Privacy Policy

1. Who we are

Carbol is operated by Stephen Killgour ("Carbol", "we", "us", "our"), an individual based in New Zealand. We are the data controller for personal information collected through this service.

Questions about this policy or your data can be directed to steve@carbol.co.nz.

2. What we collect and why

We collect the following categories of personal information:

3. Legal basis for processing

We process your personal information on the following bases:

• Contract — to provide the service you have signed up for
• Consent — for health data and communications, where obtained at signup
• Legitimate interests — for security, fraud prevention, and service improvement
• Legal obligation — where required by New Zealand law

4. How we use your information

Your information is used exclusively to:

• Provide carbohydrate estimation and insulin logging features
• Authenticate your account and maintain session security
• Send transactional emails (account confirmation, password reset, service notices)
• Process subscription payments
• Improve the accuracy and reliability of the service
• Comply with applicable legal obligations

We do not use your personal health data to train AI models. We do not send marketing emails without your explicit consent. We do not sell your data to third parties under any circumstances.

5. Third-party processors

We work with the following trusted third-party services to operate Carbol. Each is engaged under a data processing agreement and bound by their own privacy obligations:

6. Data storage and retention

Your data is stored in Australia (Sydney, AWS ap-southeast-2) via Supabase. We retain your data for as long as your account is active, plus a maximum of 30 days following account deletion to allow for recovery requests.

Specific retention periods:

• Meal photos: 90 days for trial users; retained while subscription is active for paid users
• Meal logs and health data: retained until account deletion
• Legal acceptance records: retained for 7 years for compliance purposes
• Email delivery logs: retained by Resend for up to 30 days
• Payment records: retained by Stripe as required by financial regulations
• API processing data (Anthropic): deleted by Anthropic after 30 days

Accounts that are created but not fully set up (for example, where a user begins signup but does not complete onboarding) are currently retained indefinitely. These can be deleted at any time by emailing steve@carbol.co.nz. We are working to automate cleanup of incomplete accounts.

7. Your rights

Under the New Zealand Privacy Act 2020 you have the right to access and correct personal information we hold about you. Where applicable, you may also have rights under the EU General Data Protection Regulation (GDPR) including the right to erasure, data portability, and restriction of processing.

You can:

• Access your data — from Settings within the app
• Export your data — from Settings → Data
• Correct your data — from your account settings
• Delete your account and all associated data — from Settings → Data, or by emailing us

To exercise any right not available in-app, or to make a complaint about how we handle your data, contact us at steve@carbol.co.nz. We will respond within 20 working days as required by the Privacy Act 2020.

You may also lodge a complaint with the New Zealand Privacy Commissioner at privacy.org.nz.

8. Security

We implement industry-standard security measures including encrypted data transmission (TLS), hashed passwords, row-level security on all database tables, and signed URLs for file access. No system is completely secure; we will notify affected users promptly in the event of a data breach as required by the Privacy Act 2020.

9. Cookies and tracking

Carbol uses cookies and similar technologies for authentication (session management) and anonymous analytics. We do not use tracking cookies for advertising purposes. The Google Analytics cookie used on our marketing site collects anonymous, aggregated data only. You can disable analytics cookies via your browser settings.

10. Children and young people

Carbol accounts must be held by adults (18 or over). Where the service is used to support a child or young person living with Type 1 diabetes, the parent or legal guardian must create the account in their own name and retain primary responsibility for its use.

We do not knowingly collect personal information directly from anyone under 18 as a primary account holder. If you believe a minor has created an account without guardian oversight, please contact us at steve@carbol.co.nz and we will investigate.

Where a parent or guardian provides information about a child in their care (for example, a first name or age used to personalise the experience), that information is treated as the guardian's data for legal purposes and handled under the rest of this policy.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect. The version date at the top of this page reflects the most recent update. Continued use of the service after the effective date constitutes acceptance of the revised policy.

12. Governing law

This Privacy Policy is governed by the laws of New Zealand, in particular the Privacy Act 2020. Where you are located in the European Economic Area, UK, or Australia, additional data protection laws may apply and we will honour those obligations.

13. Contact

All privacy enquiries should be directed to: steve@carbol.co.nz