Privacy Policy – Sugar Sense

Last Updated: June 18, 2026

This Privacy Policy describes how Retarget OÜ, a private limited company registered in Estonia (VAT number EE102572290), with its registered office at Sepapaja tn 6, 15551 Tallinn, Estonia (“Retarget OÜ,” “we,” “us,” “our,” or “Sugar Sense”), collects, uses, shares, and protects your personal data in connection with the Sugar Sense application for iOS and watchOS, its related companion features (Apple Watch app, widgets, and Live Activity), our supporting cloud services, and our website (together, the “Services”).

Retarget OÜ is the data controller for the personal data processed through the Services within the meaning of Article 4(7) of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”), which is the primary legal framework that applies to us as an Estonian-established company.

Sugar Sense is a continuous glucose monitoring (CGM) companion app. It connects to your existing CGM provider account, displays your glucose readings and trends, lets you log diabetes-related events, sends configurable alerts, and offers optional features such as an AI food-carb estimator, AI insights, an emergency phone-call feature, and Apple Health integration. Because the Services process information about your health (in particular your glucose data), we treat the protection of this data with the highest priority.

Important medical and safety note. Sugar Sense is a supplemental information tool and is not a medical device, does not provide medical advice, and is not a substitute for your CGM’s own reader/receiver and its built-in alarms. Glucose data and alerts depend on third-party CGM services, the internet, and Apple’s push system, and may be delayed, missing, or fail. Do not rely on Sugar Sense as your only means of detecting low or high glucose. In an emergency, call your local emergency number (such as 112 or 911).

WHO WE ARE AND HOW TO CONTACT US

Controller: Retarget OÜ, Sepapaja tn 6, 15551 Tallinn, Estonia. VAT number: EE102572290.

For privacy and data-protection questions, or to exercise your rights, contact us:

Data-protection contact: [email protected]
General/legal contact: [email protected]
By mail: Retarget OÜ, Sepapaja tn 6, 15551 Tallinn, Estonia

SUMMARY

We are an Estonian (EU) company; the GDPR is our primary legal framework.
Most of the data we process is health data (glucose readings, trends, logged insulin/medication/meals, alert thresholds, imported Apple Health metrics, and diabetes-profile answers). We process this special-category data on the basis of your explicit consent (GDPR Art. 9(2)(a)).
We connect to your CGM provider (Abbott LibreLinkUp or, optionally, Dexcom Share) using credentials you provide. Your provider password is stored encrypted.
If you enable the optional emergency-call feature, we collect your phone number and an optional emergency-contact phone number and use Twilio (United States) to place automated voice calls on a confirmed low.
If you use the optional AI features, a food photo and/or aggregated, de-identified glucose statistics are sent to Anthropic (United States) for analysis. Food photos are processed transiently and are never stored. AI output is informational and dose-free.
We do not sell your personal data, and we never sell or share Apple Health (HealthKit) data with third parties for advertising or marketing.
You can permanently delete your account and associated data at any time from within the app.

PERSONAL DATA WE COLLECT

Account and identifiers

Sugar Sense account details — optional name, email address, and password used to create and sign in to your Sugar Sense account.
Account and device identifiers — your authentication user ID and a device identifier (Apple’s identifier for vendor). The device identifier is stored in the device keychain and persists across app reinstalls; it is the primary key under which your data is stored and is sent with most requests.
Push notification tokens — your iPhone and Apple Watch push notification device tokens, used to deliver alerts, silent data refreshes, and Live Activity updates through Apple Push Notification service (APNs).

CGM provider connection

CGM provider credentials — the email/username and password for your Abbott LibreLinkUp account or (optionally) your Dexcom Share account, which you enter so we can fetch your glucose data on your behalf. The password is stored encrypted (AES-256-GCM); it is decrypted only to re-authenticate with your provider. We also store the provider type/region and the session token/account identifier needed to keep the connection working. This is not your Sugar Sense account password.

Health data (special category)

Glucose readings and trends — continuous glucose values (stored in mg/dL) with timestamps and a trend-arrow indicator, fetched from your CGM provider.
Logged events (LogBook) — meals (including carbohydrates), insulin doses, activity/workouts, medication, and notes you log, with the glucose value and trend at the time of logging.
Alert configuration and thresholds — your personal low/high/very-low/very-high glucose limits (defaults 55/70/180/250 mg/dL), per-alert settings, snooze state, quiet-hours, and predictive-low settings. These reflect your clinical targets.
Glycemic statistics and insights — analytics computed from your glucose and events (such as Time in Range, GMI, variability, and detected patterns).
My Foods library — foods you save for quick re-logging, with carb values and usage counts.
Imported Apple Health metrics — see the “Apple Health (HealthKit)” section below.
Diabetes profile (onboarding answers) — answers you provide during onboarding, such as diabetes type, your care goal, concerns, how often you check, and which CGM provider you use.

