This Privacy Policy explains how DIA mobile application (“we” and/or “us”) collects, uses, and discloses personal data you provide while using our services. This Privacy Policy applies when we act as a Data Controller and/or Processor with respect to the personal data of our users, determining the purposes and means of processing personal data. 

This Privacy Policy applies solely to the personal data we collect from our users, and it does not apply to any other products or services provided by us or any other party.

We are committed to safeguarding the privacy of the service users and will never sell, share, or use personal data other than as described in this Privacy Policy.

1. Who are we?

Controller of your personal data used and created by the use of the DIA mobile application is 

Diatech LLC 

Str.Marshal Tito, 54/12-2

Tetovo, North Macedonia

Data Protection Officer

Mario Mijatovic

Email: mario@diahealth.co 

2. What do we guarantee?

We collect and process personal data following the principles laid down in the General Data Protection Regulation (GDPR), meaning we take care that personal data is:

• processed fairly and lawfully

• obtained only for specific, lawful purposes

• adequate, relevant and not excessive

• accurate and kept up to date

• not held for any longer than is necessary

• processed in accordance with the rights of the data subjects

• protected in appropriate ways

• not transferred to other countries, unless that country or territory also ensures an adequate level of protection

  
  

3. What data do we collect for our users?

We collect and process personal data you reveal to us as our users. Legal basis for processing your personal data for registration on DIA is your consent to sign up to DIA mobile application and maintenance and execution of the contract (Terms of Service) signed with us before the processing. Personal data we collect for registering you on the DIA mobile application is:

For signing up/creating an account on DIA, we collect the following categories of personal data:

• Email address

• Username 

• Password

Once you sign up, you will receive a verification code at the email address you have signed up with. The use of DIA will be enabled after you confirm your email address.

Your consent is the legal base for us holding the profile data on the DIA mobile application; adding, deleting or changing the profile data will not influence activities you perform on the DIA mobile application.

You will be asked to choose your subscription plan, and when you do so, we will keep the following personal data:

• Account details

• Date of subscription

Plan details (price and transaction)

To complete your profile on DIA and use the mobile application, we will ask you to fill out a questionnaire, and we will collect the following personal data:

• If you are a person with diabetes

• If you are a caregiver of a person with diabetes

• Diabetes type (type 1, type 2, during pregnancy, prediabetes, not sure)

• Date and country of birth

• Gender

• Hight and weight

• How do you treat your diabetes?

• Exercise type

• Medical history or other complications (optional question)

• How would you describe your lifestyle?

• What is your biggest challenge in managing diabetes? (optional question)

• What is your targeted goal?

• How many hours of sleep do you usually get? (optional question)

• How much water do you drink per day? (optional question)

Once you provide answers to the above questions, we will calculate your BMI (body mass index) and BMR (Basal Metabolic Rate) and give you a suggested plan. 

For personalized use of the DIA mobile application and all its features, you will have the opportunity to log daily activities, receive analyses, and suggestions. Your data will be collected in the following manners:

• Manual logging:

• Blood pressure

• Insulin

• Medication (the user can choose the medication from a pre-defined medication list, or can input their own medication that is not on the list.)

• Nutrition

  • Barcode scanning - the DIA mobile application may request access to your device camera solely for the purpose of scanning food product barcodes to retrieve nutritional information. The camera is not used to capture, store, or process images or video beyond the barcode scanning functionality.

Automatic and manual logging:

• Blood glucose - option to log manually or automatic data transfer from glucose meters/CGMs

• Exercise - option to log manually or automatic data transfer from smartwatches/health apps (Samsung Health, Apple Health)

Automatic:

• Sleep - automatic data transfer from smartwatches/health apps (Samsung Health, Apple Health)

To keep you up to date with new or improved features, updates of the application, or the expiration of your subscription plan, it is in our mutual legitimate interest to contact you via email. 

4. Connection with the DIA web platform

We have developed a DIA web platform for connecting the mobile application users with healthcare providers. From the web platform, your healthcare providers will send an email invitation to you. You need to have an account in the DIA mobile application. From there, you can choose whether you want to accept or decline to share your data and what type of data. If you accept, the healthcare provider has access to your data in the DIA Web Platform Dashboard.

