1. Introduction

Welcome to Sugar.no by Intendum, LTD. This Privacy Policy explains how we collect, use, and protect your personal and health data when you use our Service. By accessing or using the Service, you agree to the collection and use of your data as described in this policy.

2. Scope of this Privacy Policy

This Privacy Policy applies to the mobile application ("App"), our websites (including but not limited to sugar.no, our blog, social media and all related services, features, and content (collectively, the “Services”). This policy explains how we collect, use, and protect your personal data, as well as the rights you have concerning the information we hold about you.

3. Information We Collect

• Personal Information: Name, email, and payment details.
• Health Data: Data from CGM (Dexcom) integrations and Apple Health (e.g., glucose levels).
• Usage Data: IP addresses, browsing activity, and interactions with our platform.
• Camera/Photo Access: If you choose to upload photos or videos, we may request permission to access your camera or device’s photo library. You can manage this permission through your device settings.

4. User Consent for Health Data

By using our Service, you explicitly consent to the collection and processing of your health data (e.g., glucose data from CGM devices) when the device is connected, which is necessary for the provision of our services. You can withdraw your consent at any time via app settings.

5. Use of Your Information

We use your data to:

• Provide, personalize, and improve the Service.
• Communicate updates and promotions.
• Analyze user activity and troubleshoot issues.

6. Aggregated Data

We may aggregate, anonymize, or de-identify your personal data for analysis and research purposes. This information is shared with trusted third parties or used for statistical purposes, without identifying individual users.

7. Cookies and Tracking Technologies

We use cookies to enhance your experience and analyze usage. You can manage your cookie settings through your browser.

8. Children’s Privacy

Our Services are not intended for or directed at individuals under the age of 16. We do not knowingly collect or solicit personal information from anyone under 16. If you are under 16, please do not use the Services or provide any personal information. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such information. If you believe we might have any data from or about a child under 16, please contact us at [email protected].

9. Data Retention

We retain your data only as long as necessary to fulfill the purposes outlined in this policy or as required by law.

10. Data Sharing

We do not sell your personal data. However, we may share your data with trusted third-party service providers, vendors, and partners to operate, maintain, and improve our Services. These include cloud storage providers, customer support tools, analytics platforms, payment processors, and AI service providers. All third parties are required to handle your data securely and in accordance with applicable data protection laws.

Where data is shared with third-party services for AI or analytics purposes, such as Google Cloud, the data is used solely to power app features and is not used to train or improve external models

We may share your data in the following cases:

• With service providers (e.g., payment processors)
• To comply with legal obligations.
• In the event of a business transfer (e.g., acquisition or merger).

11. Data Deletion Request

You may request the deletion of your personal and health data. If you wish to delete your data, please contact us at [email protected]. Upon receiving your request, we will take appropriate action to remove your data from our systems, subject to legal retention requirements.

12. Security of Your Information

We use industry-standard security measures to protect your data, but no method is entirely secure.

13. Third-Party Services

Sugar.no may integrate third-party services, such as payment providers and analytics tools. Their privacy policies govern your interactions with them. We may share anonymous data with third-party analytics providers, such as Google Analytics, for the purpose of improving our services. These third parties are prohibited from using this data for any purpose other than analyzing platform activity. You can opt-out of certain analytics by adjusting your browser settings or using opt-out tools provided by the analytics provider.

14. International Data Transfers

Please note that your personal data may be transferred to and stored on servers located in countries outside your jurisdiction, including outside the EU or California. These countries may have different data protection laws than your own country. By continuing to use our services, you consent to the transfer of your data across borders.

We ensure that any international transfers of personal data are conducted in compliance with applicable data protection laws, including the use of appropriate safeguards such as standard contractual clauses or other legal mechanisms.

15. Your Data Protection Rights

Depending on your location, you may have rights to:

• Access, correct, or delete your data.
• Object to or restrict certain processing.
• Withdraw consent for data collection.

GDPR (General Data Protection Regulation) Compliance:

• GDPR Rights: If you are located in the European Economic Area (EEA), you have specific rights under the GDPR, including the right to access, correct, delete, or restrict the processing of your personal data. You also have the right to data portability and to withdraw consent for processing at any time.
• Data Protection Officer: For users in the EEA, our Data Protection Officer can be contacted at [email protected].
• International Data Transfers: We transfer your data to servers in the United States. If you are located in the EEA, by using the Service, you consent to this transfer.

CCPA (California Consumer Privacy Act) Compliance:

• CCPA Rights: California residents have specific rights regarding their personal data, including the right to know what personal data is being collected, the right to delete personal data, and the right to opt-out of the sale of personal data. To exercise these rights, please contact us at [email protected].
• Do Not Sell My Personal Information: Sugar.no does not sell your personal information to third parties.

16. HIPAA Compliance (Health Data)

Health Data: Sugar.no by Intendum LTD does not qualify as a covered entity under HIPAA, as we are not a healthcare provider, insurer, or healthcare clearinghouse. However, we are committed to safeguarding your health-related data and take appropriate steps to ensure your privacy and security. We handle health data, such as glucose levels, under the applicable privacy and data protection laws.

17. Legal Basis for Data Processing

We process data based on:

• Your consent.
• The need to fulfill a contract (e.g., refund processing).
• Legitimate business interests (e.g., improving the Service).
• Compliance with legal obligations.

18. Updates to Privacy Policy

We may revise this Privacy Policy, with updates posted and the effective date revised accordingly. Continued use of the Service after changes signifies your acceptance of those updates.

19. Consent for Data Collection

By using the Service, you consent to the collection and use of your data as outlined in this policy.

20. Notification of Data Breaches

In the event of a data breach affecting your personal or health data, we will notify you in accordance with applicable laws, including within 72 hours under GDPR if necessary.

21. Security and Compliance

All user data is protected in accordance with current information security standards.

22. Security Measures

We implement industry-standard security measures to protect your personal and health data. These include encryption of sensitive information (both in transit and at rest), role-based access controls, and regular security audits and monitoring. Our infrastructure is hosted on secure cloud environments that follow modern security frameworks. While we strive to maintain a high level of security, no method of electronic transmission or storage is entirely secure. Any transmission of data is at your own risk.

23. Marketing Communications

We may send promotional emails about new features and updates. You can opt out via the unsubscribe link in emails.

24. Data Accuracy

You are responsible for ensuring your personal information is accurate and up to date. Notify us of any changes.

25. Your Choices Regarding Your Data

You can:

• Opt out of marketing communications.
• Update or request deletion of your personal data.

26. Data Subject Requests

To exercise your rights, contact us at [email protected].

27. Transfer of Data in Case of Business Changes

In case of a merger, acquisition, or sale, your data may be transferred as part of the transaction.

28. User Responsibility

You are responsible for maintaining the confidentiality of your account credentials and notifying us of unauthorized access.

29. Notifications of Changes

We may update this Privacy Policy from time to time. When significant changes are made, you will be notified through the app or via email. By continuing to use the Service after such notifications, you consent to the updated Privacy Policy.

30. Jurisdiction and Governing Law

This Privacy Policy is governed by the laws of Cyprus. Any disputes will be resolved under these laws.

31. Contact Us

For questions or concerns, contact us at:

INTENDUM LTD
Vasili Michailidi 9
3026 Limassol
Cyprus
Tel: +357 25262283
[email protected]

32. Complaints

If you believe your privacy rights have been violated, you can file a complaint with your local data protection authority or contact us directly.