Emergency-call data (optional feature)

Your phone number — collected only if you enable the emergency-call feature, so that Sugar Sense can place an automated voice call to you on a confirmed low glucose.
Emergency-contact phone number — an optional phone number of a person you choose, called if you do not acknowledge the call to you. You must confirm that you have that person’s consent before adding their number.
Emergency-call records — the state of each emergency-call episode (timing, counters, whether you acknowledged, whether the contact was notified).

Optional AI feature data

Food photos — if you use the AI food scanner, the photo you capture or pick is sent for carb estimation. The photo is processed transiently and is never stored by us; only the analysis is returned. See “AI Features” below.
Barcodes — if you scan a packaged-food barcode, the barcode (no personal data) is looked up via Open Food Facts and/or USDA FoodData Central.

Subscription data

Purchase and subscription metadata — your subscription/entitlement status and transaction metadata, processed by Adapty and Apple. Billing is handled by Apple’s In-App Purchase system. We do not collect or store your payment card number.

Usage, diagnostic, and analytics data

Usage and funnel events — in-app events such as onboarding progress, feature usage, and paywall/purchase events, processed via Firebase/Google Analytics.
Crash and diagnostic data — crash reports and diagnostics, processed via Firebase Crashlytics.
Technical data — limited technical information (such as app version, device/OS type, and the push environment) needed to operate and troubleshoot the Services.

We do not collect your precise geolocation, and we do not read your clipboard. (A support screen lets you tap a button to copy your device identifier to the clipboard; that is a user-initiated action and does not involve reading clipboard contents.)

PURPOSES FOR WHICH WE USE YOUR DATA

To connect to your CGM provider and retrieve, display, and chart your glucose data and trends.
To deliver glucose alerts, silent data refreshes, predictive-low alerts, and Live Activity updates to your iPhone and Apple Watch.
To let you log and review diabetes events and to compute statistics and insights.
To provide the optional emergency-call feature (calling you and, if needed, your emergency contact).
To provide the optional AI food-carb estimator and AI insights.
To integrate, where you enable it, with Apple Health.
To manage your subscription and entitlements.
To provide customer support and to maintain, secure, debug, and improve the Services.
To send you first-party, opt-in communications (such as feature announcements), which you can unsubscribe from at any time.
To comply with legal obligations and to establish, exercise, or defend legal claims.

LEGAL BASES FOR PROCESSING (GDPR)

As an EU-established controller, we rely on the following legal bases under the GDPR:

Explicit consent — Article 9(2)(a) for all health (special-category) data, including glucose readings and trends, logged insulin/medication/meal/carb data, alert thresholds, glycemic statistics, imported Apple Health metrics, your diabetes profile, and any health data processed by the optional AI features. We collect this consent through a clear, separate, affirmative opt-in (not bundled into general terms acceptance), and you can withdraw it at any time.
Performance of a contract — Article 6(1)(b) for providing the core Services you ask for (such as connecting to your CGM provider, displaying data, and managing your account and subscription).
Consent — Article 6(1)(a) for optional features you switch on (such as the emergency-call feature, the AI features, Apple Health integration, optional analytics where applicable, and marketing communications).
Legitimate interests — Article 6(1)(f) for securing, debugging, and improving the Services and preventing abuse, where not overridden by your rights and freedoms.
Legal obligation — Article 6(1)(c) where we must process data to comply with the law.

You can withdraw your consent at any time (for example by turning off an optional feature, or by deleting your account). Withdrawing consent does not affect processing already carried out before withdrawal.

RECIPIENTS AND SUB-PROCESSORS

We share personal data only with the providers needed to operate the Services. We do not sell your personal data. The recipients below process data on our behalf or as independent controllers for the stated, limited purposes:

Recipient	Data shared	Purpose	Location
Abbott LibreLinkUp (LibreView)	Your LibreLinkUp email and password (login); we receive your glucose readings and trends	Authenticate and retrieve CGM glucose data	EU/region-specific (libreview.io)
Dexcom Share (optional)	Your Dexcom account name (email) and password; we receive your glucose readings	Optional alternative CGM source	Region-specific (dexcom.com)
Apple — APNs and HealthKit	Push device tokens and glucose/alert payloads (APNs); Apple Health data you authorize (HealthKit)	Push notification delivery; Apple Health integration	United States / on-device (Apple)
Twilio	Your phone number and optional emergency-contact phone number; the glucose value spoken in the call	Optional emergency voice calls on confirmed low glucose	United States
Anthropic, PBC (Claude)	Food photo (transient, never stored) and/or aggregated, de-identified glucose/health statistics (no name, no email, no raw reading stream)	Optional AI carb estimation and AI insights	United States
Google / Firebase	Authentication tokens (Auth); usage/funnel and onboarding events (Analytics); crash diagnostics (Crashlytics); remote config and content reads (Remote Config, Firestore)	Authentication; product analytics; crash reporting; configuration and content	United States (Google Cloud)
Adapty	Device and purchase/subscription transaction metadata (no payment card number)	Subscription and entitlement management	United States
Open Food Facts	Scanned barcode only (no personal data)	Packaged-food nutrition lookup	EU (France)
USDA FoodData Central	Scanned barcode only (no personal data)	Fallback packaged-food lookup	United States
Decodo and Webshare (proxies)	Network transit only for our LibreLinkUp fetch; no separate app-user personal data is routed to them as a data category	Rotating-proxy infrastructure so the provider fetch is not IP-blocked	Infrastructure providers
DigitalOcean (hosting)	Our self-hosted database and services (where your account data is stored)	Cloud hosting infrastructure	[Confirm hosting region]

We may also disclose personal data to professional advisers, or to public authorities and law-enforcement bodies, where we are legally required to do so or where disclosure is necessary to protect our rights, your safety, or the safety of others. If we are ever involved in a merger, acquisition, or asset sale, your data may be transferred to the successor entity, and we will notify you before your data becomes subject to a different privacy policy.

APPLE HEALTH (HEALTHKIT)

If you enable Apple Health integration (a single, free, optional toggle in Settings), the app accesses Apple HealthKit on your device as follows:

Reads: blood glucose, steps, exercise minutes, active energy, workouts, resting heart rate, heart rate variability, sleep, body mass, body mass index (BMI), and blood pressure.
Writes: blood glucose readings back into Apple Health, marked as device-sourced.
Uploaded to our backend: a subset only — sleep, resting heart rate, heart rate variability, and imported workouts (as activity events) — which is used to compute insights and may be included, in aggregated and de-identified form, in the optional AI Insights feature.
Display only (never uploaded): body mass, BMI, and blood pressure are read for in-app display and are not sent to our servers.
Never collected: reproductive, menstrual, and pregnancy health data types are explicitly rejected and are never stored.

Data obtained through Apple HealthKit is never used for advertising or marketing, and is never sold or shared with third parties for advertising, marketing, or data-mining purposes. You can revoke Health access at any time in the iOS Settings or Apple Health app.

AI FEATURES

Sugar Sense offers optional, premium AI features that send limited data to Anthropic, PBC (United States) for analysis using the Claude model:

AI food scanner: the meal photo you capture or pick is transmitted for carbohydrate estimation. The photo is processed transiently and is never written to disk or stored by us; only the analysis (a carbohydrate range and related estimates) is returned.
AI Insights: aggregated, de-identified glucose/health statistics (such as average glucose, Time in Range, variability, your target range, and detected patterns) are transmitted. We do not send your name, email, or raw reading stream.

AI output is informational and educational only and is dose-free: it never provides insulin doses, units, carb ratios, or correction factors, and it returns carbohydrate estimates as ranges rather than precise figures. We do not use your data to train AI models, and the photo is not retained for training. Because these features process health data, we rely on your explicit consent (Art. 9(2)(a)), and the transmission to the United States is covered by the safeguards described in “International Transfers” below.

EMERGENCY-CALL FEATURE

The emergency-call feature is optional and off by default. When you enable it, the app collects your phone number, and (if you choose) an emergency-contact phone number, and uses Twilio (United States) to place an automated voice call on a confirmed low glucose. If you do not acknowledge the call to you, the call may escalate to your emergency contact. You must confirm that you have your emergency contact’s consent before adding their number. We rely on your consent for this feature (including, for the emergency-contact escalation, the consent you confirm on the contact’s behalf).

This feature is not an emergency-dispatch or guaranteed life-safety service; it does not contact emergency services. It depends on third-party services, the internet, and the telephone network, and may be delayed or fail. In an emergency, call your local emergency number (such as 112 or 911).

“FAMILY MESSAGES” (MESSAGE GROUP)

The optional “Family messages” / Message Group feature lets you send a simple ping/acknowledgement notification. It transmits only a notification type and a display name (for example, to show “X pinged you”). It does not share your glucose history, logs, or other health data with anyone.