5. How do we store your data?

Your data will be collected, stored, and processed on an Amazon web server, and we take appropriate technical measures to protect this data. 

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to find out more about how the processing for the new purpose is compatible with the original purpose, please email us. If we need to use your personal data for a purpose unrelated to the purpose for which we collected the data, we will notify you and we will explain the legal ground of processing.

We may be legally obliged to disclose your personal information without your knowledge to the extent that we are required to do so by law; in connection with any ongoing or prospective legal proceedings; to establish, exercise or defend our legal rights (including providing information to others for fraud prevention and reducing credit risk); to any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information. 

6. For how long do we keep your data?

We retain your personal information only for such period as is appropriate for its intended and lawful use, in this case, we shall retain the data in accordance with our contractual commitment unless otherwise required to do so by law. Personal information that is no longer required will be disposed of in ways that ensure their confidential nature is not compromised. All our electronic systems are backed up and archived. These archives are retained for a defined period of time in a strictly controlled environment. Once expired, the data is deleted and the physical media destroyed to ensure the data is erased.

• Profile data is kept as long as you are an active user of the DIA mobile application.

• In the Food page, we have insights about macronutrient quality, key takeaways, and suggestions for Today, Last 7 days, Last 14 days, and last 30 days. We keep this data in our database for 6 months and permanently delete it after the expiry of those 6 months.

• In the Health page, we have a metabolic health daily summary based on user habit scores (glucose, exercise, nutrition, sleep) for Today, Last 7 days, last 14 days, and last 30 days. We keep this data in our database for 6 months and permanently delete it after the expiry of those 6 months.

• In each of the habit pages (glucose, exercise, nutrition, and sleep) we have AI insights, today, last 7 days, last 14 days, and last 30 days. We keep this data in our database for 6 months and permanently delete it after the expiry of those 6 months.

• If you are no longer an active user but you have not requested deletion, we will delete all your data, including profile data within 1 year of the last activity. 

  
  

7. What security measures do we undertake?

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know such data. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We maintain a Personal Data Breach Register and, based on severity, we will inform the regulator within 72 hours of identifying the breach. We undertake the following steps in dealing with a data breach: informing the Data Protection Officer, assessing the scope and impact of the personal data breach, notifying the relevant parties, taking measures to reduce the risk, conducting a review of existing measures in place, and exploring how these measures can be strengthened to prevent a similar breach from recurring. 

The DIA mobile application may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

8. Third Parties

We may have to share your personal data with the parties set out below for the purposes described in this document:

• Service providers who provide IT and system administration services

• Third parties, including equipment providers, and other third parties as required to run our business

• Professional advisers, including lawyers, bankers, auditors, and insurers who provide consultancy, credit scoring, banking, legal, fraud protection, insurance, and accounting services.

• regulators and other authorities of relevant jurisdictions who require reporting of processing activities in certain circumstances.

We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.
 

9. Cookies

A cookie is a small file that asks permission to be placed on your computer’s hard drive. Once you agree, the file is added, and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. We use traffic log cookies to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

10. What rights do you have?

    
    

Right to information

You can at any time request to be furtherly informed about what personal data is being processed and the rationale for such processing.
 

Right to access

You can request the DIA mobile application to provide you with access to your personal data that is being processed. This request provides you to see or view their own personal data, as well as to request copies of the personal data.

Right to rectification

You can ask for an update of your personal data in case you believe that your personal data is not up to date or accurate.

Right to withdraw consent

You have the right to withdraw a previously given consent for the processing of your personal data for a specific purpose. The request requires the DIA mobile application to stop the processing of the personal data that was based on the consent provided earlier. The data subject can withdraw the consent in the same manner that was given or by filling and submitting a request form at contact@diahealth.co  

Right to object

You have the right to object to the processing of your personal data at any time. This effectively means that you can stop or prevent us from using your data. 

Right to object to automated processing

We do not undertake activities that imply automated personal data processing. If a need for this type of processing appears in the future, we will provide you with the ability to object to a decision based on automated processing. 

