Privacy Policy
A Quick Note Before You Begin
We built syncsulin because living with diabetes is demanding, and because you deserve tools that make managing it feel less like a chore and more like having a knowledgeable companion by your side. You are one of the first people to use this application, and your experience and feedback matter to us enormously.
syncsulin is currently in closed beta testing via Apple TestFlight, and we operate the website at www.syncsulin.com. This Policy covers exactly these two things. When we launch the full production app, expected very soon, we will update this policy and notify you well in advance.
We have written it to be as clear and straightforward as possible. If you have any questions, please reach out to us directly. We are a small, dedicated team and we genuinely want to hear from you.
1. Acceptance
By downloading, registering, or using the syncsulin app or website, you agree to the collection and use of your information as described in this Policy. If you do not agree, please do not use the service.
We may update this Policy at any time. The “Last Updated” date at the top reflects when this document was last revised. We will notify you of any material changes by posting a notice in the app or by sending you an email. Your continued use of the service after a material change takes effect constitutes your acceptance of the updated Policy. For changes to how we process health data, we will ask for your fresh consent.
2. Who We Are
syncsulin GmbH (“we”, “us”, “our”) is a health technology company incorporated in Düsseldorf, Germany. We are building a personal AI-powered lifestyle and health tracking app for people who live with diabetes. syncsulin helps you log, visualise, and make sense of your own health data, bringing together glucose readings, insulin, meals, activity, and sleep in one place, for your personal awareness and day-to-day wellbeing.
The app and all of its content are provided for informational and personal tracking purposes only. syncsulin does not provide medical advice, diagnosis, or treatment, and is not a medical device. It is not regulated as such under the EU Medical Device Regulation (MDR), the US FDA framework, or equivalent regulations in other jurisdictions. Nothing in syncsulin is a substitute for the advice of a qualified healthcare professional. Please always consult your doctor or diabetes care team for medical decisions.
3. What this Policy covers
This Privacy Policy applies to all services offered by syncsulin GmbH, including:
- Our website at www.syncsulin.com
- The syncsulin Beta Program, distributed via Apple TestFlight, which runs on our Supabase backend infrastructure (the “App”, “Beta”)
- All features and services offered through the above
It applies to all users worldwide, including residents of the EU/EEA, UK, United States, and all other countries. Where applicable law grants you specific rights, we describe them in Section 12.
4. Which Data Do We Collect And How
We collect information in three ways: data you provide directly, data collected automatically when you use the service, and data we receive from third-party sources you connect to the app. We collect only what we genuinely need.
4.1 On our website
When you visit our website www.syncsulin.com, we collect:
| Data | Why | Retention |
|---|---|---|
| Email address (if you sign up for the waitlist or newsletter) | To send you updates about syncsulin | Until you unsubscribe |
| IP address | Security and spam prevention | 12 months |
| Browser and device info | To keep the site working properly | 12 months |
| Squarespace analytics (aggregated) | To understand how people use the site | 12 months |
We offer an optional way to support syncsulin financially through a donation feature on our website, powered by Stripe. Donating is entirely voluntary and has no bearing whatsoever on your access to syncsulin. If you choose to donate, the following data is processed:
- Payment details (card number, expiry, CVC), processed exclusively by Stripe. We never see or store your card data.
- Name and email address (to send a donation confirmation).
- Transaction metadata (amount, date, currency, country), visible to us for accounting purposes.
- IP address and device data, collected by Stripe for fraud prevention.
Stripe acts as an independent data controller for payment processing, meaning they have their own privacy obligations towards you, separate from ours. We recommend reading Stripe’s Privacy Policy before donating. The legal basis for processing your donation data is Art. 6(1)(b) GDPR (transaction you initiated) and Art. 6(1)(c) GDPR (statutory accounting obligations). Transaction records are retained for 10 years in accordance with German commercial law (§ 147 AO).
