Privacy Policy
How Diabic (Mindantic LLC) collects, uses, shares, and protects your information when you use diabic.com. GDPR, UK GDPR, and CCPA aligned.
Last reviewed · May 1, 2026Privacy Policy
This Privacy Policy explains how Mindantic LLC ("Diabic", "we", "us") collects, uses, shares, and protects your information when you use diabic.com. We follow the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA, and other applicable privacy laws.
Diabic is a diabetes-education blog. Our content is for information only and is not medical advice. See our Terms & Conditions for the full medical disclaimer.
Table of contents
- About this policy
- Quick summary
- Information we collect
- Legal bases under GDPR
- How we use your information
- Third-party processors we share data with
- International data transfers
- How long we keep your information
- Your privacy rights
- Children's privacy
- How we secure your information
- Do Not Track and Global Privacy Control
- Third-party links
- Changes to this policy
- Mobile app data practices
- Apple App Store privacy categories
- Google Play Data Safety alignment
- How to contact us
- EU/UK representative
- Frequently asked questions
About this policy
Mindantic LLC is a US-registered limited liability company and the operator of diabic.com (the "Site"). Diabic is a diabetes-education blog providing recipes, nutrition guidance, and general wellness content. When the Diabic mobile app launches, this policy will extend to cover that app as well, we will note that change in the header.
This policy is effective as of May 01, 2026. The most recent review date is always shown in the header at the top of this page. When we make material changes, we will update that date and, where practical, notify newsletter subscribers.
By using the Site, you accept the data practices described here. If you disagree with any part of this policy, please do not use the Site.
This policy covers privacy only. For our content disclaimer and terms of use, including the full medical disclaimer explaining that nothing on diabic.com constitutes medical advice, see our Terms & Conditions.
Quick summary
- We collect anonymous usage analytics via PostHog.
- If you subscribe to our newsletter, we collect your email through Brevo.
- If you message us through /contact, we receive your name, email, and message in Gmail.
- We do not show ads.
- We do not sell or share your personal information for cross-context advertising.
- We do not collect health data, diagnoses, or biometric information.
- You can ask us to access, correct, delete, or port your data at any time, see Your privacy rights.
Information we collect
Information collected automatically (analytics)
When you visit any page on diabic.com, our analytics provider PostHog automatically collects certain technical information. We use PostHog to understand which content is helpful and where the Site can be improved. The data collected includes:
- Pages viewed and navigation path within the Site
- Referring URL (the page or search engine you came from)
- Browser type and device class (desktop, tablet, or mobile)
- Your IP address, which PostHog anonymizes before storing
- Session events such as clicks, scroll depth, and approximate time on page
PostHog sets cookies whose names start with ph_ (for example, ph_posthog_lib). These cookies are used solely for product analytics, to understand how visitors use the Site and to improve our content and user experience. They are not used for advertising targeting and are not sold or shared with ad networks or data brokers.
PostHog is hosted on PostHog's US cloud; events captured on diabic.com are transferred to and processed in the United States. For more detail on PostHog's own privacy practices and the safeguards applied to that transfer, see Third-party processors we share data with and International data transfers.
Information you provide directly
Newsletter. If you choose to subscribe to the Diabic newsletter, we collect your email address. Subscription is always opt-in, we never add you without your explicit action. Your email address is stored and processed by Brevo (formerly Sendinblue), our email marketing provider. We use it only to send the newsletter and occasional site announcements. You can unsubscribe at any time by clicking the unsubscribe link in any email we send, or by contacting us directly at diabic@mindantic.com.
Contact form. If you send us a message through /contact, we receive your name, email address, and the content of your message. These messages are delivered to and stored in our Gmail inbox. We use this information only to respond to your inquiry and do not use it for any marketing purpose unless you explicitly ask to join the newsletter.
Cookies and similar technologies
The table below lists the cookies currently active on diabic.com.
We may embed third-party content in the future (for example, YouTube videos or Pinterest pins). When those embeds go live, the relevant providers may set their own cookies. We will update this table at that time.
Information we do not collect
We do not collect:
- Protected health information (PHI) or medical diagnoses
- Biometric data
- Payment or financial data
- Precise geolocation
- Any information from children under 13 (or under 16 for EU/UK visitors), see Children's privacy
Legal bases under GDPR
This section applies to visitors located in the European Union or the United Kingdom, where processing personal data requires a legal basis under UK/EU GDPR Article 6.
