PRIVACY POLICY

Effective Date: January 9, 2026

Thank you for visiting the Glurry website located at https://glurry.app (the “Website”). This Privacy Policy explains how Rx Studio OÜ (“Rx Studio,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal data when you access or use the Website, the Glurry mobile application (the “Glurry App”), the Glurry Dashboard, and related services (collectively, the “Products”).

We process personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), HIPAA, CCPA/CPRA, and PIPEDA, where applicable. This Privacy Policy does not limit any rights you may have under mandatory applicable law.

1. INTRODUCTION

1.1 Data Controller

Rx Studio OÜ
Sõpruse pst 214-104
13416 Tallinn, Estonia
Business ID: 16304251
Email: privacy@glurry.app

Rx Studio is the data controller and determines the purposes and means of processing personal data (“User Data”).

We may provide additional, contextual privacy information within the Products. Such information supplements, and does not override, this Privacy Policy.

This Privacy Policy is accessible at all times via the Website and within the Products.

2. SCOPE AND LEGAL BASES

The Products are intended for persons with diabetes. Use of the Products may inherently involve health-related data.

We process personal data only where a valid legal basis exists, including performance of a contract, explicit user consent, legitimate interests, and compliance with legal and regulatory obligations, including medical device regulations.

Where required by law, explicit consent is obtained prior to processing health data.

3. CATEGORIES OF PERSONAL DATA

3.1 Account and Authentication Data

We process data required to create, authenticate, and manage user accounts, including system-generated user identifiers, account status, and authentication-related information.

Users may authenticate using secure authentication methods, including standard credentials, federated identity providers, or government-backed electronic identity solutions, depending on availability and user choice.

Authentication data is protected using industry-standard security mechanisms and is not stored in plain text.

3.2 Contact and Communication Data

When users interact with us through contact forms, feedback channels, or support communications, we may process contact and communication data voluntarily provided by the user, such as contact details, message content, and attachments.

3.3 Technical and Device Data

To operate, secure, and maintain the Products, we process technical data including device characteristics, operating system and application version, language, country, time zone, and technical signals necessary for functionality and security.

3.4 Health and Medical Data

Depending on user configuration, connected services, and granted permissions, we process health and medical data including, but not limited to:

  • Blood glucose measurements and related timestamps
  • Continuous glucose monitoring data
  • Insulin and other medication data, including timing, type, and dosage
  • Data from connected insulin delivery devices and smart insulin pens
  • Physiological, activity, and sensor-derived health data, including physical activity, sleep, heart rate, and related metrics
  • Nutrition and lifestyle data, including meals and associated media such as photos
  • Other health-related data made available through connected devices, health platforms, or applications, as authorized by the user

3.5 Third-Party Integration and Authorization Data

To enable integrations with external devices, platforms, and services, we process authorization and access information such as tokens or credentials generated through industry-standard authorization protocols.

Such data is stored securely, used solely to provide the requested integration functionality, and is not used for unrelated purposes.

4. PURPOSES OF PROCESSING

  • Providing, operating, and maintaining the Products
  • Creating and managing user accounts
  • Importing, storing, and displaying health and device data at the user’s request
  • Generating summaries, visualizations, and insights
  • Supporting self-management and behavior-related features
  • Ensuring product safety, quality, and reliability
  • Providing customer support and responding to inquiries
  • Complying with legal, regulatory, and medical device obligations
  • Conducting analysis and research to improve the Products, where legally permitted
  • Sending marketing or informational communications, where explicit consent has been provided

5. AI-BASED AND ALGORITHMIC ANALYSIS

The Products use artificial intelligence, statistical, and algorithmic methods to analyze user-provided and connected health data.

AI-based outputs are informational and supportive in nature, do not constitute medical advice, do not replace professional judgment, and are not used to make autonomous medical or therapeutic decisions.

6. DATA SHARING AND PROCESSORS

We may share personal data with trusted service providers acting on our instructions, including providers of cloud infrastructure, security services, analytics tools, and customer support systems.

Such providers are contractually bound to confidentiality and data protection obligations.

7. DATA STORAGE AND INTERNATIONAL TRANSFERS

Personal data is stored on secure servers located in the European Union. Where data is transferred outside the EU/EEA, appropriate safeguards are applied in accordance with applicable law.

8. DATA RETENTION

Personal data is retained only for as long as necessary to provide the Products, comply with legal obligations, or resolve disputes. When no longer required, data is securely deleted or anonymized.

9. MINORS

The Products are intended for users aged sixteen (16) or older, unless parental or guardian consent has been obtained where required by law.

10. YOUR RIGHTS

Depending on your jurisdiction, you may have rights including access, correction, deletion, restriction, objection, data portability, and the right to lodge a complaint with a supervisory authority.

Requests may be submitted to privacy@glurry.app.

11. HIPAA BUSINESS ASSOCIATE PROVISIONS

Where the Products are provided through a healthcare provider or insurer acting as a HIPAA Covered Entity, Rx Studio acts as a Business Associate and processes data as Protected Health Information (PHI) in accordance with HIPAA and applicable agreements.

Where no Covered Entity relationship exists, data is processed under this Privacy Policy and applicable consumer privacy laws.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Where required by law, users will be notified and additional consent obtained.

THANK YOU FOR YOUR TRUST IN RX STUDIO AND GLURRY.