Privacy Policy

What does this Privacy Policy cover?

NIBARTECH LTD ("we," "us," or "our") is the data controller responsible for your personal data under the UK GDPR (as supplemented by the Data Protection Act 2018 and the Data Use and Access Act 2025), the EU GDPR where applicable, and other data protection laws in the markets we serve. We are committed to protecting and respecting your privacy.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website dia-bec.com, purchase our products, or interact with us in any way.

We are registered in England & Wales (Company No. 15283998) and operate the Diabec brand of food supplements. By using our website or purchasing our products, you agree to the collection and use of information in accordance with this policy.

For data protection enquiries, contact our Data Protection Lead at support@dia-bec.com.

Information We Collect

We collect information that you provide directly to us, as well as information collected automatically when you use our website.

Information You Provide

• Name - your first and last name, as provided during checkout or account creation
• Email address - used for order confirmations, shipping updates, and marketing communications (with your consent)
• Phone number - for order-related communications and customer support
• Shipping address - to deliver your orders
• Payment information - processed securely by Shopify Payments; we do not store your full credit card details on our servers
• Communication preferences - your choices regarding marketing emails, WhatsApp messages, and other communications

Information Collected Automatically

• Browsing data - pages visited, time spent on pages, and navigation paths
• Device information - browser type, operating system, screen resolution, and device type
• IP address - used for fraud prevention and approximate geographic location
• Cookies and similar technologies - see Section 6 for details on our cookie practices
• Referral information - how you arrived at our website (search engine, social media, direct link)

How We Use Your Information

We use the information we collect for the following purposes:

• Order processing - to process and fulfil your orders, send order confirmations, and provide shipping updates
• Customer support - to respond to your enquiries, resolve issues, and provide assistance
• Marketing communications - with your explicit consent, to send you promotional emails, product updates, and special offers
• Product improvement - to analyse usage patterns and improve our website, products, and services
• Fraud prevention - to detect and prevent fraudulent transactions and protect our customers
• Legal compliance - to comply with applicable laws, regulations, and legal obligations

Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

• Consent - where you have given us clear consent to process your personal data for a specific purpose, such as marketing communications or WhatsApp messages
• Contract performance - where processing is necessary to fulfil a contract with you, such as processing your order and delivering your products
• Legitimate interests - where processing is necessary for our legitimate business interests, such as fraud prevention, website security, and improving our services, provided these interests do not override your fundamental rights
• Legal obligation - where processing is necessary to comply with a legal obligation, such as tax reporting or responding to lawful requests from authorities

UK Data (Use and Access) Act 2025 update: Section 80 of the DUAA introduced new Articles 22A-22D into the UK GDPR (in force from 5 February 2026), updating the rules on solely-automated decision-making with legal or similarly significant effects. Because diabetes-related data is special-category personal data, we continue to rely on your explicit consent under Article 9(2)(a) of the UK GDPR and offer a human-review path for any decision the Diabec AI Companion surfaces.

Data Sharing

We do not sell your personal data to third parties. We share your information only with trusted service providers who assist us in operating our business:

• Shopify - our e-commerce platform, which hosts our website and processes transactions. Shopify's privacy practices are governed by their own privacy policy.
• Payment processors - Shopify Payments and associated payment gateways process your payment information securely. We do not have access to your full card details.
• Shipping carriers - Royal Mail, USPS, Canada Post, Australia Post, and other carriers receive your shipping address to deliver your orders.
• Klaviyo - our email marketing platform, used to send marketing communications only with your consent. You can unsubscribe at any time.
• WhatsApp Business (via Eazybe) - used to send order updates and wellness tips only after you complete a two-step opt-in: you tick the WhatsApp box at registration, then reply to our welcome WhatsApp message to confirm. This double opt-in is required by WhatsApp Business Policy 2026 for marketing messages. You can opt out at any time by replying STOP. US numbers are excluded from WhatsApp marketing in line with Meta's current policy.
• Google Analytics - used to understand website traffic and usage patterns. Data is anonymised where possible.

All third-party service providers are contractually required to protect your data and use it only for the purposes we specify.

Cookies & Tracking

Our website uses cookies and similar tracking technologies to enhance your browsing experience. Cookies are small text files stored on your device.

Types of Cookies We Use

• Essential cookies - required for the website to function properly, including shopping cart functionality, secure checkout, and session management. These cannot be disabled.
• Analytics cookies - used via Google Analytics to understand how visitors interact with our website, helping us improve content and user experience. These cookies collect anonymised data.
• Marketing cookies - used to deliver relevant advertisements and track the effectiveness of our marketing campaigns. These are only set with your consent.

Managing Your Cookie Preferences

You can manage your cookie preferences through your browser settings. Please note that disabling essential cookies may affect the functionality of our website. Most browsers allow you to refuse or delete cookies; consult your browser's help documentation for instructions.