INTERNATIONAL TRANSFERS

We are established in the European Union (Estonia). Some of our recipients and sub-processors are located outside the European Economic Area (EEA), in particular in the United States — including Twilio (phone numbers and the spoken glucose value), Anthropic (food photos and aggregated health statistics), Google/Firebase (authentication, analytics, and crash data), Adapty (subscription metadata), and Apple (push tokens and glucose payloads).

Where personal data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V of the GDPR, such as the European Commission’s Standard Contractual Clauses, an adequacy decision, and/or the EU–U.S. Data Privacy Framework where applicable. You may request information about these safeguards using the contact details above.

HOW WE STORE AND SECURE YOUR DATA

We take appropriate technical and organisational measures to protect your personal data, including encryption in transit (HTTPS/TLS), encryption at rest, encryption of your CGM provider credentials with AES-256-GCM, and access controls. Our operational logs are minimised and time-limited. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

RETENTION OF DATA

We retain your account data, glucose readings, logged events, and imported health metrics for as long as your account remains active, in order to provide trends, statistics, and the Services. When you delete your account (see below), your data is irreversibly deleted from our active systems within [X days], and from routine backups within [Y days]. Food photos used by the AI scanner are never stored. We may retain limited records for longer where necessary to comply with legal obligations or to establish, exercise, or defend legal claims.

ACCOUNT DELETION

You can permanently delete your account and associated data at any time, directly in the app: go to Settings → Terms & account → Delete Account. This action is irreversible and removes your profile, glucose history, logged events, emergency-call records, imported Apple Health metrics, and your authentication record from our systems.

You can also sign out on a per-device basis (“Log out”), which clears the connection and push tokens on that device while keeping your account.

Deletion covers the data we hold. Where data has already been transmitted to a processor (for example, an aggregated statistic sent to Anthropic, or analytics events sent to Google), we will, where applicable, instruct the relevant processor accordingly; copies held by those processors are subject to their own retention and deletion practices.

YOUR DATA PROTECTION RIGHTS

Under the GDPR, you have the following rights regarding your personal data:

Access — to obtain confirmation of, and a copy of, the personal data we hold about you.
Rectification — to have inaccurate or incomplete data corrected.
Erasure — to have your personal data deleted (you can also do this yourself via in-app Account Deletion).
Restriction — to ask us to restrict processing in certain circumstances.
Objection — to object to processing based on our legitimate interests.
Data portability — to receive your glucose and event data in a structured, commonly used, machine-readable format.
Withdraw consent — to withdraw your consent at any time where we rely on it (including for health data, the optional features, and marketing), without affecting prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within one month, as required by Article 12(3) of the GDPR (this period may be extended for complex requests, in which case we will inform you). We may need to verify your identity before responding.

RIGHT TO LODGE A COMPLAINT

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with a supervisory authority. As an Estonian-established controller, our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI), https://www.aki.ee. You may also lodge a complaint with the supervisory authority in your own EEA Member State of residence, place of work, or place of the alleged infringement.

WHEN YOU PROVIDE ANOTHER PERSON’S DATA

If you provide the personal data of another person (for example, an emergency-contact phone number), you confirm that you have a lawful basis and that person’s consent to do so, and that you have informed them how their data will be used (to place an automated emergency voice call via Twilio). Retarget OÜ remains the data controller for that data.

CHILDREN’S PRIVACY

The Services are not directed to or intended for children. Because the Services process special-category health data, any permitted use by a minor must take place with the active involvement of a parent or guardian. The minimum age for digital consent under the GDPR in Estonia is 13; below that age, a parent or guardian must be involved. If we become aware that we have collected personal data from a child without a valid legal basis, we will delete it without undue delay. If you believe a child has provided us with personal data, please contact us at [email protected].

MARKETING COMMUNICATIONS

We may send you first-party communications from Retarget OÜ about Sugar Sense, only where you have opted in. We do not sell or share your contact details with third parties for their own direct marketing. You can opt out at any time using the unsubscribe link in our emails or by contacting [email protected].

LINKS TO OTHER SERVICES

The Services may contain links to websites or services not operated by us. We are not responsible for the content or privacy practices of those third parties, and we encourage you to review their privacy policies.

CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the “Last Updated” date above. For material changes, we will provide additional notice (for example, in-app or by email) where appropriate. Please review this Privacy Policy periodically.

CONTACT US

If you have any questions about this Privacy Policy or our handling of your personal data, please contact us:

By email: [email protected] (data protection) or [email protected]
By mail:
Retarget OÜ
Sepapaja tn 6, 15551 Tallinn, Estonia
VAT number: EE102572290