Privacy Policy, Bolus pilot
Last updated: April 2025
Identity Statement: Bolus is a weekly food system for adults living with type 1 or type 2 diabetes. Bolus LTD operates it and runs this pilot for research and product testing purposes.
Data Controller: Bolus LTD (company number 17091519)
Contact: pilot@bolus.app | 07946 427264
Bolus LTD ("we", "our", "us") is the data controller for personal data processed in connection with Bolus. This Privacy Policy explains what information we collect, why we collect it, and how we use it during the Bolus pilot. For terms of participation, please see our Terms of Use.
1. Data we collect
When you apply to the Bolus pilot, we collect:
- Name
- Email address
- Postcode
- Mobile number
- Continuous glucose monitor used (Libre, Dexcom, or other)
- Apple health data (if you choose to share it)
- Your consent to participate
Optional: information you choose to provide in follow-up communications (e.g. household details, allergies, dietary preferences).
Analytics & Cookies: When you visit our website, we collect anonymised usage data via Google Analytics and Microsoft Clarity to help us understand and improve our service. These tools use cookies to track website usage. By using our website, you consent to this data collection. No health information is collected through these tools.
2. Why we collect it
We use your data to:
- Confirm eligibility for the pilot
- Communicate with you about the pilot
- Design and deliver your weekly food system
- Improve our service based on feedback and usage trends
We use your data to suggest adjustments to your weekly food system automatically (based on your CGM trends). These are recommendations only; you are always in control and can override or ignore them. We do not make decisions that have legal or similarly significant effects, and we never sell or share your information with third parties for marketing.
3. How we store it
- Data is stored securely.
- Access is limited to the Bolus pilot team (Bolus LTD staff and contractors).
- We keep data only as long as needed for the pilot (up to 12 months after completion), unless you request deletion earlier.
Data is stored in encrypted Google Workspace services. Access is strictly limited to authorised Bolus LTD staff working on the pilot. If groceries are delivered via third-party supermarkets (e.g. Tesco, Sainsbury’s), only the minimum details needed for delivery (e.g. name, address, phone) are shared with them. We keep your data only as long as needed for the pilot (up to 12 months after completion), unless you request deletion earlier.
3a. Technical safeguards
All data is encrypted in transit (TLS) and at rest. Access is limited to authorised staff, with logging and monitoring in place. Where third-party services are used, we ensure appropriate safeguards such as EU Standard Contractual Clauses or UK adequacy decisions.
4. Legal basis under GDPR
We process your data on the basis of:
- Consent (Article 6(1)(a) GDPR); you provide explicit consent when applying.
- Special category data (Article 9(2)(a) GDPR); health information you choose to share is processed only with your explicit consent.
5. Your rights
Under GDPR, you can request at any time:
- Access to your data
- Correction of inaccurate data
- Deletion of your data ("right to be forgotten")
- Restriction or objection to processing
To exercise your rights, email pilot@bolus.app.
6. Contact us
Bolus pilot team
Email: pilot@bolus.app
Tel: 07946 427264
If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ICO).