Privacy Policy
Effective 16 May 2026 · Last updated 22 May 2026
Diabetly provides an educational wellness companion for adults with type 2 diabetes or prediabetes. This policy explains what data we collect, why, and the choices you have. It aligns with the EU GDPR, UK GDPR, California's CCPA/CPRA, and Morocco's Law 09-08.
1 Who runs Diabetly
Diabetly is operated by the Diabetly team. For privacy questions, data-access requests, or to exercise any right under this policy, email support@diabely.com. We respond within 30 days.
2 What we collect
- Account: email address, hashed password (we never see your plaintext password), and the language and country you chose during onboarding.
- Health information you provide: diabetes type, year of diagnosis, age, sex, height, weight, medications, dietary restrictions, food dislikes, smoking and alcohol patterns, sleep, stress, comorbidities, last HbA1c value and date, last checkup date, and optional doctor and emergency contact.
- Lab reports you upload: the original PDF or image, the text we extract, the structured values (HbA1c, glucose, lipids, etc.), and the friendly explanation we generate.
- App activity: glucose readings, meal and training plans, medication reminder logs, and Q&A chat messages.
- Subscription metadata: your Whop membership status and renewal dates. We never see your card number.
- Communication identifiers: if you opt in, your Telegram chat ID, WhatsApp phone number, or the email address you chose for reminders.
- Technical data: approximate IP address, browser user-agent, request timestamps, and error logs, used only for security and abuse prevention.
3 How we use it
- Explain your lab reports and generate your meal and training plans.
- Send the reminders and weekly summaries you opted into.
- Run your account, process your subscription, and answer support.
- Detect medical emergencies in chat and respond safely with localized guidance.
- Monitor service quality and improve our prompts.
4 Third parties that process your data
- Supabase: database and auth hosting; your data sits in their EU region.
- Vercel: application hosting and edge logs.
- KIE.ai (routing Claude and Gemini): your inputs are processed transiently for inference and are not used to train their models.
- Whop: handles checkout and card payments; we never receive the card number.
- Resend: sends transactional emails (welcome, reminders).
- Telegram / WhatsApp: deliver reminder messages if you opted into a chat channel.
- Sentry: receives error traces only; identifiers and health values are scrubbed before they leave our servers.
5 Retention
Account and health data are kept while your account is active. When you delete a single item it is soft-deleted immediately and hard-deleted after 90 days (so an undo or support recovery is possible). When you delete your account, everything is hard-deleted within 30 days except minimal financial records we must keep for tax. AI safety logs are kept up to 12 months, then deleted.
6 Your rights
Any time, from Settings → Account, you can:
- Export every row we hold as a single JSON file.
- Delete your account and all associated data.
- Update any field from onboarding.
- Withdraw consent for reminders or marketing emails.
You may also exercise your rights of access, rectification, restriction of processing and objection by emailing us, or lodge a complaint with your local supervisory authority (CNIL, ICO, CNDP, or your US state attorney general).
7 Children
Diabetly is for adults only (18+). We do not knowingly collect data from children. If you believe a minor has signed up, contact us and we will delete the account.
8 Security
Data is encrypted in transit (TLS 1.2+) and at rest. Row-level security policies in the database limit every user-scoped query to that user's own rows, so one user cannot read another's data through the app. The service-role credential, which bypasses those policies, is used only by our backend and every use of it is logged. Passwords are stored only as hashes and are never shared.
9 Not medical advice
10 Changes to this policy
If we change this policy materially, we'll email all active users at least 14 days before it takes effect. The change date is always shown at the top of this page.