AI Disclosure

Diabec uses AI in several places: the in-app Companion assistant (powered by Anthropic Claude), AI-generated meal carb estimates, glucose-trend predictions, and the Diabec AI voice assistant that may call you about your order or for wellness check-ins (powered by NLPearl).

In line with EU AI Act Article 50 (effective 2 August 2026) and equivalent transparency rules in the markets we serve - including the California AI Transparency Act (SB 942, in force 1 January 2026), the Colorado AI Act (SB 24-205, in force 1 February 2026), the Utah Artificial Intelligence Policy Act (2024), and the Texas Responsible AI Governance Act (TRAIGA, in force 1 January 2026) - every Diabec AI interaction discloses that it is AI. The Companion identifies itself as AI when asked. Pearl voice calls open with "This is Diabec's AI assistant" within the first few seconds. AI-generated content in the app is labelled "AI".

AI outputs are informational only. They are not medical advice and must not be used to make insulin, medication, or treatment decisions without a licensed clinician. You can opt out of AI features at any time from your account settings, and you can request human review of any AI-derived decision by emailing support@dia-bec.com.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Under UK/EU GDPR

• Right of access - request a copy of the personal data we hold about you
• Right to rectification - request correction of inaccurate or incomplete data
• Right to erasure - request deletion of your personal data ("right to be forgotten")
• Right to data portability - receive your data in a structured, commonly used format
• Right to restrict processing - request that we limit how we use your data
• Right to withdraw consent - withdraw consent at any time for consent-based processing
• Right to object - object to processing based on legitimate interests
• Right to lodge a complaint - if you are not satisfied with how we handle your data, you have the right to lodge a complaint with a supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. For EU residents, contact your local Data Protection Authority.

Self-service account & data deletion: You can request erasure of your Diabec account and associated personal data at any time via our Account & Data Deletion page. Requests are processed within 30 days as required by GDPR Article 17. You may also email support@dia-bec.com to exercise any of the rights listed above.

Data protection contact (UK / EU): NIBARTECH LTD has not appointed a statutory Data Protection Officer because we are not required to do so under UK GDPR Article 37 (we do not carry out large-scale processing of special-category data and we are not a public authority). All UK and EU data-protection enquiries are handled by the same contact point as our Singapore PDPA contact (see Section 12C) at support@dia-bec.com; please mark the subject line "Data Protection".

Under CCPA/CPRA (California Residents)

In the past 12 months, we have collected the following categories of personal information as defined by the California Consumer Privacy Act:

We do not sell your personal data. We may share data with service providers for business purposes as described in Section 5. Under CPRA, sharing data with third parties for cross-context behavioural advertising may constitute "sharing." You have the right to opt out of this.

Sensitive Personal Information (CPRA §1798.121)

NIBARTECH LTD does not collect, use, or disclose sensitive personal information as defined under CPRA §1798.140(ae) for purposes that would trigger the right to limit use. We do not collect Social Security, driver's licence, financial-account, precise geolocation, racial or ethnic origin, religious beliefs, mail/email contents, genetic data, biometric identifiers used for unique identification, or health, sex-life, or sexual-orientation information. Because no such sensitive PI is processed for secondary purposes, the "Limit the Use of My Sensitive Personal Information" right does not apply to our processing, but you may always contact us at support@dia-bec.com if you believe we have nonetheless collected such data.

• Right to know - request details about the personal information we collect and how it is used
• Right to delete - request deletion of your personal information
• Right to correct - request correction of inaccurate information
• Right to opt out of sale/sharing - opt out of the sale or sharing of personal information for cross-context behavioural advertising
• Right to limit use of sensitive PI - limit how we use sensitive personal information
• Right to non-discrimination - you will not be discriminated against for exercising your rights

To exercise your California rights, contact us by two methods:

• Email: support@dia-bec.com (subject line: "CCPA Request")
• Phone: +1 312 471 1541 (US support line)

We will respond within 45 days. We will verify your identity before processing your request.

US State Privacy Rights (Other States)

If you reside in a US state with a comprehensive consumer-privacy law in effect - including but not limited to Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), Nebraska (NDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Tennessee (TIPA), Minnesota (MNCDPA), Maryland (MODPA), Indiana (INCDPA), and Rhode Island (RIDTPPA) - you have the following rights:

• Right to access - confirm whether we process your data and obtain a copy
• Right to correct - request correction of inaccurate data
• Right to delete - request deletion of your personal data
• Right to data portability - obtain your data in a portable format
• Right to opt out - opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects

Universal opt-out signals: We recognise Global Privacy Control (GPC) signals as valid opt-out requests for the sale and sharing of personal data and targeted advertising, as required by the Colorado, Connecticut, Oregon, and Montana privacy laws. When our website detects a GPC signal from your browser, we will automatically treat it as a valid opt-out request.

