Privacy Policy

Last updated: July 5, 2025

A. SCOPE & APPLICATION

This Privacy Charter explains how Diamond Star Technologies, Inc. (“DST,” “we,” “our,” “us”) collects, uses, discloses, and safeguards your personal data when you access or use the KarbCoach mobile application, website, APIs, and any related services (collectively, the “Platform”). It also describes your privacy rights and how you can exercise them. Capitalised terms not defined here have the meanings given in the Terms and Conditions. This Charter supplements, and does not replace, any other privacy notices or disclosures that may apply to specific features or relationships.

B. CATEGORIES OF DATA COLLECTED

The categories and illustrative examples of personal data we process include, but are not limited to:

  1. Identifiers – full name; display name; postal address; email; telephone number; government IDs (hashed); account username; device and advertising identifiers; IP address; cookies; user agent string.
  2. Demographics – age; date of birth; gender identity; pronouns; height; weight; ethnicity; household composition.
  3. Nutrition Logs – food items; ingredients; portion sizes; photographs of meals; nutritional macros; meal timestamps; micronutrient targets.
  4. Biometric & Health – continuous glucose monitor (CGM) readings; heart‑rate variability; blood pressure; sleep stages; step count; menstrual cycle data; body‑composition metrics; genetic markers (if you connect a third‑party genomics account).
  5. Behavioral & Engagement – screen flows; feature usage telemetry; dwell time; haptic interactions; voice commands; keystroke patterns; error reports.
  6. Content – text prompts you enter; images you upload or annotate; voice notes; feedback surveys; chat transcripts with our AI coach.
  7. Location – precise GPS coordinates; approximate location derived from IP or Bluetooth; altitude; motion data; time zone.
  8. Sensor/Device Metadata – device model; OS version; locale; battery status; camera and microphone settings; network SSID (hashed).
  9. Purchasing & Financial – subscription plan; in‑app purchase receipts; payment card last four digits; billing address; refunds; promotional redemptions.
  10. Social & Community – profile avatar; public posts; group memberships; friend lists; reactions; mentions; user‑generated content metadata.
  11. Inferred & Derived Profiles – caloric needs; nutrient deficiencies; behavioural clusters; propensity scores; adherence predictions; churn risk.
  12. Special Category Data (GDPR) – health, biometrics, genetics, sexual orientation or activity (e.g., menstrual logs). Processed only with explicit consent or where necessary for the performance of a contract.

C. PURPOSES & LEGAL BASES FOR PROCESSING

| Purpose | Illustrative Activities | Primary Legal Bases (GDPR) |
| --- | --- | --- |
| Account creation & authentication | Verify identity, enable login with passkeys, multi‑factor authentication | Contract Art. 6(1)(b) |
| Personalised nutrition coaching | Generate adaptive meal plans, alert on hypo/hyperglycemia, adjust macros using your health data and AI models | Contract; Consent (special data Art. 9(2)(a)) |
| AI‑driven indicative content | Produce product recommendations, chat replies, and predictive insights via large language models (LLMs) | Contract; Legitimate Interest; Consent |
| Product improvement & analytics | Aggregate telemetry, run A/B tests, train machine‑learning models, debug crashes | Legitimate Interest Art. 6(1)(f) |
| Marketing & behavioural advertising | Send push notifications, email offers, retarget ads on social platforms | Consent Art. 6(1)(a); Legitimate Interest (where permitted) |
| Regulatory compliance & fraud prevention | Satisfy HIPAA (where applicable), tax, accounting, sanctions screening, security monitoring | Legal Obligation Art. 6(1)(c); Legitimate Interest |
| Scientific & medical research | Conduct statistical analysis, publish peer‑reviewed studies using de‑identified datasets | Legitimate Interest; Consent |
| Business operations & transactions | Audit, mergers, acquisitions, corporate reorganisations | Legitimate Interest |

We will request additional consent when required by law or when our processing materially differs from the purposes disclosed.

D. DATA SHARING & DISCLOSURE

We only disclose personal data to the extent necessary, under confidentiality obligations, and pursuant to appropriate safeguards:

  • Infrastructure & Hosting – cloud providers (e.g., AWS, GCP, Azure), CDN operators, backup vendors.
  • Analytics & AI Vendors – Snowflake, Mixpanel, Amplitude, OpenAI, Anthropic, Hugging Face Inference API, on‑device ML frameworks.
  • Payment & Subscription Processors – Stripe, Google Play Billing, Apple In‑App Purchase, RevenueCat.
  • Healthcare Professionals – dietitians, endocrinologists, or coaches you explicitly authorise.
  • Advertising & Attribution Partners – Meta, Google Ads, TikTok, Branch, Adjust (with pseudonymisation where possible).
  • Business Transfers – prospective buyers, investors, or affiliates during restructuring.
  • Legal & Compliance – competent courts, regulators, law‑enforcement agencies, tax authorities.
  • Consent‑based Sharing – integrations you enable (e.g., Fitbit, Dexcom, Apple Health, MyFitnessPal).

International transfers rely on adequacy decisions, Binding Corporate Rules, or the EU/UK Standard Contractual Clauses with supplemental technical and organisational measures, including encryption, split‑key trust, and data‑minimisation.