You can withdraw consent at any time without affecting prior lawful processing. To object to processing based on legitimate interests, contact us at diabic@mindantic.com.
The cookie consent mechanism required by ePrivacy and PECR for EEA and UK visitors is part of the frontend rollout and will be in place before this site is offered to those regions. Until then we recommend visitors from those regions block analytics in their browser settings.
How we use your information
We use the information described in Information we collect for the following purposes:
- Operate and improve the Site. We analyze usage patterns to fix problems, prioritize new content, and improve the reading experience.
- Send newsletter content only if you have subscribed. We will not email you marketing content without your explicit opt-in.
- Respond to messages sent through /contact. We use your contact details solely to reply to your inquiry.
- Detect, prevent, and investigate fraud, abuse, and security incidents. Server logs and technical signals help us identify and block malicious traffic.
- Comply with legal obligations. We may process or retain certain data when required by applicable law, regulation, or court order.
- Aggregate usage analytics to understand which content helps readers. We review anonymized or pseudonymous trend data, never individual profiles, to guide editorial decisions.
We do not combine analytics data with your newsletter email or contact details to build individual profiles. Each purpose listed above operates in its own silo, and we only use data for a new purpose when we have a valid legal basis to do so, which we will always document and, where required, communicate to you in advance.
We do not use your information to personalize medical advice, profile health conditions, or make automated decisions that produce legal or similarly significant effects about you.
Third-party processors we share data with
We only share data with processors that operate under a written data processing agreement and process data solely on our instructions. We do not sell your personal information to third parties, and we do not share it with advertisers, data brokers, or social-media platforms for targeting purposes.
Each processor in the table below has been selected because it provides strong contractual data protection commitments. Where a processor is outside the EEA or UK, we rely on Standard Contractual Clauses or another approved transfer mechanism, see International data transfers for details.
We do not permit our processors to use your data for their own purposes, and we require them to delete or return your data when the relationship ends. If a processor experiences a security incident affecting your personal data, they are contractually required to notify us so we can meet our own breach-notification obligations.
We may add or change processors. Material changes will be reflected in this policy and announced under Changes to this policy.
International data transfers
Some of our processors are based in or transfer data to the United States or other countries outside the European Economic Area (EEA) or United Kingdom. Where such transfers occur, we take steps to ensure your data receives an equivalent level of protection.
For transfers from the EEA or UK to third countries, we rely on the Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914) and, where applicable, the EU–US Data Privacy Framework. Where required, we carry out transfer impact assessments and apply supplementary technical and organizational measures, such as pseudonymization and encryption in transit, to reduce the risk to your rights and freedoms.
If you have questions about how a specific transfer is safeguarded, contact us at diabic@mindantic.com.
How long we keep your information
We keep your information only for as long as it is needed for the purpose it was collected, or as long as required by law.
When the retention period ends we delete or anonymize the data unless we are legally required to keep it longer.
Your privacy rights
Depending on where you live, you have specific rights over the personal information we hold about you. We honor all of these rights regardless of your country of residence, subject to what is technically and legally possible.
Rights under the GDPR and UK GDPR
If you are in the European Union or the United Kingdom, the following rights apply to you under the EU GDPR and UK GDPR respectively:
- Right of access, you can ask for a copy of the personal data we hold about you.
- Right to rectification, you can ask us to correct inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"), you can ask us to delete your personal data where there is no compelling reason for us to keep it.
- Right to restriction of processing, you can ask us to pause processing your data in certain circumstances, for example while a correction request is pending.
- Right to data portability, you can ask us to provide your data in a structured, commonly used, machine-readable format so you can transfer it to another provider.
- Right to object, you can object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds that override your interests.
- Right to withdraw consent, where we rely on your consent as the legal basis, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to lodge a complaint, if you are not satisfied with how we handle your data, you have the right to complain to your local supervisory authority. Find your EU authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en or the UK's Information Commissioner's Office at https://ico.org.uk/.
Rights under the CCPA / CPRA
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you the following rights:
- Right to know, you can ask what categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the categories of third parties we share it with.
- Right to delete, you can ask us to delete personal information we collected from you, subject to certain legal exceptions.
