Cookie Policy

Introduction

This Cookie Policy explains how NIBARTECH LTD ("we," "us," or "our"), operating the Diabec brand at dia-bec.com, uses cookies and similar tracking technologies when you visit our website.

We use cookies to make our website work, to understand how you interact with it, and - where you give us permission - to show you relevant marketing. This policy gives you clear information about the cookies we use, why we use them, and how you can control them.

What Are Cookies

Cookies are small text files that are placed on your device (computer, tablet, or mobile phone) when you visit a website. They are widely used to make websites work efficiently, to remember your preferences, and to provide information to the website owner.

Cookies can be "first-party" (set by us) or "third-party" (set by services we use, such as Google Analytics). They can also be "session" cookies (deleted when you close your browser) or "persistent" cookies (remain on your device for a set period or until you delete them).

In addition to cookies, we may also use similar technologies such as pixels, web beacons, and local storage for similar purposes. When we refer to "cookies" in this policy, we include all such technologies.

How We Use Cookies

We use cookies for the following purposes:

• Essential website functionality - to enable core features like your shopping cart, secure checkout, session management, and account authentication. The website cannot function properly without these.
• Analytics and performance - to understand how visitors interact with our website, which pages are visited most, and where users encounter issues. This helps us improve the website experience for everyone.
• Marketing and advertising - to measure the effectiveness of our advertising campaigns and to deliver relevant content. These cookies help us understand which marketing channels bring visitors to our site.

Types of Cookies We Use

Essential Cookies Required

These cookies are strictly necessary for the website to function. They enable core features such as shopping cart functionality, secure checkout, and session management. These cookies do not collect personal data used for marketing and cannot be disabled without breaking the website.

Consent storage (localStorage, not a cookie): Diabec stores your consent choice in your browser's localStorage (not as a cookie), under the keys diabec_cookie_consent, diabec_cookie_consent_date, diabec_consent_analytics, diabec_consent_marketing and (when applicable) diabec_gpc_honored. These values persist until you clear browser storage or update your choice via the "Cookie Settings" link in the footer. We use localStorage rather than a cookie so we never set the consent record before you have made a choice.

Analytics Cookies Consent Required

These cookies help us understand how visitors use our website by collecting anonymised data about page visits, time spent on the site, and navigation paths. They are only set after you give your consent via the cookie banner. At the time of writing Diabec's Google Analytics 4 tag has not been configured for a public-facing release; the cookies listed below describe what GA4 sets once the measurement ID is wired. We update this section before any new tag is activated.

Legacy Universal Analytics cookies _gid and _gat were sunset by Google in July 2023 and are not used by Diabec.

Marketing Cookies Consent Required

These cookies are used to measure the effectiveness of our advertising campaigns and to understand how visitors arrive at our website. They are only set after you give your consent via the cookie banner, and only when the corresponding ad platform pixel has been configured for an active Diabec campaign. At the time of writing the Meta, Google Ads and TikTok pixels are present in the page code but inactive (their pixel IDs are placeholders). We update this section before activating any pixel for a public-facing campaign.

Your Cookie Choices

You have control over the cookies that are set on your device. Here are the ways you can manage your preferences:

Cookie Consent Banner

When you first visit our website, you will see a cookie consent banner that allows you to accept or reject non-essential cookies. You can choose to:

• Accept all cookies - enables essential, analytics, and marketing cookies
• Accept essential only - only essential cookies will be set; analytics and marketing cookies will be blocked
• Manage preferences - choose individually which categories of cookies to allow or block

Change Your Preferences

You can change your cookie preferences at any time by clicking the "Cookie Settings" link in the footer of any page on our website. This will reopen the consent panel so you can update your choices.

Browser Settings

Most web browsers allow you to control cookies through their settings. You can typically set your browser to block or delete cookies. Please note that blocking essential cookies may affect the functionality of our website, including your ability to add items to your cart or complete a purchase.

• Chrome - Settings > Privacy and Security > Cookies and other site data
• Firefox - Settings > Privacy & Security > Cookies and Site Data
• Safari - Preferences > Privacy > Manage Website Data
• Edge - Settings > Cookies and site permissions > Cookies and site data

Opt Out of Analytics

You can opt out of Google Analytics across all websites by installing the Google Analytics Opt-out Browser Add-on.

