Privacy Policy

1. Who We Are

Data Controller: Key Decision IT, trading as Diabetes Intelligence

Registered address: 85 Water Lane, WF4 4PY Middlestown, Wakefield, United Kingdom

Data Protection Officer: Andre Mauricio

Contact (privacy requests): gdpr@keydecisionit.com

2. Scope

This Policy applies to the Service accessible through our website and application interfaces and to any related support or communication channels. Our primary audience is in the EU/EEA and the UK. We are not a HIPAA covered entity.

3. Data We Collect

• Account and Authentication Data: Google OAuth identifier, name and email provided by Google.
• Health and Treatment Data (special category data): continuous glucose monitoring (CGM) readings, insulin doses, meals, exercise, sleep, and related time-series modeling data you input or generate.
• Device/Technical Data: IP address, device/browser information, app logs, diagnostic and crash data.
• Cookies and Analytics: Google Analytics (with consent, where required) for aggregated usage metrics.

4. How and Why We Use Your Data (Legal Bases)

• Provide and operate the Service (account creation, authentication, core features): performance of a contract (GDPR Art. 6(1)(b)).
• Process health-related data for modeling and research features you use: your explicit consent (GDPR Art. 6(1)(a) and Art. 9(2)(a)). You can withdraw consent at any time in-app (where available) or by contacting us; withdrawal does not affect prior lawful processing.
• Security, fraud prevention, diagnostics (including logs and crash data): our legitimate interests (GDPR Art. 6(1)(f)).
• Analytics and product improvement (Google Analytics cookies): your consent (GDPR Art. 6(1)(a)).
• Compliance with legal obligations: GDPR Art. 6(1)(c).

5. Minors and Guardian Consent

The Service may be used for individuals aged 2 years and older. For users under 16, a parent or legal guardian must create and manage the account, provide explicit consent for processing health data, and supervise usage. We may request evidence of guardian consent and may suspend or terminate accounts where appropriate consent is not maintained.

6. International Data Transfers

We host our systems in Europe and strive to keep your personal data stored within the EU/EEA/UK. However, certain Service features include calls to third-party AI processing services (for example, OpenAI APIs used by agents/workflows). These providers may process data outside the EEA/UK (including in the United States).

Where transfers occur, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (SCCs) and supplementary technical and organizational measures. We minimize the personal data included in such requests and avoid including direct identifiers where feasible.

7. How We Share Your Data

• Service providers (processors): hosting and infrastructure (self-hosted in Europe), authentication (Google OAuth), analytics (Google Analytics), and AI processing (e.g., OpenAI).
• Legal and compliance: when required by law or to protect rights, safety, and security.
• Business transfers: in connection with a merger, acquisition, or asset sale, subject to this Policy.

8. Retention

• Account and profile data: kept while your account is active and for up to 24 months of inactivity, then deleted or anonymized.
• Health/treatment data: retained while the account is active. When you delete data or your account, we remove it from active systems within 30 days; encrypted backups roll off within approximately 35 days. We may retain aggregated or anonymized datasets for research and product improvement that no longer identify you.
• Security and application logs: typically retained for up to 12 months.
• Analytics data: retained by Google Analytics for up to 26 months (subject to your consent settings).
• Support communications: typically retained for up to 24 months.

9. Your Rights

Subject to applicable law (EU/UK GDPR), you have the right to:

• Access your personal data and obtain a copy
• Rectify inaccurate or incomplete data
• Delete your data (right to erasure)
• Restrict or object to processing in certain circumstances
• Data portability for information you provided
• Withdraw consent at any time for processing based on consent

To exercise your rights, use in-app controls (where available) or contact us at gdpr@keydecisionit.com. You also have the right to lodge a complaint with your local data protection authority or the UK ICO.

10. Security

We implement appropriate technical and organizational measures, including encryption in transit and at rest, access controls, auditing, and defense-in-depth practices. No method of transmission or storage is 100% secure; we continuously improve our safeguards.

11. Automated Decision-Making

The Service provides modeling and simulation features for informational purposes only. It does not perform automated decision-making that produces legal or similarly significant effects. The Service is experimental and is not MDR-approved and must not be used for dosing decisions or emergencies.

12. Cookies

We use cookies and similar technologies. Google Analytics cookies are used only with your consent (where required) to measure usage and improve the Service. You can manage preferences via our cookie banner (where available) or your browser settings.

13. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and, where changes are material, provide additional notice. Your continued use of the Service after changes take effect indicates acceptance of the revised Policy.