Skip to content
Dulce
FeaturesBetaAboutContact
Join the waitlist

Legal

Privacy Policy

Last updated: 2026-05-19

This Privacy Policy explains what personal data Dulce collects, how we use it, and the rights you have over it. It applies to both this website (dulceglucosa.com) and the Dulce mobile application.

1. Data controller

The data controller is Giorgio Khimshiashvili, operating as a sole trader, based in Spain. You can contact us about anything related to your data at hola@dulceglucosa.com.

2. What data we collect

2.1 Website

  • Waitlist: your email and your session's language.
  • Beta form: name, email, CGM device, and region. Optionally, any notes you choose to share.
  • Minimal technical data: an anonymous hash (SHA-256) of your IP combined with a daily-rotating salt, used only to throttle form abuse. We never store the raw IP.
  • Anonymous analytics: we use Vercel Analytics, which sets no cookies and collects no personal identifiers. It only measures page views and performance.

2.2 Mobile application

  • Glucose data obtained on your device from LibreLinkUp, Dexcom Share or your own Nightscout instance. Credentials are encrypted in the system's secure keychain (Keychain on iOS, Keystore on Android).
  • Apple Health data in read-only mode, if you grant permission.
  • Your logbook: carbohydrates, insulin, exercise, notes and manual readings. Stored locally.
  • Preferences: units, target range, language, theme.

During the MVP, app data is stored on your device and is not transmitted to Dulce servers. When this changes (optional cloud sync, family-sharing feature), we'll update this policy and ask for your explicit consent.

3. Why we use your data

  • Let you know when Dulce is available (waitlist).
  • Evaluate and select participants for the beta (beta form).
  • Protect the site from abuse (IP hash, rate limit).
  • Understand which pages perform best (anonymous analytics).
  • Comply with legal obligations and respond to your rights requests.
  • Consent (Art. 6(1)(a) GDPR): when you join the waitlist or beta.
  • Legitimate interest (Art. 6(1)(f) GDPR): basic site security and anonymous analytics.
  • Pre-contractual relationship (Art. 6(1)(b) GDPR): when we process your beta application.

5. Special category data (Art. 9 GDPR)

Glucose readings and other health data are special categories of personal data. Processing them requires explicit consent (Art. 9(2)(a) GDPR). In the MVP, these data:

  • Are processed only on your device.
  • Are not transmitted to Dulce servers.
  • Are not shared with any third party without your explicit instruction.

6. How long we keep your data

  • Waitlist: until launch + 6 months, or until you ask to be removed.
  • Beta form: for the duration of the beta + 12 months for support and product-improvement purposes.
  • IP hash: 30 days.
  • App data (on your device): until you delete it or uninstall the app.

7. Who we share your data with

We share data only with the providers strictly required to run the service. They all act as processors under contract:

  • Supabase (waitlist and beta storage) — hosted in the EU (eu-west-3).
  • Resend (sending the waitlist confirmation email).
  • Vercel (website hosting and anonymous analytics).
  • In the app, direct connections between your device and the providers you choose: LibreLinkUp (Abbott), Dexcom, Nightscout, Apple (Health). Those connections are governed by their own privacy policies.

We never sell, rent or hand over your data to third parties for advertising or commercial purposes.

8. International transfers

Some of our processors (Resend, Vercel) process data in the US. Transfers are made under the European Commission's Standard Contractual Clauses (SCCs) or equivalent frameworks (DPF). You can request a copy of these safeguards at hola@dulceglucosa.com.

9. Your rights

As a data subject, you have the right to:

  • Access your personal data.
  • Rectify it if inaccurate.
  • Request its deletion.
  • Object to processing or request restriction.
  • Portability of data you have provided.
  • Withdraw your consent at any time.

You can exercise any of these rights by writing to hola@dulceglucosa.com. We respond within 30 days at the latest.

If you believe our processing does not comply with the law, you have the right to file a complaint with the Spanish Data Protection Agency (AEPD).

10. Children

Dulce is not directed at children under the age of 14. If you are a parent or legal guardian and believe a minor in your care has provided us with data without your consent, contact us and we will delete it.

11. Cookies

We only use strictly necessary technical cookies (language preference, CSRF token on forms). We do not use tracking or advertising cookies. More in our Cookie Policy.

12. Changes to this policy

If we make material changes, we will notify affected users by email and publish the updated version with its revision date on this page.

13. Contact

For any questions about this Privacy Policy or the processing of your data, write to hola@dulceglucosa.com.