Appeal process: If we decline your privacy request, you may appeal by emailing support@dia-bec.com with "Privacy Appeal" in the subject line. We will respond within 60 days. If you are not satisfied with the outcome, you may contact your state's Attorney General.

To exercise any of the rights listed above, contact us at support@dia-bec.com or call +1 312 471 1541 (US) / +44 7537 162418 (UK). We will respond within 30 days (or as required by applicable law).

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy. The table below sets out our retention periods by data category. Where multiple periods could apply (for example, a marketing record attached to an order), the longest applicable period applies.

After the applicable period, we either delete the data or irreversibly anonymise it for statistical purposes only. Erasure requests are honoured on production systems within 30 days; the corresponding records cycle out of encrypted backups within the additional 90-day window above. Where law requires longer retention (for example, an active dispute or regulatory hold), we keep the data only for that legal purpose.

International Transfers

Your personal data may be processed and stored in countries outside your country of residence, including the United Kingdom, European Union, and United States. This is necessary because our service providers (such as Shopify, Klaviyo, and Google) operate globally.

When data is transferred outside the UK or EU, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs for transfers from the UK, or transfers to countries with an adequacy decision.

Named sub-processors and the countries to which your data may be transferred:

• Shopify Inc. (e-commerce platform & order processing) - Canada / United States. Safeguard: UK IDTA and EU SCCs.
• Klaviyo, Inc. (email marketing & CRM) - United States. Safeguard: EU-U.S. Data Privacy Framework certification and EU SCCs / UK IDTA.
• Meta Platforms, Inc. (Meta Pixel, when consented) - United States / Ireland. Safeguard: EU-U.S. Data Privacy Framework and EU SCCs / UK IDTA.
• TikTok Pte. Ltd. / TikTok Inc. (TikTok Pixel, when consented) - Singapore / United States. Safeguard: EU SCCs and UK IDTA.
• Google LLC (Google Analytics 4 & advertising, when consented) - United States. Safeguard: EU-U.S. Data Privacy Framework and EU SCCs / UK IDTA.
• Trustpilot A/S (review collection) - Denmark (EU). Safeguard: GDPR adequacy.
• Contract manufacturer (Diabec capsule production, WHO-GMP certified) - India. Safeguard: contractual confidentiality clauses and EU SCCs / UK IDTA where personal data is shared for fulfilment.

The list above is reviewed periodically; the current list is available on request via support@dia-bec.com.

Children's Privacy

Our website and products are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. In the United States, we comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal data from a child under 16 (or under 13 in the US), we will take steps to delete that information as soon as possible.

California minors (CCPA §1798.120(c)): for California residents under 13 we require verifiable parental consent before any collection, and we will not sell or share the personal information of a California resident aged 13 to 16 without that consumer's affirmative opt-in authorisation.

If you believe we have collected information from a child under the applicable age, please contact us immediately at support@dia-bec.com.

WhatsApp Communications

We offer optional communications via WhatsApp Business for order updates, wellness tips, and customer support. Key points about our WhatsApp communications:

• Explicit consent required - we will only send you WhatsApp messages if you have given us your explicit, opt-in consent. Consent timestamps (user identifier + ISO 8601 timestamp + consent text version) are retained as an audit record for 3 years from withdrawal.
• Easy opt-out - you can opt out of WhatsApp messages at any time by replying "STOP" to any message or contacting our support team
• Data handling - WhatsApp messages are processed through Meta's WhatsApp Business platform. Your phone number and message history are subject to WhatsApp's own privacy policy in addition to ours.
• Message types - we may send order confirmations, shipping updates, wellness content, and promotional offers via WhatsApp

Security Measures

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it:

• SSL encryption - all data transmitted between your browser and our website is encrypted using SSL/TLS technology
• Secure payment processing - payments are processed by PCI DSS-compliant payment processors; we never store your full card details
• Access controls - access to personal data is restricted to authorised personnel who need it to perform their duties
• Regular monitoring - we regularly monitor our systems for vulnerabilities and potential security incidents
• Secure infrastructure - our website is hosted on Shopify's secure, enterprise-grade infrastructure

While we strive to protect your personal data, no method of transmission over the internet is 100% secure. We encourage you to use strong passwords and keep your account credentials confidential.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority (the ICO for UK data, or the applicable EU Data Protection Authority) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
• Inform affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
• Notify affected US residents as required by the New York SHIELD Act and other applicable state breach notification laws, in the most expedient time possible
• Notify the Australian Information Commissioner (OAIC) and affected Australian individuals for eligible data breaches under the Notifiable Data Breaches scheme
• Notify the Singapore Personal Data Protection Commission (PDPC) for notifiable data breaches under the PDPA

Our breach notification will include: the nature of the breach, the likely consequences, the measures taken to address it, and contact details for further information.