4.2 App
When you join the Beta and use the App, we collect:
4.2.1 Data You Provide Directly
| Category | Examples | Retention |
|---|---|---|
| Registration data | Name, email address, hashed password | Until account deletion, or 10 years from last use, whichever is earlier |
| Diabetes profile | Diabetes type, therapy type, insulin brand, preferred glucose unit (mg/dL or mmol/L) | Until account deletion |
| Manual health log entries | Blood glucose readings, insulin doses, meal data, menstrual cycle data | Until account deletion |
| Communication data | Messages sent via in-app support or email contact form, including metadata | 10 years from last exchange (legal evidentiary standard) |
4.2.2 Data Collected Automatically
When you use the app, we automatically collect certain technical and usage data. While this is not typically personal data on its own, we treat it as personal data wherever it can be combined with other information to identify you.
| Category | Examples | Retention |
|---|---|---|
| App and device data | Device type, OS, app version, IP address, screen resolution, language settings | 12 months |
| Behavioural and usage data | Collected anonymously via Firebase Analytics by default (app launch, session duration, basic engagement). If you enable push notifications, the following fields are additionally linked to your account: timezone, device type, OS version, app version. | 12 months from last use |
| Error and crash logs | Crash reports, technical error logs (via Firebase Crashlytics) | 12 months |
| Feature flag data (Beta only) | Which features are enabled for your account via GrowthBook | Duration of beta session |
| Website log data | IP address, pages visited, time and date of visit, referring URL | 12 months |
4.2.3 Data from Third Parties (Apple HealthKit and CGM Devices)
With your permission, we receive health data from third-party applications and connected devices. This is the core of how syncsulin works, and it’s how we see your glucose readings, activity, sleep, and more, regardless of which device or app originally recorded that data (for example, a Dexcom CGM writing data to Apple Health, or a Garmin watch).
Specifically, we read:
- Continuous glucose monitoring (CGM) readings and trends
- Steps, heart rate, and heart rate variability (HRV)
- Sleep data
- Activity and workout data
Please note:
- We primarily read from Apple Health. We also write data back in one specific case: when you manually log an insulin dose in syncsulin, that entry is written to Apple Health so your records stay consistent across apps. No other health data is written back without your explicit instruction.
- HealthKit data is never used for advertising purposes.
- HealthKit data is never shared with third parties for their own commercial use, in compliance with Apple’s developer policies.
- The way Apple Health processes your data is governed by Apple’s own Privacy Policy. We encourage you to review it. We cannot be held responsible for data processed by Apple independently of our app.
- You can revoke HealthKit access at any time via iPhone Settings → Privacy & Security → Health → syncsulin.
For any data originating from third-party services or apps connected to syncsulin, we ask that you direct privacy requests related to that third party’s processing to them. We can only respond in relation to our own processing of your data.
4.2.3a Glooko CSV import
If you use Glooko to manage your diabetes data, you can export a CSV file from your Glooko account and import it directly into syncsulin. When you do this:
- The CSV file is transmitted securely to our servers (Supabase, Ireland) and processed to extract your glucose readings, insulin data, and other health records contained in the file.
- syncsulin has no direct connection to Glooko’s systems. We receive only the data contained in the file you actively choose to share with us.
- Glooko’s own privacy policy governs how Glooko processes and exports your data independently. We encourage you to review it at glooko.com.
- You are always in control. We process only files you deliberately share with us.
The legal basis for processing data from Glooko CSV imports is Art. 6(1)(b) GDPR (processing necessary to provide the service you have requested) and Art. 9(2)(a) GDPR (your explicit consent to process health data), consistent with all other health data in the app.
If you encounter a bug, a data display error, or anything that concerns you, please tell us. You can reach us at info@syncsulin.com or through the feedback function in the App. Every report helps.
4.2.4 Analytics data
We use a two-tier approach to in-app analytics via Mixpanel:
- Before you give consent: we only collect minimal, anonymous signals, specifically app launch, session duration, and critical stability errors. These contain no personal context and run under our legitimate interest in keeping the app stable (Art. 6(1)(f) GDPR).
- After you give consent: we enable full usage analytics, including screen navigation, feature interactions, and UI preferences. You can change this at any time in the app’s Privacy Settings.
Mixpanel receives only a pseudonymous user ID and usage events. It does not receive health data, name, or email. No advertising identifiers (IDFA, GAID) are collected or shared.
5. Your Responsibilities as a User
By using the App, you agree to:
- Provide accurate information when setting up your account and connecting your devices.
- Use the App only for its intended purpose: personal health data tracking and visualization.
- Not attempt to reverse-engineer, decompile, or tamper with the App or its infrastructure.
- Not use the App in a way that could harm yourself, others, or the integrity of the service.
- Keep your login credentials confidential and notify us immediately if you believe your account has been compromised.
- Not use the App for commercial purposes, to provide medical advice to others, or in any clinical setting without appropriate regulatory authorization.
