Your Privacy
What we collect, why, and what you can do
This page tells you, in plain English, how The Glucose Never Lies looks after personal data. It covers the Grace app, the newsletter, email correspondence, and everything in between. If anything is unclear, email us.
The Glucose Never Lies Ltd
The Glucose Never Lies Ltd (GNL) is a UK private limited company, registered in England and Wales (Company No. 16733595). We run the diabetes education website at theglucoseneverlies.com, the Grace AI education assistant at app.theglucoseneverlies.com, a newsletter, a podcast, and a consultancy service.
We are the data controller under UK GDPR and the Data Protection Act 2018. That means we decide how and why your data is processed, and we are responsible for looking after it correctly.
We are registered with the UK Information Commissioner’s Office (ICO) as a data controller, registration number ZC057708.
Our data protection contact is John Pemberton, GNL Founder and Director. You can reach him at john@theglucoseneverlies.com for any data-related question, request, or concern. We aim to respond within five working days for general enquiries and within 30 days for formal subject access or erasure requests (as required by UK GDPR Article 12(3)).
The personal data we hold
Newsletter subscribers (via Brevo)
When you sign up to GNL email updates, we collect your name and email address. You are added to Brevo, our newsletter delivery platform. The newsletter checkbox is ticked by default when you create a Grace account; you can untick it at any point during registration, or unsubscribe at any time afterwards with one click. We never add you to a list without your knowledge.
Grace user accounts
When you register for Grace at app.theglucoseneverlies.com, we collect your email address, display name, and audience self-identification (person with diabetes, supporter, healthcare professional, researcher, or industry). If you choose to enter a date of birth, weight, or total daily insulin dose, those values are stored in your profile.
One thing worth being clear about: those profile values are never used to silently pre-fill clinical outputs. Every time you run an educational query, you select your own inputs fresh. GNL is an educational tool, not a personalised medical service; the distinction matters.
Grace’s AI responses are generated by Anthropic’s Claude model. Your query text passes through Anthropic’s API to generate a response; Anthropic does not store or train on those queries under its standard API terms.
Email correspondence
If you email us at any GNL address (john@, anj@, phillip@, dani@theglucoseneverlies.com), that correspondence is stored in Google Workspace. We archive emails; we do not permanently delete them, which means we can trace any exchange if a question or dispute arises later.
Accounts and financial records
Invoices, receipts, and VAT records contain the names, addresses, and payment details of clients and suppliers. These are kept as required by UK law.
System and security logs
Our servers record standard access logs (IP address, request type, timestamp). These are used for security monitoring and incident investigation, not for user profiling.
Our lawful basis for each type of processing
Newsletter subscription: consent
We send the newsletter because you consented, either by subscribing directly or by leaving the default-ticked checkbox in place during Grace account registration. You can withdraw consent at any time; there is a one-click unsubscribe link at the bottom of every email we send.
Grace account and service delivery: contract
Creating a Grace account forms a service agreement between you and GNL. We process your account data because it is necessary to provide that service, including authenticating your access and routing educational outputs to the correct audience type.
Logs, security, and incident traceability: legitimate interests
We have a legitimate interest in keeping our systems secure and being able to investigate problems. Server logs and the archive-only email policy both serve that interest. We have weighed this against your privacy interests and concluded the processing is proportionate.
Accounts data: legal obligation
UK tax and company law requires us to keep financial records for six years. This is a statutory obligation, not a choice.
Retention periods
We keep data for as long as there is a clear reason to hold it and no longer.

| Data category | How long we keep it |
|---|---|
| Newsletter subscriber data (Brevo) | Until you withdraw consent via one-click unsubscribe, or 3 years of inactivity, whichever comes first |
| Grace user account data | Until you delete your account via the app, or 5 years of inactivity, whichever comes first |
| Business correspondence (email) | 6 years, per UK statutory record-keeping requirements |
| Accounts and financial records | 6 years, per UK statutory record-keeping requirements |
| System and security logs | 6 years, for incident traceability and insurance audit purposes |
| Explorer session inputs (glucose, weight, etc.) | Not retained: transient processing only; no value is stored after the response is returned |