- Right to correct, you can ask us to correct inaccurate personal information we hold about you.
- Right to opt out of sale or sharing for cross-context behavioral advertising, we do not sell or share personal information, so this right is already satisfied. No opt-out is required.
- Right to limit use of sensitive personal information, we do not collect or use sensitive personal information for inferring characteristics about you, so no limitation request is needed.
- Right to non-discrimination, we will not deny you goods or services, charge you a different price, or provide a different level of quality because you exercise any of your privacy rights.
How to exercise your rights
To make any privacy rights request, email us at diabic@mindantic.com with a description of your request. We may ask you to verify your identity by providing a few confirming details before we process the request, this protects you against unauthorized requests on your behalf.
We respond as follows. For GDPR / UK GDPR requests, within one (1) month of receiving a verified request, extendable by a further two months for complex or numerous requests (Art. 12(3)). For CCPA / CPRA requests, within 45 calendar days, extendable once by an additional 45 calendar days (90 days total) when reasonably necessary, with prior notice to you (Cal. Civ. Code § 1798.130). There is no fee for the first request in any rolling 12-month period; if subsequent requests are excessive or repetitive, we reserve the right to charge a reasonable fee or decline.
California residents may submit requests through an authorized agent. The agent must provide written proof of authorization, and we may still require you to verify your own identity directly with us.
Children's privacy
Diabic is a general-audience diabetes-education site. It is not directed to, and we do not knowingly collect personal information from, children under the age of 13 in the United States (as required by COPPA) or under the age of 16 in the European Union and United Kingdom.
If you believe that a child in one of those age groups has provided us with personal information without the appropriate consent, please contact us immediately at diabic@mindantic.com. We will investigate and delete the information promptly.
When the Diabic mobile app launches, we will implement appropriate age-gating and, where required, verifiable parental-consent mechanisms. Those practices will be described in Mobile app data practices.
How we secure your information
We apply technical and organizational measures proportionate to the risk to protect your personal information from unauthorized access, alteration, disclosure, or destruction. These measures include:
- HTTPS/TLS in transit, all data exchanged between your browser and our servers is encrypted during transmission.
- Encrypted backups at rest, database backups are encrypted before storage.
- Least-privilege admin access, team members can access only the data they need for their specific role, and multi-factor authentication (MFA) is required for all admin accounts.
- No payment data on our servers, we do not handle or store payment card information directly; any future payments will be routed entirely through PCI-DSS-compliant payment processors.
- Vendor due diligence, every processor handling personal data on our behalf is reviewed for security practices before engagement and bound by a data processing agreement.
- Breach notification, if we become aware of a personal data breach we notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, as required by GDPR Article 33. Where a breach is likely to result in a high risk to your rights and freedoms, we notify affected individuals directly without undue delay, as required by GDPR Article 34. CCPA breach-notification obligations under Cal. Civ. Code § 1798.82 apply separately to California residents.
No system is fully secure. If you believe your account or information has been compromised, contact diabic@mindantic.com.
Do Not Track and Global Privacy Control
Global Privacy Control (GPC). We honor the GPC browser signal as a valid opt-out of the sale and sharing of your personal information under the CCPA/CPRA. If your browser or extension sends a GPC signal when you visit diabic.com, we treat it as a CCPA opt-out request and will not sell or share your personal information for cross-context behavioral advertising. Because we do not sell or share personal information to begin with, this signal has no practical effect on our current data practices, but your preference is recorded and respected.
Legacy "Do Not Track" header. We do not respond to the legacy DNT browser header. There is no agreed industry standard for what the DNT signal requires a website to do, so honoring it inconsistently would be misleading. We rely on the GPC signal as the legally recognized opt-out mechanism instead.
Third-party links
The Site may contain links to, or embed content from, third-party websites and services, for example, YouTube videos, medical reference resources, or Pinterest boards. These third parties are independent of Mindantic LLC. We do not control their data practices, and this Privacy Policy does not apply to them. When you click a third-party link or interact with embedded content, their own privacy notices govern how they collect and use your information. We encourage you to review those notices before engaging with third-party content.
Changes to this policy
We may update this Privacy Policy from time to time. The Effective date and Last reviewed lines at the top of this page always reflect the date of the most recent version.
