Privacy Policy, Bolus pilot
Last updated: May 2026
Identity Statement: Bolus is a weekly food system for adults living with type 1 or type 2 diabetes. Bolus LTD operates it and runs this pilot for research and product testing purposes.
Data Controller: Bolus LTD (company number 17091519)
Contact: [email protected] | 07448 657092
Bolus LTD ("we", "our", "us") is the data controller for personal data processed in connection with Bolus. This Privacy Policy explains what information we collect, why we collect it, and how we use it during the Bolus pilot. For terms of participation, please see our Terms of Use.
1. Data we collect
When you apply to the Bolus pilot, we collect:
- Name
- Email address
- Mobile number
- Continuous glucose monitor data (Libre, Dexcom, or other)
- Your consent to participate
Optional: information you choose to provide in follow-up communications (e.g. household details, allergies, dietary preferences).
Security & anti-abuse: We use Cloudflare Turnstile on pilot sign-up forms to help protect against spam and abuse. Turnstile is used as a security control and is separate from analytics tracking.
2. Why we collect it
We use your data to:
- Confirm eligibility for the pilot
- Communicate with you about the pilot
- Design and deliver your weekly food system
- Improve our service based on feedback and usage trends
We use your data to shape future weekly plans based on patterns from what you cooked and optional CGM context. These are recommendations only; you are always in control and can override or ignore them. We do not make decisions that have legal or similarly significant effects, and we never sell or share your information with third parties for marketing.
3. How we store it
- Data is stored securely.
- Access is limited to the Bolus pilot team (Bolus LTD staff and contractors).
- We keep data only as long as needed for the pilot (up to 12 months after completion), unless you request deletion earlier.
Data is stored in Google Workspace, with encryption at rest and in transit enforced by Google's infrastructure. Access is strictly limited to authorised Bolus LTD staff working on the pilot. We keep your data only as long as needed for the pilot (up to 12 months after completion), unless you request deletion earlier.
3a. Technical safeguards
All data is encrypted in transit (TLS) and at rest. Audit logs are available via Google Workspace admin tooling. Where third-party services are used, we ensure appropriate safeguards such as EU Standard Contractual Clauses or UK adequacy decisions.
4. Legal basis under GDPR
We process your data on the basis of:
- Consent (Article 6(1)(a) GDPR); you provide explicit consent when applying.
- Special category data (Article 9(2)(a) GDPR); health information you choose to share is processed only with your explicit consent.
5. Your rights
Under GDPR, you can request at any time:
- Access to your data
- Correction of inaccurate data
- Deletion of your data ("right to be forgotten")
- Restriction or objection to processing
To exercise your rights, email [email protected].
6. Contact us
Bolus pilot team
Email: [email protected]
Tel: 07448 657092
If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ICO).