU/EEA/UK. Certain Service features include calls to third-party AI processing services (e.g., OpenAI APIs used by agents/workflows) that may process data outside the EEA/UK, including in the United States. Transfers rely on Standard Contractual Clauses (SCCs) with supplementary measures. We minimize personal data in such requests and avoid direct identifiers where feasible.

7. How We Share Your Data

  • Service providers (processors): hosting and infrastructure (self-hosted in Europe), authentication (Google OAuth), analytics (Google Analytics), AI processing (e.g., OpenAI).
  • Legal and compliance: when required by law or to protect rights, safety, and security.
  • Business transfers: in connection with a merger, acquisition, or asset sale, subject to this Policy.

8. Retention

  • Account and profile data: retained while active and for up to 24 months of inactivity, then deleted or anonymized.
  • Health/treatment data: retained while the account is active. Deleted data is removed from active systems within 30 days; encrypted backups roll off within ~35 days. Aggregated/anonymized datasets may be retained longer for research.
  • Security and application logs: typically retained up to 12 months.
  • Analytics data: retained by Google Analytics for up to 26 months (subject to consent settings).
  • Support communications: typically retained up to 24 months.

9. Your Rights

Subject to EU/UK GDPR, you have the right to access, rectify, delete, restrict, or object to processing; request data portability; and withdraw consent at any time. Use in-app controls where available or email [email protected]. You may lodge a complaint with your local data protection authority or the UK ICO.

10. Security

We implement encryption in transit and at rest, access controls, auditing, and defense-in-depth practices. No method of transmission or storage is 100% secure; we continually improve the safeguards protecting the Service.

11. Automated Decision-Making

The Service provides modeling and simulation features for informational purposes only. It does not perform automated decision-making that produces legal or similarly significant effects. The Service is experimental, is not MDR-approved, and must not be used for dosing decisions or emergencies.

12. Cookies

We use cookies and similar technologies. Google Analytics cookies are used only with your consent to measure usage and improve the Service. Manage preferences via our cookie banner or your browser settings.

13. Changes to this Policy

We may update this Policy from time to time. Updated versions will include a new “Last updated” date and, when material changes occur, additional notice. Continued use of the Service after changes take effect indicates acceptance of the revised Policy.

14. Contact

Questions or requests? Contact our DPO at [email protected] or write to the address listed above.