Privacy Policy
Last updated: 2026-03-07
This Privacy Policy explains how Hismis Kft. (“B-Sense”, “we”, “us”) collects, uses, and shares personal data when you use:
- the website at https://b-sense.hismis.com
- the B-Sense device firmware and companion services (API, account, membership)
If you do not agree with this Privacy Policy, do not use the Service.
B-Sense does not directly sell the physical hardware device. If our website links to a third-party hardware seller, that purchase is handled by the external seller under its own terms and privacy notice.
1. Controller and Contact
Data controller: Hismis Kft.
Address: Hungary, 2071 Paty, Napfeny utca 11/1
Email: info@b-sense.hismis.com
2. What Data We Collect
2.1 Account and subscription data
We may collect:
- username and email address
- subscription status and plan level
- billing references (we do not store full card details; payment is handled by our payment providers)
2.2 Device and technical data
We may collect:
- device identifiers used by the Service (for example a persistent random `device_id`)
- API keys and authentication tokens
- heartbeat/diagnostic metadata (for example firmware version, device model, mode snapshot, connectivity status, server-received timestamp)
- service logs (for example IP address, timestamps, request metadata, and error logs)
2.3 Glucose and health-related data (if you use our cloud API)
Depending on your configuration, we may process glucose readings and related metadata (“health data”).
Health data can be considered a special category of personal data under GDPR. Where required by law, we will process health data only with your explicit consent (or another lawful basis that applies).
If you use Nightscout (or another third-party data source) directly and do not send data to our cloud API, we do not receive that health data (except what you explicitly submit through our Service).
2.4 Website data (cookies and similar technologies)
We use cookies and similar technologies to provide and secure the website, keep you logged in, and remember preferences. See “Cookies” below.
2.5 Website form submissions and selected interests
If you use our homepage form, we may collect:
- your email address
- the topics you select (for example news, updates, compatibility interest, “Notify me about new supported display hardware”, or tester interest)
- optional setup details you provide (for example CGM model and phone model/OS)
- optional notes you submit
- confirmation metadata needed to operate the sign-up / follow-up flow
2.6 Support communications
If you contact us, we may collect the information you provide, including messages and attachments.
3. Why We Use Data and Legal Bases
We process personal data for the following purposes (legal bases may vary by jurisdiction):
- provide and operate the Service, including account management (contract)
- manage device entitlement and device registration (contract; legitimate interests where applicable)
- process payments and manage subscriptions (contract; legal obligation)
- secure the Service, prevent abuse, and debug issues (legitimate interests)
- monitor fleet health and service reliability, including device heartbeat telemetry and latest device status data (legitimate interests; consent where required by local law)
- communicate service updates and required notices (contract; legitimate interests)
- manage homepage form submissions for updates, compatibility-interest follow-up, “Notify me about new supported display hardware” requests, and tester-program interest (consent; legitimate interests for administration and abuse prevention where applicable)
- operate double opt-in confirmation, submission review, and related admin export flows for homepage form submissions (consent; legitimate interests for administration, abuse prevention, and service operation where applicable)
- improve the Service and measure website usage (legitimate interests; consent for analytics where required)
For health data, we generally rely on your explicit consent or another applicable lawful basis.
4. Sharing and Processors
We may share personal data with:
- hosting and infrastructure providers used to operate the website, API, databases, caching, backups, and monitoring
- WordPress-related service providers and plugins used for forms, membership handling, and site operation
- email delivery providers used for transactional and confirmation emails
- analytics providers where analytics is enabled or accepted
- social login providers (if you choose to use social login)
- payment providers (for subscription billing, if payment processing is enabled)
- professional advisors (legal/accounting) where necessary
- authorities if we are legally required to do so
We require processors to protect personal data and process it only on our instructions.
5. International Transfers
If personal data is transferred outside the EEA/UK, we use appropriate safeguards where required (for example Standard Contractual Clauses).
6. Retention
We keep personal data only as long as necessary for the purposes described above, including:
- account data: while your account is active and for a reasonable period after deletion (for support, security, and legal compliance)
- device registry data (for example `device_id` mappings): while the related account/device relationship remains active and until the relevant deletion workflow is completed
- heartbeat telemetry: the current API architecture stores the latest heartbeat state per device in a `latest` collection rather than a full heartbeat history in the same collection; retention is tied to the related device lifecycle and deletion workflow
- latest glucose/device status records: the currently deployed API environment keeps `entries_latest` and `device_status_latest` records for 1 hour
- logs: typically short retention unless needed for security investigations, abuse analysis, or incident handling
- health data: according to your subscription and retention settings (if applicable)
- homepage form submissions: pending confirmation records are kept until confirmation, token expiry, deletion, or later cleanup; confirmed records are kept until removal, unsubscribe, closure, deletion, or later cleanup under the relevant process
- confirmation tokens: until expiry or successful confirmation (current operational token expiry is 7 days)
- billing records: as required by law
7. Security
We implement reasonable technical and organizational measures to protect personal data, including encryption in transit (TLS) and access controls. Some sensitive data may be encrypted at rest.
No method of transmission or storage is 100% secure.
8. Your Rights
Depending on your location, you may have rights to:
- access, correct, delete, or restrict processing of your personal data
- object to certain processing
- data portability
- withdraw consent at any time where processing is based on consent
To exercise your rights, contact: info@b-sense.hismis.com
If you are in the EEA/UK, you also have the right to lodge a complaint with your local supervisory authority. For Hungary, the supervisory authority is NAIH: https://www.naih.hu/
9. Cookies
We use cookies for:
- essential site functionality (for example login/session, security)
- performance/analytics (where enabled or accepted)
You can control non-essential cookies through the cookie banner / cookie settings controls on the website, where available, and through your browser settings. See the Cookie Policy for current categories and inventory details.
10. Children’s Privacy
The Service is not intended for children. If you believe a child has provided personal data, contact us at info@b-sense.hismis.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version on https://b-sense.hismis.com and update the “Last updated” date.
12. Contact
Privacy questions: info@b-sense.hismis.com