EU/EEA Residents & Representatives

NIBARTECH LTD is established in the United Kingdom. We currently ship and offer Diabec only to consumers in the United Kingdom, United States, Canada, Australia, and Singapore (see our Shipping Policy). We do not actively offer goods or services to consumers resident in the European Union or European Economic Area and do not target marketing at EU/EEA residents.

Because we do not offer goods or services to EU/EEA residents and do not monitor the behaviour of EU/EEA residents in the Union, we are not subject to the Article 27 EU GDPR obligation to designate an EU representative. If at any time we begin actively offering Diabec to EU/EEA residents, we will appoint an Article 27 representative and publish their full name, EU postal address and contact email on this page before doing so.

If you are an EU or EEA resident who has nevertheless interacted with our website, you may still contact us at support@dia-bec.com regarding any personal data we may hold about you, and you retain the right to lodge a complaint with your national supervisory authority. A list of national authorities is available from the European Data Protection Board.

UK Representative (UK GDPR Article 27): as a controller established in the United Kingdom, the equivalent UK GDPR Article 27 requirement does not apply to us. UK residents may contact us directly using the details above, and may lodge complaints with the Information Commissioner's Office (ICO).

Australian Privacy Act & Australian Privacy Principles

If you are an Australian resident, we comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

• APP 1 - Open and transparent management - this Privacy Policy sets out how we manage your personal information
• APP 5 - Notification of collection - we collect your personal information for the purposes described in Section 3. We will notify you at or before the time of collection
• APP 6 - Use and disclosure - we only use or disclose personal information for the purpose for which it was collected, or a directly related purpose you would reasonably expect
• APP 7 - Direct marketing - we will only use your personal information for direct marketing with your consent. You can opt out at any time
• APP 8 - Cross-border disclosure - your personal data may be disclosed to recipients in the United Kingdom, United States, and Canada for order processing, email marketing (Klaviyo, US), website analytics (Google, US), and e-commerce hosting (Shopify, Canada)
• APP 12 - Access - you may request access to the personal information we hold about you
• APP 13 - Correction - you may request correction of inaccurate personal information

To exercise your rights under the Australian Privacy Act, or to lodge a privacy complaint, contact our Data Protection Lead at support@dia-bec.com. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Our marketing communications to Australian customers comply with the Spam Act 2003 (Cth). Every marketing message includes the sender's identity and a functional unsubscribe mechanism.

Privacy and Other Legislation Amendment Act 2024: Australian residents may also rely on the new statutory tort for serious invasions of privacy (in force from June 2025) and on the strengthened OAIC enforcement powers (including significantly increased civil penalties for interference with privacy). Where Diabec uses automated processing - including our AI Companion and AI-derived insights - we comply with the automated-decision-making transparency provisions of the amended Privacy Act as they take effect for Australian users, and you may request a human-review path by emailing support@dia-bec.com.

Singapore Personal Data Protection Act (PDPA)

If you are a Singapore resident, we comply with the Personal Data Protection Act 2012 (PDPA).

• Consent - we collect, use, and disclose your personal data only with your consent, or where permitted by law
• Purpose limitation - we collect personal data only for the purposes described in Section 3 of this policy, and will notify you of any new purposes before collecting additional data
• Access and correction - you may request access to your personal data and request corrections to any inaccurate information
• Withdrawal of consent - you may withdraw your consent for the collection, use, or disclosure of your personal data at any time by emailing support@dia-bec.com. Please note that withdrawal of consent for essential processing (e.g., order fulfilment) may result in our inability to complete your order or provide certain services
• Data Protection Officer - our designated Data Protection Officer for PDPA matters can be reached at support@dia-bec.com (please mark the subject line "Attn: DPO"). This is the same shared contact point used for UK and EU GDPR enquiries (see Section 7). Outside Singapore, NIBARTECH LTD is not required to appoint a statutory DPO under UK GDPR Article 37.
• Data breach notification - under the PDPA's mandatory data-breach notification regime (in force since 1 February 2021), we will notify the Personal Data Protection Commission (PDPC) within 3 calendar days of assessing that a data breach is notifiable, and we will notify affected Singapore individuals without undue delay where the breach is likely to cause significant harm.

Our marketing communications to Singapore customers comply with the Spam Control Act 2007. Every marketing message includes the sender's identity and a functional unsubscribe mechanism. We honour all Do Not Call (DNC) Registry opt-outs administered by the PDPC and process unsubscribe requests within 30 days. NIBARTECH LTD does not currently make outbound marketing phone calls or send marketing SMS to Singapore residents; if this changes, registered DNC numbers will be checked before any call or text is sent.

If you have concerns about our data practices, you may contact the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify you via email if the changes significantly affect how we use your personal data
• Post a prominent notice on our website

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.