Privacy Notice
Version v2026-05-06.3 · Last updated: 6 May 2026
Draft v0 — not legal advice; pending counsel review.
This document is being prepared during the closed beta. It will be
formally reviewed by a Belgian data-protection lawyer before public
launch. We publish it now so users can see what we do with their data.
1. Who we are
Glyca is operated by Satish Singh
(Antwerp, Belgium) acting as the data controller under
GDPR Article 4(7). For any data-protection question — exercising
your rights, withdrawing consent, reporting a concern — write to
satixbv@outlook.com.
2. What data we process
- Account data: email, display name, your local
timezone, the linking code we issue, and the Telegram chat ID
you bind once you run /start CODE.
- CGM credentials: the username and password of
your Dexcom Share or LibreLinkUp account. Passwords are encrypted
at rest in a managed secrets vault; only Glyca's poller can
decrypt them.
- Health data (Article 9 GDPR special category):
glucose readings polled every 5 minutes; meal logs (text and/or
Telegram photo file ID + your carb estimate); your insulin-to-carb
ratio table if you're a pen user; episodes of low/high glucose
derived from the readings.
- Communication data: messages you send the bot
(e.g. /feedback, /answer) and the bot's
responses; basic delivery metadata (timestamps, message IDs).
- Operational data: when each automated brief was
last sent to you, so we don't duplicate.
3. Why we process it (purposes & lawful basis)
- Health-data processing — generate your morning
and evening briefs, weekly endo report, meal-response back-fill,
and dose suggestions. Lawful basis: explicit consent under
Article 9(2)(a) GDPR. You can withdraw consent at any time
— see §6.
- Account operation — letting you sign in, link
Telegram, exercise your rights. Lawful basis: necessity for
performance of the agreement under Article 6(1)(b) GDPR.
- Service improvement — internal logs to fix bugs.
Lawful basis: legitimate interests under Article 6(1)(f).
4. Who we share it with (sub-processors)
We use a small number of third-party services to run Glyca. Each
processes data only on documented instructions from us, has a
Data Processing Agreement on file (or its terms apply), and was
selected with EU data-protection compliance in mind. The
categories of recipient are listed below; we
don't publish the specific vendor names here so as not to expose
our infrastructure choices, but we'll send you the named list on
request to satixbv@outlook.com.
- EU-based managed database & secrets vault
(Frankfurt) — stores your account, glucose readings, meal logs,
insulin profile; encrypts CGM passwords at rest.
- LLM provider (US, transfer under SCCs) —
composes the prose portions of briefs and reports from a
compact aggregated bundle. No raw time-series leaves the EU.
- Messaging platform — delivers our messages
to your Telegram chat. You sign in to this service yourself
with your own credentials.
- Application hosting (US, transfer under SCCs)
— runs the bot, the polling worker, and this website.
- DNS & CDN provider (US, transfer under SCCs)
— domain routing and static page hosting for the marketing
site.
- Your CGM provider (Dexcom or Abbott
FreeStyle Libre) — you authorise us to read your data via
your own existing account; we are not their controller.
5. How long we keep your data
- Glucose readings: kept for the lifetime of your
account so the weekly endo report has 14 days of history.
- Account, meal logs, insulin profile: kept until
you delete your account.
- CGM credentials: kept (encrypted) until you
delete your account or revoke them on the provider's side.
- After deletion: we erase your record within 30
days. Anonymised aggregates (no identifiers) may be retained
for service-improvement purposes.
6. Your rights (GDPR Articles 15–22)
You have the right to:
- Access a copy of your data (Article 15)
- Have inaccurate data corrected (Article 16)
- Have your data erased (Article 17 — “right to be forgotten”)
- Restrict processing (Article 18)
- Receive your data in a portable format (Article 20)
- Object to processing (Article 21)
- Withdraw consent at any time (Article 7(3)) — withdrawal does
not affect the lawfulness of processing that already happened
To exercise these rights, email
satixbv@outlook.com. Self-service
export and deletion endpoints are coming in Phase 1 — until then
we'll process your request within 30 days of receiving it.
You also have the right to lodge a complaint with the Belgian
data-protection authority (Gegevensbeschermingsautoriteit /
Autorité de protection des données):
www.dataprotectionauthority.be.
7. International data transfers
Some of our sub-processors (LLM provider, application hosting,
DNS & CDN provider) host infrastructure in the United
States. Where personal data is transferred outside the EU/EEA,
we rely on Standard Contractual Clauses (Commission Decision
2021/914) to provide GDPR-equivalent protection. The bulk of
your health data stays in the EU (Frankfurt). The LLM narration
step sends a compact, non-time-series evidence summary — no raw
glucose trace — across the SCC-protected channel.
8. Automated processing & AI disclosure
Glyca uses a Large Language Model (a generative-AI service
provided by a third party — full name available on request) to
compose the prose portions of the morning brief, evening
summary, and weekly endo report. The model receives a structured
summary of your data and produces narrative text. It is
automatically blocked from giving dosing advice or recommending
pump-setting changes by a banned-phrase filter.
No automated decisions are made that produce legal
effects on you within the meaning of GDPR Article 22 —
every output is presented as a discussion point for you and
your clinician.
9. Security
CGM passwords are encrypted at rest in a managed secrets vault.
Database row-level security restricts cross-user reads.
Service-role keys stay on the server; no client ever sees them.
Sub-processor connections are TLS-only.
10. Changes to this notice
If we materially change how we process your data, we will bump
this document's version, post the new text, and (where required)
ask you to re-consent before continuing.
See also: Terms of Service.