Global Privacy Control (GPC)

Diabec honours the Global Privacy Control (GPC) signal sent by your browser. When our consent banner detects a GPC signal on your first visit, we automatically set your consent to essential only — analytics and marketing cookies are blocked, and a flag (diabec_gpc_honored) is stored in your browser's localStorage to record that GPC was respected. This satisfies the "Do Not Sell or Share My Personal Information" opt-out under the California CPRA and equivalent state laws (Colorado CPA, Connecticut CTDPA, Texas TDPSA and others), and aligns with the ICO's 29 April 2026 cookie-consent guidance for UK visitors. You can still choose to opt back in to analytics or marketing at any time via the "Cookie Settings" link in the footer; doing so overrides the GPC default for your session.

Legal Basis for Cookies

Under the UK GDPR, the EU General Data Protection Regulation (GDPR), and the Privacy and Electronic Communications Regulations 2003 (PECR), we are required to obtain your consent before setting any cookies that are not strictly necessary for the operation of our website.

• Essential cookies - set under the "strictly necessary" exemption. No consent is required because the website cannot function without them.
• Analytics cookies - set only after you provide your consent via the cookie banner. Legal basis: consent (GDPR Art. 6(1)(a)).
• Marketing cookies - set only after you provide your consent via the cookie banner. Legal basis: consent (GDPR Art. 6(1)(a)).

You may withdraw your consent at any time by updating your cookie preferences through the "Cookie Settings" link in our website footer. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Third-Party Cookies

Some cookies on our website are set by third-party services that we use. These third parties have their own privacy and cookie policies, which govern how they handle the data collected through their cookies:

• Shopify - our e-commerce platform, which sets the essential cart, session and checkout cookies required for the store to function. Shopify Cookie Policy
• Google Analytics 4 - web analytics provided by Google LLC, used to understand aggregated website usage (consent-gated, not currently active). Google Business Privacy
• Meta Platforms (Facebook & Instagram) - advertising pixel used to measure ad-campaign effectiveness (consent-gated, not currently active). Meta Cookies Policy
• Google Ads - advertising platform used for conversion tracking (consent-gated, not currently active). Google Business Privacy
• TikTok Ads - advertising pixel used to measure TikTok ad-campaign effectiveness (consent-gated, not currently active). TikTok Cookies Policy
• Klaviyo - email-marketing platform used by our newsletter signup form. When you submit our newsletter form, your email address and consent timestamp are sent to Klaviyo via API. Klaviyo's own onsite tracking script is not loaded on the Diabec website, so Klaviyo cookies (such as __kla_id) are only set if you click through from a Klaviyo email. Klaviyo Cookie Policy
• Okendo - reviews and referrals platform used by our Refer-a-Friend programme. When you submit the referral form, your name, email and referral details are sent to Okendo via API. Okendo Privacy Policy
• LiveKit (voice agent) - WebRTC infrastructure used by our optional "Talk to Diabec" voice agent. LiveKit does not set persistent cookies in the browser; the SDK uses transient session data only for the duration of a call. LiveKit Privacy Notice

We do not control the cookies set by these third parties. Please refer to their respective policies for information on how they process data.

Data Collected Through Cookies

The data collected through cookies may include:

• Device information - browser type and version, operating system, screen resolution, and device type
• Usage data - pages visited, time spent on each page, navigation paths, and interactions with site elements
• Network information - IP address (anonymised where possible), approximate geographic location, and internet service provider
• Referral data - the website or advertisement that directed you to our site
• Shopping behaviour - items viewed, items added to cart, and purchase completion (for essential cookies only)

Analytics data is aggregated and anonymised where possible. We do not use cookies to collect sensitive personal information such as health data, financial account numbers, or government identifiers.

For full details on how we handle your personal data, please see our Privacy Policy.

Data Retention

Cookie data is retained for different periods depending on the type of cookie:

• Session cookies - deleted automatically when you close your browser
• Essential persistent cookies - retained for up to 1 year, as needed for website functionality
• Analytics data - GA4 event data is retained for up to 14 months (Google's default for new GA4 properties), after which it is automatically deleted in anonymised form. We do not configure the longer 50-month retention option
• Marketing cookies - retained for up to 2 years (Meta _fbc) or 13 months (TikTok _ttp), or until you clear your cookies or revoke consent in the cookie banner
• Consent preferences (localStorage) - your cookie consent choice persists in your browser's local storage until you clear browser storage or update your choice via the "Cookie Settings" link in the footer. We do not auto-expire the consent record; if you wish to be re-prompted, clear your browser's site data for dia-bec.com

Your Rights

Under UK GDPR and the EU GDPR, you have the following rights in relation to data collected through cookies:

• Right to withdraw consent - you can withdraw your consent to analytics and marketing cookies at any time via the "Cookie Settings" link in the footer
• Right to access - you can request information about the data we have collected about you through cookies
• Right to erasure - you can request deletion of data collected through cookies by contacting us
• Right to object - you can object to the processing of your data through non-essential cookies
• Right to complain - if you are not satisfied with how we handle cookies, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. EU residents may complain to their national supervisory authority (list at the European Data Protection Board)
• "Do Not Sell or Share My Personal Information" - California, Colorado, Connecticut, Texas and other US-state residents have the right to opt out of any sale or sharing of personal information collected through cookies. Diabec does not sell personal data, and we treat the GPC browser signal as a valid opt-out (see Section 5). For a manual opt-out, use the cookie banner to choose Essential only, or follow our Do Not Sell or Share instructions in the Privacy Policy

To exercise any of these rights, please contact us using the details in Section 14 below.