6. AI and machine learning — always your choice
syncsulin’s core purpose is to use AI to help you understand your own glucose patterns and make better-informed decisions. To build and improve those models, we want to be fully transparent about what that means for your data.
With your separate, freely given consent, we may use pseudonymised health data from the Beta to train and improve our machine learning algorithms for blood glucose trend prediction and personalised guidance.
Here’s what “pseudonymised” means in practice: your data is processed under an internal identifier (not your name or email) so it cannot be directly attributed to you without additional information that we hold separately.
We are explicit that we do not use fully anonymised data for this purpose. The reason is straightforward: delivering truly personalised guidance requires the model to associate learned patterns with your individual profile. Anonymised data can’t do that.
This processing is entirely optional:
- It requires a separate, specific consent step during onboarding, clearly distinct from accepting this policy.
- You can grant or withdraw this consent at any time in the app’s Privacy Settings.
- Withdrawing consent has no impact on your access to the app.
- Raw health data obtained via Apple HealthKit is excluded from AI training.
7. How and Why we Use Your Data
We use personal data only for the purposes described in this section. We strive to minimise personal data use and, to the maximum extent possible, work with anonymised or aggregated data.
| Purpose | Legal basis (EU/EEA/UK) | Details |
|---|---|---|
| Run the App and display your health data | Art. 6(1)(b) GDPR + Art. 9(2)(a) GDPR | Core functionality; necessary to provide the service |
| Use Beta data to validate that the app displays health data correctly and behaves as expected before the production launch | Art. 6(1)(a) + Art. 9(2)(a) GDPR | Separate Beta participation consent required |
| Improve the App based on aggregate usage patterns | Art. 6(1)(f) GDPR | We use aggregated, anonymised data wherever possible |
| Keep the app stable (crash and error monitoring) | Art. 6(1)(f) GDPR | Legitimate interest in maintaining a working service |
| Train AI/ML models for personalised guidance | Art. 6(1)(a) + Art. 9(2)(a) GDPR | Separate, optional consent; see Section 6 |
| Send you product updates and news | Art. 6(1)(a) GDPR | Only if you opt in; unsubscribe any time |
| Comply with legal requirements | Art. 6(1)(c) GDPR | E.g. GDPR documentation, legal disclosures |
| Security and fraud prevention | Art. 6(1)(f) GDPR | Legitimate interest in platform security |
For US residents: we process your personal data based on your consent, our need to perform the services you’ve signed up for, our legitimate business interests (as described above), and our legal obligations. Where your state has specific privacy laws, Section 12 describes your rights in detail.
8. Who We Share Your Data With
8.1 Technical Service Providers
We work with a small number of trusted technical partners who process data strictly on our behalf, under Data Processing Agreements (DPAs). They have no right to use your data for any purpose other than the service they provide us.
| Provider | Role | Location | Data involved |
|---|---|---|---|
| Supabase | Backend database, authentication, file storage | EU - Ireland | All health and account data |
| Firebase Analytics (Google) | Anonymous baseline analytics (app performance, crash-free rate) | USA - Standard Contractual Clauses | Anonymous aggregate data only — no user identifiers |
| Crashlytics (Google Firebase) | Mobile stability monitoring | USA - Standard Contractual Clauses | Technical logs only, no health data |
| Mixpanel | In-app analytics (consent-gated) | USA - Standard Contractual Clauses | Pseudonymous usage events, no health data |
| GrowthBook | Feature flag management | USA - Standard Contractual Clauses | Pseudonymous user ID only |
| Apple TestFlight | Beta app distribution | USA - Standard Contractual Clauses | App distribution only |
| GitHub (Microsoft) | Source code repository | USA - Standard Contractual Clauses | Source code only, no user data |
| Stripe | Payment processing for donations (independent controller) | USA - Standard Contractual Clauses | Donation payment data, see Section 4.1 |
| Squarespace | Website hosting | USA - Standard Contractual Clauses | Website visitor data only |
8.2 Legal Disclosures
We may share personal data with regulators, supervisory authorities, or law enforcement where we are legally required to do so. Where possible, we will notify you before making such a disclosure.
8.3 Business Transfer
If syncsulin is ever involved in a merger, acquisition, or asset sale, your data may transfer to the successor entity. For health data specifically, we will ask for fresh consent before any transfer takes effect. We will notify you in advance and explain your rights.
9. International Data Transfer
We store all personal health data within the European Economic Area, specifically on Supabase servers in Ireland.