For material changes, such as collecting new categories of personal information, adding new processors, introducing new processing purposes, or starting transfers to new countries, we will post a prominent notice at the top of the Site for at least 30 days before the change takes effect. If you are a newsletter subscriber at the time of a material change, we will also notify you by email.
Minor clarifications that do not change the substance of our data practices (such as correcting a typo or adding a more detailed explanation of an existing practice) may be made without advance notice.
Previous versions of this policy are available on request. Email diabic@mindantic.com with "Privacy Policy Archive" in the subject line and we will provide the version you need.
Mobile app data practices
Pending mobile app launch. This section is published in advance of the Diabic mobile app launch. Until the app ships, no in-app data is collected. Once the app is available the items below will reflect actual practice and the "Effective date" and "Last reviewed" lines will be updated.
The Diabic mobile app will be available on Android (Google Play) and iOS (Apple App Store). When installed, the app may request or use the following device permissions:
- Push notifications, to send you reminders, weekly recipe picks, and service messages. You can disable these at any time in your device settings.
- Camera (if enabled), optionally used to photograph meals for a personal food log. Photos are stored on-device only and are never uploaded to our servers unless you explicitly share them.
- HealthKit / Google Fit (if enabled, opt-in only), to read steps, blood glucose readings, or other health metrics you choose to expose. Health data accessed through these frameworks is processed on-device. No health data leaves your device without your explicit, separate consent for that specific sync.
- Local storage, the app stores meal logs, reading history, and user preferences locally by default. This data does not leave your device unless you enable cloud sync in the app settings.
Any data you sync to our servers, such as saved recipes or account preferences, will be identified and listed in this section before that feature ships. At this time no server-side sync is planned.
You can delete your account and all associated data in two ways. Inside the app, go to Settings → Account → Delete account. Outside the app, email diabic@mindantic.com with "Account Deletion" in the subject line. Either path completes within 30 days.
The app will use the following third-party mobile SDKs. Items marked "if enabled" depend on features that have not been confirmed for the initial release:
- PostHog Mobile SDK, product analytics
- Firebase Cloud Messaging (FCM), push notification delivery
- Brevo Mobile SDK, transactional email
- RevenueCat (if enabled), subscription and purchase management
- Apple App Analytics (opt-in via iOS settings), aggregated usage metrics Apple provides to developers; you control this via iOS → Privacy → Analytics & Improvements
Regarding iOS App Tracking Transparency (ATT): we do not plan to request the ATT permission prompt because we do not engage in cross-app tracking. If that changes, we will update this section and request permission before any tracking begins.
The Diabic app is not directed to children under 13 (US) or under 16 (EU/UK). We will not enroll the app in Apple's Kids Category or Google's Designed for Families program. Age verification practices will follow those described in Children's privacy.
Apple App Store privacy categories
Pending mobile app launch. This section is published in advance of the Diabic mobile app launch. Until the app ships, no in-app data is collected. Once the app is available the items below will reflect actual practice and the "Effective date" and "Last reviewed" lines will be updated.
Apple requires developers to declare how their apps handle data using the App Store Privacy Nutrition Label. The categories below reflect our planned data practices. They will be reviewed and reconciled with the App Store Connect privacy form at submission time.
Data Used to Track You
None. We do not use any data collected from the Diabic app to track you across apps or websites owned by other companies, and we do not share data with data brokers.
Data Linked to You
The following categories of data may be associated with your account once account features ship:
- Contact information, your email address, used to identify your account and send transactional messages
- User content, recipes you save, meal logs you choose to sync, and custom lists you create
- Identifiers, your internal account ID used to associate data with your profile
- Usage data, product analytics events captured by PostHog where those events are tied to a logged-in session
Data Not Linked to You
The following categories are collected but are not tied to your identity:
- Diagnostics, crash logs and performance reports used to detect and fix bugs
- Pseudonymous analytics, aggregated usage events from anonymous or logged-out sessions collected by PostHog
Categories will be reconciled with the App Store Connect privacy form at submission time.
Google Play Data Safety alignment
Pending mobile app launch. This section is published in advance of the Diabic mobile app launch. Until the app ships, no in-app data is collected. Once the app is available the items below will reflect actual practice and the "Effective date" and "Last reviewed" lines will be updated.
