Privacy Policy

Last updated: February 1, 2026

At GlucoseSense, we are committed to protecting the privacy and security of your personal information and health data. This Privacy Policy explains how we collect, use, store, and share your information when you use our platform.

1. Information We Collect

We collect several types of information to provide and improve our Service:

Personal Information: When you register for an account, we collect your name, email address, phone number, and professional credentials (for healthcare providers). For clinic administrators, we also collect clinic name, address, and contact information.

Health Data: We collect glucose readings, medical history, diabetes type, medication information, and other health-related data entered by patients or their healthcare providers. This data is considered sensitive personal data under Rwandan law.

Usage Data: We automatically collect information about how you interact with the Platform, including access times, pages viewed, device information, IP addresses, and browser type.

Device Information: When using our mobile application, we may collect device identifiers, operating system version, and mobile network information.

Communication Data: We retain records of communications between you and our support team, as well as in-platform messages between healthcare providers.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, maintain, and improve the Platform and its features.
  • To enable healthcare providers to monitor patient glucose levels and manage alerts.
  • To generate notifications and alerts based on configured glucose thresholds.
  • To facilitate communication between patients and their healthcare teams.
  • To process Subscription payments and manage billing.
  • To send you service-related notifications, updates, and administrative messages.
  • To analyze usage patterns and improve the user experience.
  • To comply with legal obligations and enforce our Terms of Service.
  • To protect the safety and security of our users and the Platform.

We will never sell your Health Data to third parties for marketing or advertising purposes.

3. Data Sharing and Disclosure

We share your information only in the following circumstances:

With Your Healthcare Team: Health Data is shared between patients and their assigned healthcare providers and clinic administrators as necessary for care delivery. Patients can view which providers have access to their data.

Service Providers: We engage trusted third-party service providers to perform functions on our behalf, such as cloud hosting, payment processing, and email delivery. These providers are contractually obligated to protect your data and use it only for the purposes we specify.

Legal Requirements: We may disclose your information if required by law, regulation, or legal process, or if we believe disclosure is necessary to protect the rights, property, or safety of GlucoseSense, our users, or the public.

Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change and any choices you may have regarding your information.

We do not share Health Data with insurance companies, employers, or any other third parties without explicit patient consent.

4. Data Security

We implement comprehensive technical and organizational measures to protect your information:

  • All data transmitted between your device and our servers is encrypted using TLS 1.3 or higher.
  • Health Data stored in our databases is encrypted at rest using AES-256 encryption.
  • Access to Health Data is restricted through role-based access controls and multi-factor authentication for administrative access.
  • We conduct regular security audits and penetration testing of our systems.
  • Our infrastructure is hosted on secure, SOC 2 Type II certified cloud providers with data centers that maintain physical security controls.
  • We maintain detailed access logs and monitor for unauthorized access attempts.
  • All employees and contractors with access to user data undergo background checks and sign confidentiality agreements.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but will notify affected users promptly in the event of a data breach.

5. Your Rights

Under Rwandan data protection law (Law No. 058/2021), you have the following rights regarding your personal data:

Right of Access: You may request a copy of the personal data we hold about you. We will provide this information within 30 days of your request.

Right to Rectification: You may request correction of inaccurate or incomplete personal data.

Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements for health records. Patient Health Data must be retained for a minimum of 5 years in accordance with Rwandan health regulations.

Right to Restrict Processing: You may request that we limit the processing of your personal data in certain circumstances.

Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format (JSON or CSV).

Right to Object: You may object to the processing of your personal data for certain purposes, including direct marketing.

Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time. This does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us at privacy@glucosesense.org. We will respond to your request within 30 days.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide you with the Service. Specific retention periods include:

Account Data: Retained for the duration of your account plus 2 years after account closure.

Health Data: Retained for a minimum of 5 years after the last activity, in compliance with Rwandan health records retention requirements. Patients may request earlier deletion, subject to these legal requirements.

Usage Data: Retained for 2 years for analytics purposes, after which it is anonymized or deleted.

Communication Data: Retained for 3 years after the communication.

Billing Data: Retained for 7 years in compliance with Rwandan tax regulations.

When data reaches the end of its retention period, it is securely deleted or anonymized using industry-standard methods.

7. Children's Privacy

The Platform is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13.

For patients between the ages of 13 and 18, a parent or legal guardian must create and manage the account. Healthcare providers may enter glucose data for minor patients with appropriate parental or guardian consent.

If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information promptly.

8. International Data Transfers

Our primary data processing and storage facilities are located in Africa. However, some of our service providers may process data in other regions.

When personal data is transferred outside of Rwanda, we ensure appropriate safeguards are in place, including:

  • Standard contractual clauses approved by relevant data protection authorities.
  • Ensuring the receiving country provides an adequate level of data protection.
  • Obtaining your explicit consent for the transfer where required.

We prioritize keeping Health Data within African data centers whenever possible. If your data needs to be transferred internationally, we will inform you and ensure equivalent protections are maintained.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on the Platform:

Essential Cookies: Required for the Platform to function properly, including authentication and session management. These cannot be disabled.

Analytics Cookies: Help us understand how users interact with the Platform so we can improve it. These can be disabled in your browser settings.

Preference Cookies: Remember your settings and preferences (such as language and theme). These can be disabled in your account settings.

We do not use advertising or third-party tracking cookies. We do not share tracking data with advertisers.

You can manage cookie preferences through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Platform.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Post the updated policy on the Platform with a new "Last Updated" date.
  • Notify you via email or in-app notification at least 30 days before the changes take effect.
  • Obtain your consent where required by law.

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes become effective constitutes your acceptance of the revised policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer
GlucoseSense Ltd
Kigali, Rwanda
Email: privacy@glucosesense.org
Phone: +250 788 000 000

For data protection complaints, you may also contact the National Cyber Security Authority of Rwanda (NCSA), which oversees data protection compliance in Rwanda.

This Privacy Policy was last updated on February 1, 2026.