Right to be forgotten

Also known as the right to erasure, provides you with the ability to ask for the deletion of your data. We respect your right, but also note that this is not an absolute right, and depends on the legal basis of the processing and retention period in line with other applicable laws.

Right for data portability

We provide you with the ability to ask for the transfer of your personal data. As part of such a request, you may ask for your personal data to be provided back to you or transferred to another controller. When doing so, the personal data must be provided or transferred in a machine-readable electronic format.

Access to your personal data or to exercise any of the other rights is free of charge. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any of your rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. 

11. Our use of AI

We use an AI model to enhance user experience, improve service efficiency, and provide personalized recommendations.

• Recommendations (e.g., content or product suggestions).

• Matching services (e.g., job applications or service compatibility).

We are using system prompts and user prompts. The user prompts are the data that we have from the user - we insert this data, and it's only the data from the questionnaire and their previous 24-hour data. From this data, we create system prompts in order to have valuable output from the AI model. 

The system prompt is a predefined prompt that is friendly, suggestive, encouraging and its purpose is to find correlations between the user's habits and their glucose levels (ex., Glucose x Sleep, Glucose x Nutrition, Glucose x Exercise etc). The system prompt will serve the user as an ai metabolic health assistant and to give outputs based on the user prompt data.

Also, when the user logs food, he can use AI to describe his food, and after the log, there will be an AI insight about his meal, giving him a food quality score about macronutrients and ingredients. Insights on what is good about this meal, suggestions on what he needs to add/remove from the meal to improve the meal.  

We recognize the importance of transparency and control when it comes to automated decision-making and profiling. You have the following rights:

• Request Human Intervention: If you believe that an automated decision has been made incorrectly or unfairly, you can request that a human reviews the decision.

• Challenge Decisions: You have the right to challenge any automated decisions that you believe are inaccurate, unfair, or discriminatory.

To exercise any of these rights, please contact us at contact@diahealth.co .We will respond to your request within a reasonable timeframe and in accordance with applicable laws.

We implement robust safeguards to ensure that AI model works fairly, transparently, and without bias. Our AI model is regularly audited and tested to maintain high standards of accuracy and fairness. We are committed to providing clear explanations of how our automated decision-making processes work and the criteria used.

12. Training and Optimization of AI Systems 

We are committed to transparency regarding the methods and data involved in training our AI systems. This section outlines how we handle this process:

Methods of Training

Our AI systems are trained using data to improve their accuracy, performance, and functionality. This may involve supervised learning, unsupervised learning, reinforcement learning, or other machine learning techniques, depending on the nature of the AI system.

Data Collected and Processed

The data used to train our AI systems may include information collected directly from you, data provided by third-party sources, and publicly available datasets.

If personal data is used for training purposes, we ensure compliance with applicable data protection laws, including obtaining necessary consents where required.

Special Categories of Personal Data

In cases where special categories of personal data are used to train our AI systems, we do so only under strict conditions and in compliance with applicable laws. This includes:

• Obtaining explicit consent from individuals where required.

• Ensuring the data is processed securely and for clearly defined, lawful purposes.

• Applying robust safeguards, such as encryption, anonymization, or pseudonymization, to protect the data.

Sources of Training Data

• Training data may originate from various sources, including:

  • Data voluntarily provided by users during interactions with our systems or services.

  • Datasets obtained from trusted third-party providers.

  • Publicly available information collected in accordance with applicable laws.

• When third-party or publicly available data is used, we take reasonable steps to verify the data’s reliability and ensure compliance with relevant legal and ethical standards.

Data Minimization and Safeguards

We apply data minimization principles, ensuring that only the necessary amount of data is processed to achieve the intended purpose. Additionally, technical and organizational measures are implemented to protect the data used for training, including encryption, access controls, and anonymization or pseudonymization where feasible.

Changes to Privacy Policy

We reserve the right to modify this Privacy Policy at any time, so please review it frequently. If we decide to change our Privacy Policy, we will post those changes to this privacy statement, which can be found on our websites’ homepages.

Point of contact

Data Protection Officer

Email: contact@diahealth.co