Some of our technical service providers (Firebase Analytics, Crashlytics, Mixpanel, GrowthBook, Apple TestFlight, GitHub, Stripe, Squarespace) are based in the United States. Where technical or pseudonymous data is transferred to these providers, no personal health data is included. All such transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.
Where providers participate in the EU–US Data Privacy Framework, we additionally rely on that framework. If you’d like a copy of the safeguards for any specific transfer, contact us at privacy@syncsulin.com.
10. How Long We Keep Your Data
We retain your data only for as long as our processing purposes, legal retention obligations, and legitimate interests in documentation and evidentiary record-keeping require. When data is no longer needed, we delete or anonymise it as part of our regular processes.
| Data category | Retention period | Reason |
|---|---|---|
| Account and profile data | Until account deletion | User control |
| Health data (Beta app) | Until the Beta ends or you delete your account, whichever comes first | Beta program scope |
| AI training data (if consented) | Until you withdraw consent or delete your account | User control |
| Crash and error logs | 12 months | Technical necessity |
| Usage analytics | 12 months from last use | Technical necessity |
| Database backups | 30 days, then automatically deleted | Disaster recovery |
| Account deletion records (metadata only, no health data) | 3 years after deletion | GDPR compliance documentation |
| Support and email communication | 10 years from last exchange | Legal evidentiary standard |
| Newsletter / waitlist email | Until you unsubscribe | Consent-based |
You can request deletion of your account and all associated health data at any time by contacting us at privacy@syncsulin.com. We will confirm deletion within 30 days. Note: a self-service in-app deletion function is planned and will be added in a future update.
11. Security And Data Breach Notification
We implement technical and organisational security measures appropriate to the risk associated with the processing of health data. We maintain the following protections:
| Measure | Detail |
|---|---|
| Encryption in transit | TLS 1.3+ on all connections |
| Encryption at rest | AES-256, managed by Supabase |
| Authentication | bcrypt password hashing via Supabase Auth |
| Per-user data isolation | Row-Level Security (RLS) enforced at the database level. No user can access another’s data |
| Admin access | Multi-factor authentication required for all team members |
| Local storage | None. Health data is never persisted on your device. Only API tokens are stored, in the iOS Keychain. |
| Access controls | Principle of least privilege: team members only access what they need for their role |
All team members and contractors who access personal data are bound by confidentiality agreements. Please be aware that no method of data transmission or storage over the internet can be guaranteed to be 100% secure. If you believe your interaction with us may no longer be secure, please contact us immediately at privacy@syncsulin.com.
In the event of a personal data breach we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware, where feasible (GDPR Art. 33);
- Notify affected users without undue delay where the breach is likely to result in high risk to your rights (GDPR Art. 34);
- Notify California and Washington residents within 30 days of discovery;
- Inform you of the nature of the breach, the categories and approximate number of data records affected, likely consequences, and the measures we are taking or have taken.
12. Data Protection and Your Privacy Rights
12.1 General
Your health data is sensitive and personal, and we treat it as such. syncsulin processes your personal data as data controller within the meaning of GDPR Art. 4(7). We do not sell your personal data. We do not use it for advertising. We use it only to provide, maintain, and improve the syncsulin service.
12.2 For Users in the European Union and EEA
Your data is processed on the basis of your explicit consent pursuant to GDPR Art. 6(1)(a) and Art. 9(2)(a). You may withdraw your consent at any time without this affecting the lawfulness of processing prior to withdrawal.
Under the GDPR, you have the following rights, which you may exercise at any time by contacting us at privacy@syncsulin.com:
- Right of access (Art. 15 GDPR): to obtain confirmation of whether and what personal data we process about you.
- Right to rectification (Art. 16 GDPR): to correct inaccurate or incomplete data.
- Right to erasure / “right to be forgotten” (Art. 17 GDPR): to request deletion of your data.
- Right to restriction of processing (Art. 18 GDPR): to limit how we use your data in certain circumstances.
- Right to data portability (Art. 20 GDPR): to receive your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR): to object to processing based on our legitimate interests.
- Right to lodge a complaint with your national supervisory authority, in particular the supervisory authority in your EU country of residence.
You also have the right to complain to the supervisory authority in your country of residence. A list of EEA authorities can be found at edpb.europa.eu. We will respond to all GDPR requests within one month of receipt. Complex or numerous requests may be extended by a further two months, in which case we will inform you within the first month.