Our data processors
We do not sell personal data. We do not use personal data for advertising or profiling outside the GNL educational service. We share data only with the processors listed below. Each one is either UK-based, EU-based, or operates under a UK GDPR-compatible transfer mechanism (Standard Contractual Clauses or the UK International Data Transfer Addendum, where applicable).

| Processor | Purpose | Data involved |
|---|---|---|
| Brevo (Sendinblue) | Newsletter and transactional email delivery | Name, email address, subscription preferences |
| Anthropic | Powers Grace AI responses via the GNL API key hosted on Forge | Query text passed transiently to generate a response; not stored or trained on under standard API terms |
| Laravel Forge | Hosts the GNL Grace API | Grace account data, query logs |
| Vapor (Laravel) | Serverless deployment infrastructure | Application data in transit during deployments |
| AWS Lightsail and CloudFront | WordPress site hosting and content delivery network | All website traffic; EU (London) region |
| Google Workspace | Email, calendar, Drive, and Docs | Business correspondence and documents; Google operates under the UK adequacy decision |
| Stripe | Payment processing for paid clients and commercial partners | Payment card details and billing information; PCI-DSS certified; GNL does not store card data |

Your rights and how to use them
Unsubscribe from the newsletter
Every GNL email contains a one-click unsubscribe link in the footer. Clicking it removes you from the list immediately; no login or form is required. The newsletter checkbox is ticked by default when you register for Grace, so if you did not untick it at the time and would now like to opt out, use the link in any email you have received.
Delete your Grace account
Registered Grace users can delete their account at any time from within the app. Deletion removes all account data from our system. If you have trouble accessing the deletion option, email john@theglucoseneverlies.com and we will complete the deletion manually within five working days.
Subject access requests
You have the right to ask us for a copy of the personal data we hold about you. Email john@theglucoseneverlies.com with the subject line “Subject access request”. We will confirm receipt and provide the information within 30 days, as required by UK GDPR Article 12(3).
Correction and erasure
If any data we hold is wrong, email us and we will correct it. If you want us to delete data that we are not required by law to keep, email us and we will do so. We cannot delete data covered by statutory retention obligations (financial records, for example), but we will tell you clearly if that applies to any part of your request.
Other rights under UK GDPR
You also have the right to restrict processing, the right to data portability, and the right to object to processing based on legitimate interests. To exercise any of these, contact john@theglucoseneverlies.com. We will respond within 30 days.
Response commitment. We aim to respond to all data-related emails within five working days for general enquiries. For formal subject access requests, erasure requests, and complaints, the legal deadline is 30 days from receipt. We will acknowledge your email as soon as we receive it.
Something gone wrong? We want to know
If you believe we have handled your personal data incorrectly, please email john@theglucoseneverlies.com first. Most issues can be resolved quickly and directly, and we take every concern seriously.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at any time, without needing to contact us first:
Website: ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
The ICO is the supervisory authority for UK data protection law.
What runs on this site
GNL uses Google Analytics 4 (GA4) for anonymised traffic analysis. IP addresses are anonymised at collection. We do not use advertising features, cross-site tracking cookies, or build individual profiles from analytics data.
The Grace widget in the bottom-right corner of every GNL page is a functional button that routes to app.theglucoseneverlies.com. It does not collect data on anonymous visitors, does not use advertising cookies, and does not track your behaviour across other sites.
No third-party advertising trackers are used on any GNL page.
When this notice changes
We review this notice at least every quarter and update it when our data practices change. The effective date at the foot of this page shows when the current version came into force. If we make a material change, such as adding a new processor or a new category of data, we will notify registered Grace users by email before the change takes effect.
If you would like to read the more detailed internal data-protection policy (written for insurers and auditors rather than for users), email john@theglucoseneverlies.com and we will send a copy.
