Section 1
Introduction
NIBARTECH LTD ("we," "us," or "our") is the data controller responsible for your personal data under the UK GDPR, EU GDPR, and applicable data protection laws worldwide. We are committed to protecting and respecting your privacy.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website dia-bec.com, purchase our products, or interact with us in any way.
We are registered in England & Wales (Company No. 15283998) and operate the Diabec brand of food supplements. By using our website or purchasing our products, you agree to the collection and use of information in accordance with this policy.
For data protection enquiries, contact our Data Protection Lead at support@dia-bec.com.
Section 2
Information We Collect
We collect information that you provide directly to us, as well as information collected automatically when you use our website.
Information You Provide
- Name - your first and last name, as provided during checkout or account creation
- Email address - used for order confirmations, shipping updates, and marketing communications (with your consent)
- Phone number - for order-related communications and customer support
- Shipping address - to deliver your orders
- Payment information - processed securely by Shopify Payments; we do not store your full credit card details on our servers
- Communication preferences - your choices regarding marketing emails, WhatsApp messages, and other communications
Information Collected Automatically
- Browsing data - pages visited, time spent on pages, and navigation paths
- Device information - browser type, operating system, screen resolution, and device type
- IP address - used for fraud prevention and approximate geographic location
- Cookies and similar technologies - see Section 6 for details on our cookie practices
- Referral information - how you arrived at our website (search engine, social media, direct link)
Section 3
How We Use Your Information
We use the information we collect for the following purposes:
- Order processing - to process and fulfil your orders, send order confirmations, and provide shipping updates
- Customer support - to respond to your enquiries, resolve issues, and provide assistance
- Marketing communications - with your explicit consent, to send you promotional emails, product updates, and special offers
- Product improvement - to analyse usage patterns and improve our website, products, and services
- Fraud prevention - to detect and prevent fraudulent transactions and protect our customers
- Legal compliance - to comply with applicable laws, regulations, and legal obligations
Section 4
Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:
- Consent - where you have given us clear consent to process your personal data for a specific purpose, such as marketing communications or WhatsApp messages
- Contract performance - where processing is necessary to fulfil a contract with you, such as processing your order and delivering your products
- Legitimate interests - where processing is necessary for our legitimate business interests, such as fraud prevention, website security, and improving our services, provided these interests do not override your fundamental rights
- Legal obligation - where processing is necessary to comply with a legal obligation, such as tax reporting or responding to lawful requests from authorities
Section 5
Data Sharing
We do not sell your personal data to third parties. We share your information only with trusted service providers who assist us in operating our business:
- Shopify - our e-commerce platform, which hosts our website and processes transactions. Shopify's privacy practices are governed by their own privacy policy.
- Payment processors - Shopify Payments and associated payment gateways process your payment information securely. We do not have access to your full card details.
- Shipping carriers - Royal Mail, USPS, Canada Post, Australia Post, and other carriers receive your shipping address to deliver your orders.
- Klaviyo - our email marketing platform, used to send marketing communications only with your consent. You can unsubscribe at any time.
- WhatsApp Business - used to send order updates and wellness tips only with your explicit consent. You can opt out at any time.
- Google Analytics - used to understand website traffic and usage patterns. Data is anonymised where possible.
All third-party service providers are contractually required to protect your data and use it only for the purposes we specify.
Section 6
Cookies & Tracking
Our website uses cookies and similar tracking technologies to enhance your browsing experience. Cookies are small text files stored on your device.
Types of Cookies We Use
- Essential cookies - required for the website to function properly, including shopping cart functionality, secure checkout, and session management. These cannot be disabled.
- Analytics cookies - used via Google Analytics to understand how visitors interact with our website, helping us improve content and user experience. These cookies collect anonymised data.
- Marketing cookies - used to deliver relevant advertisements and track the effectiveness of our marketing campaigns. These are only set with your consent.
Managing Your Cookie Preferences
You can manage your cookie preferences through your browser settings. Please note that disabling essential cookies may affect the functionality of our website. Most browsers allow you to refuse or delete cookies; consult your browser's help documentation for instructions.
