Carbol
Carbol
Sign inTry free

Privacy Policy

Version 1.0 — Last updated: 22 April 2026

Beta testing phase

Carbol is currently in closed beta. This Privacy Policy is operative and legally binding under the New Zealand Privacy Act 2020. It is being reviewed by a lawyer before general public release and may be updated. Continued use of the app following any update constitutes acceptance of the revised policy.

1. Who we are

Carbol is operated by Stephen Killgour, trading as Insightly, based in New Zealand ("Carbol", "we", "us", "our"). We are the data controller for personal information collected through this service.

Questions about this policy or your data can be directed to steve@carbol.co.nz.

2. What we collect and why

We collect the following categories of personal information:

Account information

Email address and password (hashed). Collected at signup to create and secure your account, and to send service-related emails.

Health and dosing data

Insulin-to-carb ratio, carbohydrate estimates, meal logs, insulin units recorded, and glucose unit preference. Collected to provide the core estimation and logging service. This is sensitive personal information under the Privacy Act 2020 and is handled with additional care.

Meal photos and voice recordings

Photos and voice transcripts submitted for AI carb estimation. Transmitted to Anthropic (see section 5) for processing. Photos are stored in Australia and deleted after 90 days for trial users. Voice transcripts are not stored beyond the logging session.

Device and usage data

Timezone, approximate session activity, and anonymous page-view analytics (via Google Analytics). Used to improve the service and understand usage patterns. No personally identifiable information is sent to Google Analytics.

Legal acceptance records

Timestamp and version number of the Terms of Service and Privacy Policy accepted at signup. Retained for legal compliance purposes.

Payment information

Payment card details and billing information are handled directly by Stripe and are never stored on Carbol servers. We receive only a Stripe customer ID and subscription status.

3. Legal basis for processing

We process your personal information on the following bases:

  • Contract — to provide the service you have signed up for
  • Consent — for health data and communications, where obtained at signup
  • Legitimate interests — for security, fraud prevention, and service improvement
  • Legal obligation — where required by New Zealand law

4. How we use your information

Your information is used exclusively to:

  • Provide carbohydrate estimation and insulin logging features
  • Authenticate your account and maintain session security
  • Send transactional emails (account confirmation, password reset, service notices)
  • Process subscription payments
  • Improve the accuracy and reliability of the service
  • Comply with applicable legal obligations

We do not use your personal health data to train AI models. We do not send marketing emails without your explicit consent. We do not sell your data to third parties under any circumstances.

5. Third-party processors

We work with the following trusted third-party services to operate Carbol. Each is engaged under a data processing agreement and bound by their own privacy obligations:

Supabase

Database, authentication, and file storageAustralia (AWS ap-southeast-2)

Privacy policy

Anthropic

AI analysis of meal photos and voice transcriptsUnited States

Images and transcripts are submitted per-request and are not retained by Anthropic for training.

Privacy policy

Vercel

Application hosting and content deliveryUnited States / global CDN

Privacy policy

Resend

Transactional email deliveryUnited States

Privacy policy

Stripe

Payment processingUnited States

Card details are entered directly into Stripe and never pass through Carbol servers.

Privacy policy

Google Analytics

Anonymous website analytics (marketing site only)United States

No personally identifiable information is sent. IP anonymisation is enabled.

Privacy policy

6. Data storage and retention

Your data is stored in Australia (Sydney, AWS ap-southeast-2) via Supabase. We retain your data for as long as your account is active, plus a maximum of 30 days following account deletion to allow for recovery requests.

Specific retention periods:

  • Meal photos: 90 days for trial users; retained while subscription is active for paid users
  • Meal logs and health data: retained until account deletion
  • Legal acceptance records: retained for 7 years for compliance purposes
  • Email delivery logs: retained by Resend for up to 30 days
  • Payment records: retained by Stripe as required by financial regulations

7. Your rights

Under the New Zealand Privacy Act 2020 you have the right to access and correct personal information we hold about you. Where applicable, you may also have rights under the EU General Data Protection Regulation (GDPR) including the right to erasure, data portability, and restriction of processing.

You can:

  • Access your data — from Settings within the app
  • Export your data — from Settings → Data
  • Correct your data — from your account settings
  • Delete your account and all associated data — from Settings → Data, or by emailing us

To exercise any right not available in-app, or to make a complaint about how we handle your data, contact us at steve@carbol.co.nz. We will respond within 20 working days as required by the Privacy Act 2020.

You may also lodge a complaint with the New Zealand Privacy Commissioner at privacy.org.nz.

8. Security

We implement industry-standard security measures including encrypted data transmission (TLS), hashed passwords, row-level security on all database tables, and signed URLs for file access. No system is completely secure; we will notify affected users promptly in the event of a data breach as required by the Privacy Act 2020.

9. Cookies and tracking

Carbol uses cookies and similar technologies for authentication (session management) and anonymous analytics. We do not use tracking cookies for advertising purposes. The Google Analytics cookie used on our marketing site collects anonymous, aggregated data only. You can disable analytics cookies via your browser settings.

10. Children

Carbol is not intended for use by children under 13. Users aged 13–17 may only use the service under the supervision of a parent or legal guardian who accepts these terms on their behalf. We do not knowingly collect personal information from children under 13 without parental consent.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect. The version date at the top of this page reflects the most recent update. Continued use of the service after the effective date constitutes acceptance of the revised policy.

12. Governing law

This Privacy Policy is governed by the laws of New Zealand, in particular the Privacy Act 2020. Where you are located in the European Economic Area, UK, or Australia, additional data protection laws may apply and we will honour those obligations.

13. Contact

All privacy enquiries should be directed to: steve@carbol.co.nz