OneBella™
Back to Home

OneBella™ Privacy Policy

Effective Date: March 16, 2026
Last Updated: July 12, 2026

1. Introduction

OneBella™ ("we," "our," or "us") is committed to protecting your privacy and the confidentiality of your personal health information. This Privacy Policy explains how we collect, use, store, and protect your information when you use our comprehensive diabetes management platform.

Your Health Data is Sacred: We understand that your health information is among your most sensitive personal data. We treat it with the highest level of security and respect, following medical-grade privacy standards and age-appropriate protections.

2. Children's Privacy and COPPA Compliance

2.1 Children Under 13

OneBella is designed to serve families with children who have Type 1 Diabetes. We comply with the Children's Online Privacy Protection Act (COPPA) to protect the privacy of children under 13 years of age.

  • Parental Consent Required: We require verified parental consent before collecting any personal information from children under 13.
  • Parent Verification: Parents must verify their identity through a multi-step process before linking their account to their child's account.
  • Limited Data Collection: We only collect information necessary for diabetes management and age-appropriate features.
  • Parent Control: Parents have full control over their child's account, including data access, sharing settings, and feature availability.

2.2 Age-Appropriate Controls

  • Kids (5-12): Restricted communication features, parental oversight required for all activities, simplified data collection.
  • Teens (13-17): Enhanced privacy controls, optional parental monitoring, age-appropriate content moderation.
  • Adults (18+): Full platform access with comprehensive privacy controls.

2.3 Parental Rights Under COPPA

Parents have the right to:

  • Review all personal information collected from their child
  • Request deletion of their child's personal information
  • Refuse to allow further collection or use of their child's information
  • Access and download all health data associated with their child's account

2.4 Age Verification Data (FTC 2026 Compliance)

Date of birth is collected during account creation solely to determine age group eligibility (Kid, Teen, or Adult) and to enforce COPPA protections for children under 13. This data:

  • Is stored securely in our database and never shared with any third-party service
  • Is used only for age group classification, COPPA enforcement, and birthday transition scheduling
  • Is never sent to AI services, analytics providers, or advertising platforms
  • Is redacted from error monitoring systems (Sentry)
  • Appears as age group only (not exact date) in any research or aggregated exports

3. Information We Collect

3.1 Health Information

  • Glucose Readings: Blood sugar measurements, timestamps, and context
  • Food and Nutrition Data: Meal logs, carbohydrate intake, photo analysis results
  • Medication Information: Insulin doses, medication schedules, and adherence tracking
  • Device Data: Connected CGM readings, smartwatch data, and device performance metrics
  • Symptoms and Notes: User-reported symptoms, mood tracking, and personal observations

3.2 Personal Information

  • Account Data: Email address, username, date of birth, and account preferences
  • Profile Information: Diabetes type, diagnosis date, healthcare provider information
  • Emergency Contacts: Contact information for emergency situations
  • Location Data: General location for T1 Nearby™ community features (only when you opt in through privacy settings). Location sharing is entirely optional and can be disabled at any time.

3.3 Community and Messaging Data

  • Community Posts: Content you share in community feeds and T1 Nearby
  • Messages: Direct messages sent and received through the messaging feature
  • Friend Connections: Friend requests, accepted connections, and blocked users
  • Visibility Preferences: Your community visibility and map opt-in settings

4. Data Security and Protection

4.1 Encryption Standards

  • Data at Rest: AES-256 encryption for all stored health data
  • Data in Transit: TLS 1.3 encryption for all data transmission
  • Device Security: Local encryption on mobile devices and computers
  • Backup Protection: Encrypted backups with separate encryption keys

4.2 Privacy and Compliance Standards

  • COPPA Compliance: Full compliance with Children's Online Privacy Protection Act for users under 13
  • GDPR / UK GDPR: Data protection rights for users in the European Economic Area and United Kingdom (see Section 8)
  • California Privacy (CCPA/CPRA): Privacy rights for California residents (see Section 9)
  • FDA Guidelines: Following FDA guidance for medical software
  • Information Security: Security practices aligned with ISO 27001 principles for information security management
  • Age-Appropriate Security: Tailored security measures based on user age group

5. Your Privacy Rights

5.1 Data Access Rights

  • View Your Data: Access all stored health information through the app
  • Data Export: Download your complete health record in standard formats
  • Sharing Reports: Generate reports for healthcare appointments
  • Activity Logs: View history of data access and sharing

5.2 Data Control Rights

  • Correction Rights: Update or correct inaccurate health information
  • Deletion Rights: Delete specific entries or your entire account
  • Sharing Control: Manage who can access your health data
  • Consent Management: Withdraw consent for data sharing at any time

6. Data Sharing

6.1 Never Shared

  • Commercial Purposes: We never sell your health data to advertisers or marketers
  • Insurance Companies: No sharing with health or life insurance providers
  • Employers: Your workplace cannot access your health information
  • Social Media: No integration with social networking platforms

6.2 Third-Party Service Providers

OneBella™ uses the following third-party services to provide core functionality. Each service receives only the minimum data necessary for its purpose:

  • OpenAI (Bella AI): Receives conversation text for AI responses. User identification is limited to a SHA-256 hashed ID (with a c_ prefix for child users). No date of birth, real name, email, or health data identifiers are sent.
  • Dexcom: Receives OAuth credentials to retrieve your CGM glucose data. No age, demographic, or personal data beyond authentication tokens is shared.
  • Garmin: Receives OAuth credentials to retrieve fitness and wellness data. No age, demographic, or personal data beyond authentication tokens is shared.
  • Firebase (Google): Handles user authentication (email/password). Receives email address and encrypted password only.
  • SendGrid (Twilio): Delivers transactional emails (account verification, consent notifications, alerts). Receives email address and email content only. No health data is included in emails.
  • Stripe: Processes subscription payments. Receives email address and payment information only. No health data is shared with Stripe.
  • Sentry: Monitors application errors. A beforeSend hook automatically redacts all PII (email, date of birth, passwords, tokens) from error reports before they leave the server.

7. Data Retention

  • Active Accounts: Your data is retained for the duration of your active account.
  • Account Deletion: Upon request, your personal data and health records are permanently deleted within 30 days.
  • Inactive Accounts: Accounts inactive for more than 24 months may be flagged for review and potential deletion after notification.
  • Child Account Data: If parental consent is revoked or expires without renewal, the child's account is suspended and data is retained for 90 days before deletion to allow for consent re-verification.
  • Legal Requirements: Certain data may be retained as required by law or to protect our legal rights.
  • Anonymized Data: De-identified, aggregated data may be retained indefinitely for research and service improvement purposes.

8. International Users (GDPR & UK GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following additional terms apply to you.

8.1 Legal Bases for Processing

We process your personal data only where we have a legal basis to do so under the EU General Data Protection Regulation (GDPR) and the UK GDPR:

  • Consent: For health data you choose to log, optional features such as location sharing, and children's data (with verified parental consent). You may withdraw consent at any time.
  • Contract: To provide the Service you signed up for, including account management and core diabetes management features.
  • Legitimate Interests: For service security, fraud prevention, and improving the platform — balanced against your rights and freedoms.
  • Legal Obligation: Where we must retain or disclose data to comply with applicable law.

8.2 Your Rights in the EEA and UK

In addition to the rights described in Section 5, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data ("right to be forgotten")
  • Restrict or object to processing of your data
  • Data Portability: receive your data in a structured, commonly used, machine-readable format
  • Withdraw Consent at any time, without affecting the lawfulness of processing before withdrawal
  • Lodge a Complaint with your local data protection supervisory authority (in the UK, the Information Commissioner's Office)

To exercise any of these rights, contact us at support@onebella.org. We will respond within one month as required by law.

8.3 International Data Transfers

OneBella™ is operated from the United States, and your data is processed and stored on servers located in the United States. If you use the Service from outside the United States, your personal data will be transferred to the United States. Where required by law, we protect international transfers using appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with the technical protections described in Section 4 (AES-256 encryption at rest, TLS encryption in transit).

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the following rights:

  • Right to Know: Request details about the categories and specific pieces of personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information, subject to legal exceptions
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt Out of Sale or Sharing: We do not sell your personal information, and we do not share it for cross-context behavioral advertising. Because we never sell or share personal information as defined by the CCPA/CPRA, there is nothing to opt out of.
  • Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (such as health data) only to provide the Service you request — never for advertising or profiling
  • Right to Non-Discrimination: We will never discriminate against you for exercising your privacy rights

To exercise these rights, email us at support@onebella.org. You may also use an authorized agent to submit requests on your behalf; we will verify the agent's authorization and your identity before responding. We respond to verified requests within 45 days.

10. Cookies and Analytics

  • This Website: Our marketing website (onebella.org) does not use advertising cookies and does not currently load third-party analytics or tracking scripts. If we introduce analytics in the future, we will update this policy and request consent where required by law (including under the EU ePrivacy rules).
  • Essential Technical Data: Our hosting provider (Netlify) processes standard server logs — including IP addresses — for security, abuse prevention, and content delivery. This is essential technical processing, not tracking.
  • Waitlist: If you join our launch waitlist, you do so by sending us an email at support@onebella.org. We use your email address solely to send you a single launch notification. It is never sold, shared, or used for other marketing.
  • The App: The OneBella™ application uses essential session storage needed for you to stay signed in, along with privacy-safe usage analytics and error diagnostics (with personal information automatically redacted — see Section 6.2). We do not use advertising trackers in the app.

11. Contact Us

If you have questions about this Privacy Policy, your data rights, GDPR/UK GDPR or CCPA/CPRA requests, or COPPA compliance, please contact us:

  • Email: support@onebella.org
  • Privacy Inquiries: support@onebella.org
  • Parental Consent Questions: support@onebella.org
  • Mailing Address: OneBella LLC, 975 Western Ave, Dixmont, ME 04932-9998, United States

This privacy policy is designed to protect families managing Type 1 diabetes across all age groups. Your family's health data security and children's privacy protection are our highest priorities.

© 2025-2026 OneBella LLC. All Rights Reserved.