E. COOKIES, SDKs & SIMILAR TRACKING TECHNOLOGIES

The Platform leverages first‑ and third‑party cookies, mobile SDKs, device fingerprinting, pixel tags, and local storage objects to:

  • maintain session state and authentication tokens;
  • remember preferences and dark‑mode settings;
  • measure campaign performance and attribution;
  • detect bots and malicious activity;
  • deliver contextual or personalised advertising;
  • facilitate crash diagnostics and performance monitoring.

You can manage or withdraw consent via our in‑app Privacy Center, browser settings, or your mobile OS advertising controls (AAID/IDFA). Disabling certain trackers may degrade functionality.

F. DATA RETENTION & LIFECYCLE MANAGEMENT

We adhere to a data‑minimisation principle. Personal data is retained for the shortest period necessary to fulfil the purposes described above, taking into account statutory requirements and limitation periods. By default, we retain:

  • Active Account Data – for the life of your account plus seven (7) years after closure;
  • Transaction Records – minimum seven (7) years for tax and audit;
  • Crash & Telemetry Logs – thirteen (13) months;
  • Model Training Snapshots – up to five (5) years, after which they are aggregated or deleted;
  • De‑identified or anonymised datasets – may be stored indefinitely.

Secure deletion methods (cryptographic erasure, zero‑fill, or secure wipe) are applied. Backups roll off within thirty‑five (35) days.

G. SECURITY MEASURES

DST maintains a defence‑in‑depth security programme aligned with ISO 27001, SOC 2 Type II, and NIST CSF. Safeguards include:

  • AES‑256 or stronger encryption at rest; TLS 1.3/QUIC in transit;
  • Hardware Security Modules (HSMs) for key management;
  • Zero‑trust network access, least‑privilege RBAC, and Just‑in‑Time (JIT) elevation;
  • Continuous vulnerability scanning, container image hardening, dependency SBOM & SAST/DAST pipelines;
  • Annual external penetration tests and quarterly red‑team simulations (including AI model red‑teaming);
  • Differential‑privacy noise injection for certain analytics reports;
  • Rate limiting and Web Application Firewall (WAF) against injection and scraping;
  • Formal incident‑response plan with 24×7 security operations centre (SOC) and breach notification procedures.

No system is 100 % secure; by using the Platform you acknowledge residual risk.

H. YOUR PRIVACY RIGHTS

Depending on your jurisdiction (e.g., GDPR, UK DPA 2018, CCPA/CPRA, LGPD, PDPA), you may have the right to:

  • Access – obtain a copy of your personal data and metadata;
  • Rectification – correct incomplete or inaccurate data;
  • Erasure – request deletion (right to be forgotten);
  • Restriction – limit processing in specific contexts;
  • Portability – receive data in a structured, machine‑readable format;
  • Objection – opt out of profiling, direct marketing, or data sales/sharing;
  • Automated Decision‑Making – obtain human review of decisions that significantly affect you;
  • Non‑Discrimination – exercise rights without adverse treatment.

Submit verified requests to privacy@karbcoach.app (or use in‑app Privacy Center). We respond within one (1) month, extendable by two (2) months for complex requests. If we deny your request, we will state the reasons and provide redress options.

I. CHILDREN & MINORS

The Platform is not directed to children under 13 (or the minimum age required by local law). We do not knowingly collect data from them. If we learn that a child’s data has been collected, we will delete it and disable the account unless a parent or guardian provides verifiable consent through our supervised‑account flow.

J. CHANGES TO THIS CHARTER

We may update this Privacy Charter to reflect legislative changes, industry standards, or new practices. Material changes will be communicated via email, push notification, or prominent in‑app banner at least thirty (30) days before taking effect. Your continued use of the Platform after the effective date constitutes acceptance of the revised Charter.

K. COMPLAINTS & DISPUTE RESOLUTION

EU/UK residents can lodge a complaint with their local Data Protection Authority (DPA). We encourage you to contact our Data Protection Officer (DPO) first so we can seek to resolve any issue. Under certain circumstances, you may have the right to pursue binding arbitration or initiate a private right of action.

L. AI & AUTOMATED DECISION‑MAKING PRACTICES

  1. Model Training Sources – We use first‑party data, publicly available data, and licensed datasets to train and fine‑tune our models. Your personal data may contribute to model training only with your opt‑in consent. Training datasets undergo bias and toxicity audits.
  2. Explainability – We provide plain‑language summaries of the logic involved in AI‑generated recommendations. For high‑stakes health guidance, a human‑in‑the‑loop review is always available.
  3. Monitoring & Fairness – Continuous evaluation pipelines measure model drift, disparate impact across protected classes, and hallucination rates. We publish transparency metrics periodically.
  4. Adversarial Protections – Techniques such as differential privacy, gradient clipping, and watermarking are applied to mitigate model inversion, data leakage, or deepfake abuse.
  5. Opt‑Out – You may disable personalised AI features or exclude your data from future model training via settings > Privacy > AI Controls.

M. CONTACT

For questions about this Charter or our privacy practices, please contact:

Data Protection Officer (DPO)
Diamond Star Technologies, Inc.
99 Howdy Drive, Suite 200
San Francisco, CA 94105, USA
Email: privacy@karbcoach.app