Section 7
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
Under UK/EU GDPR
- Right of access - request a copy of the personal data we hold about you
- Right to rectification - request correction of inaccurate or incomplete data
- Right to erasure - request deletion of your personal data ("right to be forgotten")
- Right to data portability - receive your data in a structured, commonly used format
- Right to restrict processing - request that we limit how we use your data
- Right to withdraw consent - withdraw consent at any time for consent-based processing
- Right to object - object to processing based on legitimate interests
- Right to lodge a complaint - if you are not satisfied with how we handle your data, you have the right to lodge a complaint with a supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. For EU residents, contact your local Data Protection Authority.
Under CCPA/CPRA (California Residents)
In the past 12 months, we have collected the following categories of personal information as defined by the California Consumer Privacy Act:
| Category | Examples | Shared With |
|---|---|---|
| A. Identifiers | Name, email, phone, IP address | Shopify, Klaviyo, shipping carriers |
| B. Commercial Information | Order history, products purchased | Shopify, Klaviyo |
| F. Internet Activity | Browsing history, pages viewed, referral source | Google Analytics |
| G. Geolocation | Approximate location from IP address | Google Analytics, Shopify |
We do not sell your personal data. We may share data with service providers for business purposes as described in Section 5. Under CPRA, sharing data with third parties for cross-context behavioural advertising may constitute "sharing." You have the right to opt out of this.
- Right to know - request details about the personal information we collect and how it is used
- Right to delete - request deletion of your personal information
- Right to correct - request correction of inaccurate information
- Right to opt out of sale/sharing - opt out of the sale or sharing of personal information for cross-context behavioural advertising
- Right to limit use of sensitive PI - limit how we use sensitive personal information
- Right to non-discrimination - you will not be discriminated against for exercising your rights
To exercise your California rights, contact us by two methods:
We will respond within 45 days. We will verify your identity before processing your request.
US State Privacy Rights (Virginia, Colorado, Connecticut, Texas, Oregon, Montana)
If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), or Montana (MCDPA), you have the following rights:
- Right to access - confirm whether we process your data and obtain a copy
- Right to correct - request correction of inaccurate data
- Right to delete - request deletion of your personal data
- Right to data portability - obtain your data in a portable format
- Right to opt out - opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects
Universal opt-out signals: We recognise Global Privacy Control (GPC) signals as valid opt-out requests for the sale and sharing of personal data and targeted advertising, as required by the Colorado, Connecticut, Oregon, and Montana privacy laws. When our website detects a GPC signal from your browser, we will automatically treat it as a valid opt-out request.
Appeal process: If we decline your privacy request, you may appeal by emailing support@dia-bec.com with "Privacy Appeal" in the subject line. We will respond within 60 days. If you are not satisfied with the outcome, you may contact your state's Attorney General.
To exercise any of the rights listed above, contact us at support@dia-bec.com or call +1 312 471 1541 (US) / +44 7537 162418 (UK). We will respond within 30 days (or as required by applicable law).
Section 8
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy:
- Order data - retained for a minimum of 6 years after purchase to comply with tax, accounting, and legal obligations
- Marketing data - retained until you opt out or withdraw consent. Upon opting out, your email address is added to our suppression list to ensure you do not receive further marketing communications.
- Website analytics data - retained in anonymised form for up to 26 months
- Customer support records - retained for up to 3 years to help us provide consistent support
Section 9
International Transfers
Your personal data may be processed and stored in countries outside your country of residence, including the United Kingdom, European Union, and United States. This is necessary because our service providers (such as Shopify, Klaviyo, and Google) operate globally.
When data is transferred outside the UK or EU, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs for transfers from the UK, or transfers to countries with an adequacy decision.
Section 10
Children's Privacy
Our website and products are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. In the United States, we comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal data from a child under 16 (or under 13 in the US), we will take steps to delete that information as soon as possible.
If you believe we have collected information from a child under the applicable age, please contact us immediately at support@dia-bec.com.
