Privacy Policy

Effective Date: September 9, 2025
Last Updated: September 9, 2025
Version: 2.0

1. Introduction and Scope

GlucoSense ("we," "our," or "Company") is committed to protecting the privacy and security of the personal data of our users ("you," "your," or "User"). This Privacy Policy describes how we collect, use, process, store, and protect your information when you use our website www.glucosen.shop and related services (collectively, the "Services").

This policy complies with:

  • General Data Protection Regulation (GDPR) - EU 2016/679
  • California Consumer Privacy Act (CCPA) - Cal. Civ. Code § 1798.100
  • Telephone Consumer Protection Act (TCPA) - 47 U.S.C. § 227
  • CTIA Messaging Guidelines
  • A2P 10DLC Requirements
  • Brazilian General Data Protection Law (LGPD) - Law No. 13,709/2018

2. Definitions and Legal Basis

2.1 Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Sensitive Data: Personal data about health, racial/ethnic origin, political opinions, religious beliefs
  • Processing: Any operation performed on personal data
  • Controller: Entity that determines the purposes and means of processing
  • Processor: Entity that processes data on behalf of the controller
  • Data Breach: Security breach leading to unauthorized destruction, loss, alteration, or disclosure of data

2.2 Legal Bases for Processing

We process your personal data based on:

  • Consent: For marketing communications and health data collection
  • Contract Performance: To provide our Services
  • Legal Obligation: To comply with applicable laws
  • Legitimate Interests: For security, fraud prevention, and service improvements

3. Information We Collect

3.1 Information You Provide Directly

  • Account Data: Name, email address, phone number, postal address
  • Payment Data: Credit card information (tokenized via PCI-DSS processor)
  • Health Data: Glucose levels, medical information (with explicit consent)
  • Communication Data: Messages, communication preferences, consent records

3.2 Information Collected Automatically

  • Device Data: IP address, browser type, operating system, unique identifiers
  • Usage Data: Pages visited, features used, timestamps, clickstream data
  • Location Data: Approximate location based on IP (with consent for precise location)
  • Cookies and Similar Technologies: As per our Cookie Policy

3.3 Information from Third Parties

  • Identity Providers: Authentication data via OAuth
  • Telecommunications Partners: Message delivery status, number verification

4. How We Use Your Information

4.1 Primary Purposes

  • Provide, maintain, and improve our Services
  • Process transactions and send related notifications
  • Respond to customer support requests
  • Send important service communications

4.2 Communications and Marketing

  • Transactional Communications: Order confirmations, account updates, security alerts
  • Promotional Communications: Offers, new features (only with consent)
  • Health Communications: Reminders, insights (with specific consent)

4.3 TCPA Compliance for Communications

  • Messaging Hours: 8 AM to 9 PM recipient's local time
  • Express Written Consent: Obtained before any automated communications
  • Immediate Opt-Out: Reply STOP to cancel SMS, unsubscribe links in emails
  • Consent Records: Detailed records of all consents maintained

4.4 Security and Compliance

  • Detect and prevent fraud, abuse, and illegal activities
  • Comply with legal obligations and regulatory requirements
  • Enforce our Terms of Service
  • Protect rights, property, and safety

5. Data Sharing and Disclosure

5.1 Service Providers

We share data with carefully vetted providers who:

  • Have signed Data Processing Agreements (DPAs)
  • Are ISO 27001/SOC 2 certified where applicable
  • Undergo regular security assessments
  • Process data only per our instructions

Provider Categories:

  • Cloud infrastructure (AWS - ISO 27001, SOC 2, PCI-DSS)
  • Payment processing (PCI-DSS Level 1 compliant)
  • Communication services (Twilio - ISO 27001, SOC 2)
  • Analytics (anonymized processing only)

5.2 Legal Disclosures

We may disclose information when:

  • Required by law, subpoena, or court order
  • Necessary to protect vital interests
  • To prevent harm or illegal activities
  • With your explicit consent

6. International Data Transfers

6.1 Transfer Mechanisms

When we transfer data internationally, we use:

  • Standard Contractual Clauses (SCCs) - EU Controller-Processor Module
  • Adequacy Decisions - For EU-recognized countries
  • Binding Corporate Rules (BCRs) - For intra-group transfers
  • Explicit Consent - Where appropriate

6.2 Specific Safeguards

  • All data encrypted during transfer (TLS 1.2+)
  • Transfer Impact Assessments (TIAs) conducted
  • Supplementary measures implemented per Schrems II

7. Data Security

7.1 Technical Security Measures

  • Encryption: AES-256 for data at rest, TLS 1.2+ for data in transit
  • Access Control: Multi-factor authentication (MFA) required, RBAC, least privilege principle
  • Network Security: Firewalls, IDS/IPS, network segmentation, VPN for admin access
  • Monitoring: 24/7 security monitoring, real-time anomaly detection

7.2 Organizational Measures

  • Training: Annual mandatory security and privacy training
  • Background Checks: For all employees with data access
  • Confidentiality Agreements: NDAs signed by all employees and contractors
  • Access Management: Quarterly access reviews, immediate de-provisioning upon termination

7.3 Certifications and Compliance

We maintain the following certifications:

  • ISO/IEC 27001:2022 - Information Security Management System
  • SOC 2 Type II - Security, Availability, and Confidentiality Controls
  • PCI DSS Level 1 - For payment processing
  • HIPAA - For health data (where applicable)

7.4 Testing and Auditing

  • Quarterly third-party penetration testing
  • Annual compliance audits
  • Continuous vulnerability scanning
  • Bug bounty program

8. Incident Response and Breach Notification

8.1 Incident Response Plan

We maintain a comprehensive incident response plan following NIST SP 800-61:

  • Detection: Continuous monitoring and alerting systems
  • Containment: Immediate isolation of affected systems
  • Eradication: Removal of threats and vulnerabilities
  • Recovery: Secure restoration of operations
  • Lessons Learned: Post-incident analysis and improvements

8.2 Breach Notification Procedures

In case of a personal data breach:

  • Regulatory Authorities: Notification within 72 hours (GDPR/LGPD)
  • Affected Individuals: Notification without undue delay when high risk
  • Contractual Partners: As per data processing agreements
  • Documentation: Complete record of all breaches maintained

9. Your Privacy Rights

9.1 Rights under GDPR/LGPD

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of data ("right to be forgotten")
  • Portability: Receive data in structured format
  • Restriction: Limit data processing
  • Objection: Object to certain processing
  • Automated Decision-Making: Not be subject to solely automated decisions

9.2 Rights under CCPA

California residents have additional rights:

  • Know what personal information we collect
  • Know if we sell information (we do not sell)
  • Delete personal information
  • Non-discrimination for exercising rights
  • Opt-out of sale (though we don't sell data)

10. Telecommunications Compliance

10.1 A2P 10DLC Registration

  • Brand registered with The Campaign Registry (TCR)
  • Campaigns verified for each use case
  • Compliance with throughput limits
  • Regular number status verification

10.2 TCPA Compliance

  • Consent: Prior express written consent for all automated communications
  • Quiet Hours: No messages between 9 PM and 8 AM local time