Google Play requires developers to complete a Data Safety form disclosing how their app collects, shares, and secures data. The information below reflects our planned practices and will be kept in sync with the Play Console form.
Data collected. The app is expected to collect the following categories:
- Personal info, email address, collected when you create an account
- App activity, in-app events and navigation captured by PostHog for product analytics
- App info and performance, crash logs and diagnostic data used to identify and fix bugs
Data shared. Data may be shared with the following processors that act on our behalf:
- PostHog, receives pseudonymous analytics events to power our product analytics dashboard
- Brevo, receives your email address to deliver transactional and newsletter messages
- Firebase Cloud Messaging (FCM), receives device push tokens to deliver push notifications
Security practices. All data in transit is protected with TLS encryption. Data stored on our servers is encrypted at rest. We do not sell your personal information. You can request deletion of your account and all associated server-side data through the in-app flow (Settings → Account → Delete account) or by emailing diabic@mindantic.com.
Deletion requests. You may also submit a deletion request at /account-deletion (this page will be published at app launch) or by emailing diabic@mindantic.com with "Account Deletion" in the subject line. Deletion completes within 30 days.
Categories will be reconciled with the Play Console Data Safety form at submission time.
How to contact us
Data controller: Mindantic LLC Registered address: 117 S Lexington St, Ste 100, Harrisonville, MO 64701, United States Privacy / data-rights requests: diabic@mindantic.com Legal notices (including DMCA): diabic@mindantic.com General inquiries: /contact D-U-N-S Number: 14-320-1099
We respond to verifiable data-rights requests within the statutory deadlines described in How to exercise your rights, one month under GDPR / UK GDPR (extendable by two months) and 45 days under CCPA / CPRA (extendable by an additional 45 days). If you are unsure which address to use, start with diabic@mindantic.com, we will route your message to the right person. For copyright or legal notices, always use diabic@mindantic.com so we can track them properly. For everything else, the contact form at /contact is the fastest route.
EU/UK representative
Under GDPR Article 27 and UK GDPR Article 27, controllers not established in the EU or UK must appoint a local representative unless their processing is (a) occasional, (b) does not include large-scale processing of special categories of data or data relating to criminal convictions and offences, and (c) is unlikely to result in a risk to the rights and freedoms of natural persons. Mindantic LLC currently relies on this exemption: our processing of EU and UK visitor data is limited and occasional, we do not process special categories of data, and the processing we do is unlikely to result in such a risk. Mindantic LLC is directly accountable and reachable at diabic@mindantic.com for all data-protection matters. We re-evaluate this assessment regularly and will appoint a representative if the exemption no longer applies.
If you are in the EU or UK and would prefer to contact a local representative, write to diabic@mindantic.com and we will provide the most current information.
Frequently asked questions
How do I request a copy of my data?
Section 9 ("Your privacy rights") describes all the rights you have, including the right to access, correct, delete, and port your personal information. To start a request, email diabic@mindantic.com with a brief description of what you need. We will ask you to confirm your identity before we process the request, this protects you against unauthorized requests on your behalf. We respond within one month under GDPR / UK GDPR (extendable by two months for complex requests) and within 45 calendar days under CCPA / CPRA (extendable by an additional 45 days with notice).
Do you sell my personal information?
No. We do not sell or share personal information for cross-context behavioral advertising under CCPA/CPRA. We also do not show ads on diabic.com. Your information is shared only with the processors listed in Section 6 ("Third-party processors we share data with"), and they act on our instructions only.
Is Diabic HIPAA-compliant?
No. HIPAA applies to covered entities and business associates, US healthcare providers, health plans, healthcare clearinghouses, and their contractors who handle protected health information (PHI). Diabic is a publisher, not a covered entity or business associate. We do not collect, store, or transmit protected health information. Our medical disclaimer is in our Terms & Conditions.
How long do you keep my newsletter subscription?
We keep your email address until you unsubscribe, plus an additional 30 days to maintain a suppression list. The suppression list exists so we do not accidentally re-add you if your address is imported again. After 30 days your address is permanently deleted.
Do you use my data to train AI models?
No. We do not feed your personal information, messages, or analytics data to AI or machine-learning training systems. AI tools are used only for image generation as described in our Terms & Conditions, AI Content Transparency.
Effective date: May 01, 2026
Last reviewed: May 01, 2026
Operator: Mindantic LLC