Privacy & Security

Your health data belongs to you. Full stop.

GlucoLab is a personal health tracking application. We do not sell your data, share it with third parties, or use it to train AI models. Here is exactly how we protect it.

Our Commitments

What we will never do

Sell your data

We will never sell your personal or health data to any third party — not to advertisers, data brokers, pharmaceutical companies, or anyone else.

Share it without consent

Your data is only shared with Care Partners you explicitly invite. No one else — including GlucoLab staff — can access your health records as part of normal operations.

Use it to train AI models

Your meal logs, glucose readings, and health events are never used to train or fine-tune any AI or machine learning model, including the models powering GlucoLab AI features.

How We Protect Your Data

Security built into the foundation

GlucoLab is built on Supabase, a PostgreSQL-based platform with enterprise-grade security controls enabled by default.

Row-Level Security on every table

Every database query is enforced at the database level — not just in application code. Even if there were a bug in the app, it would be impossible for one user's query to return another user's data. Your records are yours at the lowest level.

Encrypted in transit and at rest

All data is transmitted over HTTPS/TLS — no unencrypted connections are ever made. Your data is also encrypted at rest in our database, meaning the raw storage layer cannot be read without the proper decryption keys.

Elevated credentials stay server-side

We use two levels of API keys. Public keys handle standard authenticated requests. Elevated service-role keys (which can bypass row-level security) are stored only on our servers and never sent to your browser under any circumstances.

Industry-standard authentication

Passwords are never stored in plaintext. Authentication uses secure JWT tokens and hashed credentials managed by Supabase Auth, an industry-standard system built on top of PostgreSQL and GoTrue.

Private photo storage

Meal and treatment photos are stored in private Supabase Storage buckets. Photos are not publicly addressable — access is controlled by the same row-level security policies that protect all your other data.

Care Partner access is explicit and revocable

Care Partners only see data for members who have explicitly invited them. Access is granted by you, visible to you in Settings, and can be revoked at any time. Care Partner relationships are enforced at the database level — not just in the UI.

Data We Collect

Only what the app needs to work

We collect only the data you actively provide. We do not use tracking pixels, third-party advertising SDKs, or behavioral analytics.

Account info

Email address and display name for authentication and identification.

Health logs

Meals, glucose readings, insulin events, activity, and low treatments — entered by you or uploaded from your pump.

Photos

Meal and treatment photos you choose to attach. Stored in private, access-controlled buckets.

Device info

For Face ID login, a device-bound credential ID is stored locally on your device only — never sent to our servers.

Usage

Basic, non-identifying usage information to keep the app running and improve reliability. No third-party analytics.

Care Partners

You control who sees your data

GlucoLab allows you to invite Care Partners — parents, guardians, spouses, or other trusted individuals — to view and help manage your health data. This is entirely opt-in.

Care Partner access is enforced at the database level. Each relationship is tied to an explicit invitation, visible in your Settings, and can be revoked at any time. Revoking access immediately prevents the Care Partner from querying any of your data.
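The row-level security and Care Partner enforcement described on this page can be expressed as PostgreSQL policies. The following is an added example, not GlucoLab's own schema or code: the table names, column names and policy names are hypothetical, and it assumes a Supabase project where auth.uid() returns the signed-in user's ID and client requests run as the authenticated role.

```sql
-- Hypothetical schema for illustration; all names here are assumptions.
create table care_partner_links (
  member_id   uuid not null references auth.users (id) on delete cascade,
  partner_id  uuid not null references auth.users (id) on delete cascade,
  accepted_at timestamptz,   -- null until the invitation is accepted
  revoked_at  timestamptz,   -- set by the member to end access
  primary key (member_id, partner_id)
);

create table glucose_readings (
  id       bigint generated always as identity primary key,
  user_id  uuid not null references auth.users (id) on delete cascade,
  mg_dl    integer not null check (mg_dl > 0),
  taken_at timestamptz not null default now()
);

alter table glucose_readings   enable row level security;
alter table care_partner_links enable row level security;

-- Owner: may read and write only rows carrying their own user ID.
create policy owner_all on glucose_readings
  for all to authenticated
  using      (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));

-- Care Partner: read access (read-only is an assumption made for brevity),
-- valid only while an accepted, non-revoked link exists.
create policy partner_read on glucose_readings
  for select to authenticated
  using (exists (
    select 1 from care_partner_links l
    where l.member_id  = glucose_readings.user_id
      and l.partner_id = (select auth.uid())
      and l.accepted_at is not null
      and l.revoked_at  is null
  ));

-- Links: both parties can see a link; only the member can create or change it.
create policy link_visible on care_partner_links
  for select to authenticated
  using ((select auth.uid()) in (member_id, partner_id));

create policy link_member_manages on care_partner_links
  for all to authenticated
  using      (member_id = (select auth.uid()))
  with check (member_id = (select auth.uid()));
```

Because the policies are evaluated on every query, setting revoked_at removes the Care Partner's rows from their very next result set without any application change. A request made with a service-role key bypasses these policies, which is why that key has to stay server-side.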

Important note: GlucoLab is a personal health tracking application for individuals and their chosen care partners. It is not a clinical or medical platform and is not intended as a tool for healthcare providers operating in a professional capacity.

Your Rights

You own your data

Export everything

Download all your data — meals, glucose, bolus, activity, site changes — as a single CSV file from the Settings page at any time.

Delete your account

You can request full account deletion at any time. All your data, including photos, is permanently removed from our systems.

Manage Care Partners

View, update, or remove any Care Partner relationship from Settings at any time. Changes take effect immediately.

Additional Policies

A few more things worth knowing

Cookies

GlucoLab uses only essential cookies — small files that keep you logged in and remember your session. We do not use advertising cookies, tracking cookies, or third-party analytics cookies. No cookie banner is needed because we only use cookies the app cannot function without.

Data Retention

Your data is retained for as long as your account is active. If you delete your account, all associated data — including health logs, photos, and settings — is permanently and irreversibly deleted from our systems. We do not keep backups of deleted accounts.

Children's Privacy

GlucoLab accounts must be created by individuals 18 years of age or older. Parents and legal guardians may create and manage accounts on behalf of their minor children — this is a common use case for families managing childhood Type 1 diabetes. In all cases, the account is held by the adult, not the child.

GlucoLab is not directed at children and does not knowingly collect personal information directly from anyone under 13.

International Users

GlucoLab is operated from the United States. If you are located in the European Union, United Kingdom, or another jurisdiction with data protection laws, you have the right to access, correct, export, and delete your personal data — rights that are already built directly into the app. To exercise any of these rights, contact us at support@myglucolab.com.

Questions about your data?

Reach out anytime. We read every message.

Contact Us

Last updated: March 22, 2026