Section 11
WhatsApp Communications
We offer optional communications via WhatsApp Business for order updates, wellness tips, and customer support. Key points about our WhatsApp communications:
- Explicit consent required - we will only send you WhatsApp messages if you have given us your explicit, opt-in consent
- Easy opt-out - you can opt out of WhatsApp messages at any time by replying "STOP" to any message or contacting our support team
- Data handling - WhatsApp messages are processed through Meta's WhatsApp Business platform. Your phone number and message history are subject to WhatsApp's own privacy policy in addition to ours.
- Message types - we may send order confirmations, shipping updates, wellness content, and promotional offers via WhatsApp
Section 12
Security Measures
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it:
- SSL encryption - all data transmitted between your browser and our website is encrypted using SSL/TLS technology
- Secure payment processing - payments are processed by PCI DSS-compliant payment processors; we never store your full card details
- Access controls - access to personal data is restricted to authorised personnel who need it to perform their duties
- Regular monitoring - we regularly monitor our systems for vulnerabilities and potential security incidents
- Secure infrastructure - our website is hosted on Shopify's secure, enterprise-grade infrastructure
While we strive to protect your personal data, no method of transmission over the internet is 100% secure. We encourage you to use strong passwords and keep your account credentials confidential.
Section 12A
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority (the ICO for UK data, or the applicable EU Data Protection Authority) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Inform affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
- Notify affected US residents as required by the New York SHIELD Act and other applicable state breach notification laws, in the most expedient time possible
- Notify the Australian Information Commissioner (OAIC) and affected Australian individuals for eligible data breaches under the Notifiable Data Breaches scheme
- Notify the Singapore Personal Data Protection Commission (PDPC) for notifiable data breaches under the PDPA
Our breach notification will include: the nature of the breach, the likely consequences, the measures taken to address it, and contact details for further information.
Section 12B
Australian Privacy Act & Australian Privacy Principles
If you are an Australian resident, we comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
- APP 1 - Open and transparent management - this Privacy Policy sets out how we manage your personal information
- APP 5 - Notification of collection - we collect your personal information for the purposes described in Section 3. We will notify you at or before the time of collection
- APP 6 - Use and disclosure - we only use or disclose personal information for the purpose for which it was collected, or a directly related purpose you would reasonably expect
- APP 7 - Direct marketing - we will only use your personal information for direct marketing with your consent. You can opt out at any time
- APP 8 - Cross-border disclosure - your personal data may be disclosed to recipients in the United Kingdom, United States, and Canada for order processing, email marketing (Klaviyo, US), website analytics (Google, US), and e-commerce hosting (Shopify, Canada)
- APP 12 - Access - you may request access to the personal information we hold about you
- APP 13 - Correction - you may request correction of inaccurate personal information
To exercise your rights under the Australian Privacy Act, or to lodge a privacy complaint, contact our Data Protection Lead at support@dia-bec.com. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Our marketing communications to Australian customers comply with the Spam Act 2003 (Cth). Every marketing message includes the sender's identity and a functional unsubscribe mechanism.
Section 12C
Singapore Personal Data Protection Act (PDPA)
If you are a Singapore resident, we comply with the Personal Data Protection Act 2012 (PDPA).
- Consent - we collect, use, and disclose your personal data only with your consent, or where permitted by law
- Purpose limitation - we collect personal data only for the purposes described in Section 3 of this policy, and will notify you of any new purposes before collecting additional data
- Access and correction - you may request access to your personal data and request corrections to any inaccurate information
- Withdrawal of consent - you may withdraw your consent for the collection, use, or disclosure of your personal data at any time by emailing support@dia-bec.com. Please note that withdrawal of consent for essential processing (e.g., order fulfilment) may result in our inability to complete your order or provide certain services
- Data Protection Officer - our designated Data Protection Officer can be reached at support@dia-bec.com (marked "Attn: DPO")
Our marketing communications to Singapore customers comply with the Spam Control Act 2007. Every marketing message includes the sender's identity and a functional unsubscribe mechanism.
If you have concerns about our data practices, you may contact the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
Section 13
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email if the changes significantly affect how we use your personal data
- Post a prominent notice on our website
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.