12.3 For Users in the United States
California residents (CCPA/CPRA): You have the right to know what personal information we collect and how it is used, the right to delete your personal information, the right to opt out of any sale or sharing of your information (note: we do not sell or share your data), the right to correct inaccurate information, the right to limit use of sensitive personal information, and the right not to be discriminated against for exercising these rights. To submit a request, contact us at privacy@syncsulin.com. We respond within 45 days, extendable by a further 45 days for complex requests. This service is free of charge.
In the last 12 months, we have shared the following categories of personal information with service providers for business purposes: identifiers (Category A), internet or network activity (Category F). We have not sold or shared any personal information.
Washington State residents (WPA): Washington residents have the right to access, correct, delete, and port their personal data, and to opt out of targeted advertising and automated profiling. We do not engage in either. To exercise these rights, contact privacy@syncsulin.com. We respond within 45 days (extendable by 45 days with notice).
Residents of other US states: Similar rights to access, delete, correct, and obtain a copy of your personal data apply. Please contact us at privacy@syncsulin.com.
We do not knowingly collect personal information from residents of the United States who are under the age of 18, consistent with COPPA and applicable state laws.
Do Not Track (DNT): Our website does not currently respond to Do Not Track browser signals. You can limit tracking through your device’s privacy settings.
California Shine the Light Law (Civil Code § 1798): We do not share personal data with third parties for their direct marketing purposes. If you have questions, contact us at privacy@syncsulin.com.
12.4 Data Security
We implement appropriate technical and organisational security measures to protect your personal data, including encryption of data in transit (TLS) and at rest (AES-256), access controls, and regular security reviews. Health data is not stored locally on your device; only API authentication tokens are stored using your device’s secure storage (iOS Keychain).
13. Children’s Privacy
syncsulin is not intended for children under 16 (EU/EEA/UK) or under 13 (United States) without verified parental or guardian consent. We do not knowingly collect personal data from children below these thresholds. If you believe a child has registered without appropriate consent, please contact us at privacy@syncsulin.com and we will delete the account promptly.
14. Cookies And Tracking On Our Website
Our website (syncsulin.com) uses cookies. Here’s what we use and why:
| Type | Purpose | Duration |
|---|---|---|
| Essential | Required for the site to work (navigation, session, consent memory) | Session to 1 year |
| Analytics (Aggregate) | Understand how visitors use the site at an aggregate level — no individual tracking | Up to 12 months |
| Preference | Remember your settings (language, cookie consent) | Up to 12 months |
We do not use advertising cookies or share website visitor data with ad networks. You can manage or withdraw cookie consent at any time through your browser settings or the cookie preference panel on the site.
15. Changes To This Policy
We may update this policy as syncsulin evolves. The “Last Updated” date at the top always reflects when it was last changed. For material changes, we’ll notify you by:
- Posting a prominent notice in the app before the change takes effect;
- Sending an email to your registered address (if you’ve opted in to communications);
- Updating the version number.
If we make material changes to how we process your health data, we will ask for fresh, explicit consent rather than relying on your continued use of the service.
The biggest update will come when we launch the production app in the coming months. We’ll reach out to all Beta testers individually at that point with a new policy and clear information about what changes.
16. Contact Us
Questions, requests, concerns: we’re always happy to hear from you!
| Email | privacy@syncsulin.com |
| Post | syncsulin GmbH, Speditionsstraße 15a, 40221 Düsseldorf, Germany |
| Website | www.syncsulin.com |
We will acknowledge your request within 5 business days and respond fully within the timeframes required by applicable law.
Appendix: Managing Your Privacy Settings
| Setting | Where to find it |
|---|---|
| Apple HealthKit access | iPhone Settings → Privacy & Security → Health → syncsulin |
| AI / ML training consent | syncsulin app → Settings → Privacy → AI Training |
| Analytics consent | syncsulin app → Settings → Privacy → Analytics |
| Beta program participation | Contact info@syncsulin.com or delete your account |
| Marketing emails / newsletter | Unsubscribe link in any email, or contact privacy@syncsulin.com |
| Cookie preferences (website) | Cookie preference panel on www.syncsulin.com or browser settings |
| Feature flags (Beta) | Managed by the syncsulin team via GrowthBook — contact us to query |
| Account deletion | Contact info@syncsulin.com. We confirm deletion within 30 days. In-app deletion coming in a future update. |