Changes to This Policy

We may update this Cookie Policy from time to time to reflect changes in the cookies we use, changes in technology, or changes in applicable law. When we make changes:

• The "Last updated" date at the top of this page will be revised
• If we introduce new categories of cookies, we will update the cookie consent banner and ask for your consent again
• Material changes will be communicated via a notice on our website

We encourage you to review this Cookie Policy periodically.

Recent changes

• 28 May 2026 - Added a Quick Answer summary, a Global Privacy Control (GPC) section, a Children's Cookies section (UK AADC), an International Transfers section and a Contact Us section. Replaced the obsolete cookie_consent cookie entry with the actual localStorage keys used by our banner. Removed retired Universal Analytics cookies (_gid, _gat). Added TikTok pixel cookies. Updated GA4 retention from 26 to 14 months. Added Klaviyo, Okendo and LiveKit as third-party processors. Updated meta tags to en_GB with split hreflang. Aligned with ICO 29 April 2026 cookie-consent guidance and the UK Data (Use and Access) Act 2025.
• 18 March 2026 - Initial publication of this Cookie Policy.

Children's Cookies and the UK Age Appropriate Design Code

Diabec is a food supplement intended for adults. We do not knowingly market our products to, or set non-essential cookies on devices belonging to, children under 18. Where Diabec content is reasonably likely to be accessed by users under 18 in the United Kingdom, we apply the standards set out in the ICO's Age Appropriate Design Code (AADC):

• Default to high privacy - if our banner detects a likely child user (for example via the GPC signal or a system-level "limit ad tracking" preference), we default to essential only
• No profiling without explicit choice - analytics and marketing pixels are never set on first visit; they require an affirmative click in the consent banner
• No nudging - both "Accept all" and "Essential only" are presented as equally prominent buttons in the banner
• Parental contact - if you believe your child has accepted non-essential cookies on our site, contact support@dia-bec.com and we will clear the associated identifiers and disable the consent flag

For US visitors, we do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA), and we extend the same protections to teens under 16 in California in line with the CPRA opt-in requirement for the sale of teen personal information.

International Transfers via Cookies

Many of the third-party cookies described in Section 4 are set by providers headquartered in the United States (Google, Meta, TikTok, Klaviyo, Okendo). When you give consent for those cookies to be set, the associated identifiers and event data are processed in the United States and in other regions where those providers operate.

For UK and EU/EEA visitors, we rely on the following safeguards for these transfers:

• UK transfers - the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, plus the UK extension to the EU-US Data Privacy Framework where the recipient is certified
• EU/EEA transfers - the EU Commission's Standard Contractual Clauses (SCCs), plus the EU-US Data Privacy Framework where the recipient is certified
• Risk assessment - we carry out a Transfer Risk Assessment (TRA) before activating any new third-party tag that would transfer personal data outside the UK / EEA

For the full list of overseas processors and the legal basis for each transfer, see our Privacy Policy.

Contact Us

If you have any questions about this Cookie Policy, want to exercise any of the rights described in Section 10, or want to report a concern, please contact us:

Data Protection Officer: NIBARTECH LTD has not appointed a statutory Data Protection Officer because we are not required to do so under UK GDPR Article 37 (we do not carry out large-scale processing of special-category data and we are not a public authority). All UK, EU, US and Singapore data-protection enquiries are handled by the contact point above; please mark the subject line "Data Protection".

UK and EU Article 27 representatives: as a controller established in the United Kingdom, the UK GDPR Article 27 requirement does not apply to us. We do not currently offer Diabec to EU/EEA residents and are therefore not subject to the EU GDPR Article 27 representative requirement. If we begin actively offering Diabec to EU/EEA residents, we will appoint an Article 27 representative and update this page before doing so.

Supervisory authorities: UK residents may complain to the Information Commissioner's Office (ICO). EU residents may complain to their national authority via the European Data Protection Board. California residents may contact the California Privacy Protection Agency or the California Attorney General.