This policy describes how GlucoWorks LLC collects, uses, protects, and discloses information in connection with the DoseAdvisor platform — including the clinician web dashboard and patient mobile application.
DoseAdvisor is a clinical decision support platform developed and operated by GlucoWorks LLC, a healthcare technology company. DoseAdvisor enables licensed clinicians to configure structured insulin dosing regimens, which are then executed safely by patients through the DoseAdvisor mobile application.
GlucoWorks LLC is the data controller for information collected through the DoseAdvisor platform. Our principal place of business is in the United States.
We collect the minimum information necessary to operate the DoseAdvisor platform safely and effectively.

| Data category | Collected from | Contains PHI? |
|---|---|---|
| Clinician profile | Clinician at registration | No |
| Patient demographics | Clinician entry | Yes |
| Insulin regimen config | Clinician entry | Yes |
| Blood glucose readings | Patient entry in app | Yes |
| Dose history & audit log | Platform-generated | Yes |
| Device & session data | Automatically collected | No |
| Crash & error logs | Automatically collected | No (anonymized) |

Information collected through DoseAdvisor is used exclusively for the following purposes:
DoseAdvisor is built on a HIPAA-ready architecture. Where GlucoWorks LLC operates as a Business Associate to a Covered Entity (such as a medical practice or health system), all PHI is handled in accordance with HIPAA's Privacy Rule (45 CFR Part 164, Subpart E) and Security Rule (45 CFR Part 164, Subparts A and C).
We apply the HIPAA minimum necessary standard to all PHI access and disclosure. Users of the clinician dashboard may only access records of patients assigned to them within their organization. Platform administrators have access controls that are role-based and logged.
We do not sell, rent, or trade personal information or PHI. We share information only in the following limited circumstances:
DoseAdvisor is hosted on Google Cloud Platform (GCP). GlucoWorks LLC maintains a signed BAA with Google covering all services that process PHI. GCP services used include Cloud Run (compute), Cloud SQL (database), Cloud Storage (file storage), and Secret Manager (credentials). All data remains within GCP's HIPAA-eligible services.
Patient data entered or generated within DoseAdvisor is accessible to the prescribing clinician and authorized members of their organization as configured in the platform. Patients are informed of this at the time of enrollment by their clinician.
We may disclose information where required by law, court order, or governmental authority — including HIPAA-mandated disclosures to the Secretary of Health and Human Services for compliance investigations.
In the event of a merger, acquisition, or sale of assets, PHI and user data will only be transferred to a successor entity that agrees in writing to be bound by terms at least as protective as this policy and applicable law, including HIPAA.

| Recipient | Purpose | BAA in place? |
|---|---|---|
| Google Cloud Platform | Hosting, database, storage | Yes |
| Prescribing clinician & org | Clinical care | N/A — treatment relationship |
| Push notification service | Dose reminders (non-PHI) | Yes (if applicable) |
| Analytics / crash reporting | Platform reliability (anonymized) | N/A — no PHI involved |

We retain information for as long as necessary to provide the DoseAdvisor service and comply with our legal, regulatory, and clinical documentation obligations.

| Data type | Retention period | Basis |
|---|---|---|
| Dose history & audit logs | 7 years from creation | Clinical documentation standards; HIPAA |
| Patient records | Duration of active care relationship + 7 years | Medical record retention requirements |
| Clinician account data | Duration of active account + 3 years | Business records |
| Insulin regimen configurations | 7 years from last active use | Clinical documentation; audit trail |
| Session & access logs | 2 years | Security monitoring; HIPAA audit requirements |
| Crash & error logs (anonymized) | 90 days | Platform reliability |

Upon account termination or a valid deletion request, we will de-identify or securely delete personal information within 30 days, subject to our legal retention obligations above. PHI subject to a BAA will be handled as specified in the applicable agreement.
We implement technical, administrative, and physical safeguards designed to protect information collected through DoseAdvisor.
No method of electronic transmission or storage is 100% secure. While we strive to protect your information using commercially reasonable means, we cannot guarantee absolute security. In the event of a security incident affecting PHI, we will notify affected parties as required by the HIPAA Breach Notification Rule and applicable state law.
Depending on your role and jurisdiction, you may have the following rights with respect to your information. To exercise any of these rights, contact us at privacy@gluco-works.com.

- Request a copy of the personal information or PHI we hold about you.
- Request correction of inaccurate personal information or PHI held by us.
- Request deletion of your personal information, subject to our legal retention obligations.
- Request an export of your data in a structured, machine-readable format where technically feasible.
- Request restriction of processing of your information in certain circumstances.

As a patient, you have additional rights under HIPAA including access to your designated record set. Direct requests to your prescribing clinician or to us.
We will respond to verified requests within 30 days. For PHI-related requests, we may need to coordinate with the applicable Covered Entity (your clinician's practice or health system) before we can fulfill the request.
DoseAdvisor is a clinical platform intended for use under the supervision of a licensed healthcare provider. Patients under the age of 18 may use the DoseAdvisor patient app only with the explicit involvement of a parent or legal guardian and under the care of a licensed clinician who has established the patient account.
We do not knowingly collect personal information directly from children under 13 without verifiable parental consent. If you believe we have inadvertently collected information from a child under 13 without appropriate consent, please contact us immediately at privacy@gluco-works.com and we will take prompt action to delete it.
We may update this Privacy Policy from time to time to reflect changes in our practices, platform capabilities, or applicable law. When we make material changes, we will:
Your continued use of DoseAdvisor after the effective date of a revised policy constitutes acceptance of the updated terms. If you do not agree with the changes, you may close your account by contacting us at privacy@gluco-works.com.
For BAA-covered organizations, material changes that affect the handling of PHI will be communicated in accordance with the terms of the applicable Business Associate Agreement.
For questions, requests, or concerns about this Privacy Policy or your information, please contact us:
GlucoWorks LLC — Privacy Office
For privacy requests, HIPAA inquiries, BAA questions, and data subject rights.
For general inquiries: info@gluco-works.com
For clinical partnership inquiries: clinical@gluco-works.com
DoseAdvisor is a trademark of GlucoWorks LLC. This Privacy Policy applies to the DoseAdvisor web dashboard and patient mobile application operated by GlucoWorks LLC. It does not apply to third-party services or websites linked from within the platform.
This document does not constitute legal advice. GlucoWorks LLC recommends that covered entities review this policy with qualified HIPAA counsel prior to deploying DoseAdvisor in a clinical environment.