GDPR Compliance
This page sets out NutriFell's obligations and your rights under the EU General Data Protection Regulation (GDPR) and equivalent EEA legislation. It supplements our Privacy Policy, which contains full details of the data we collect.
01 Data Controller
The data controller for NutriFell is the individual operator:
NutriFell
Operator: Individual developer
Location: Georgia (the country)
Email: support@nutrifell.com
As a small-scale, sole-operator service, NutriFell is not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. All data protection enquiries can be directed to the email above.
02 Legal Basis for Processing
We process personal data on the following legal bases (GDPR Article 6):
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b)) — necessary to provide the service |
| Storing profile data (age, weight, height, goals) | Contract — necessary to deliver personalised calorie plans |
| Food logs, water, quit-smoking data | Contract — core features you explicitly use |
| Social content (posts, comments, DMs) | Contract — explicit action by the user to post |
| Email verification | Contract — required for secure registration |
| Sending to Google Gemini for AI responses | Legitimate interest (Art. 6(1)(f)) — core product feature; data minimisation applied |
| Server request logs (IP, timestamp, path) | Legitimate interest — security, abuse prevention, and debugging |
| Payment processing via Stripe | Contract — necessary to process subscription payments |
We do not rely on consent as the legal basis for any processing that is essential to providing the service. Where we rely on legitimate interest, you have the right to object (see Section 4).
03 Special Category Data
Some data NutriFell collects — specifically health-related profile data such as body weight, height, BMI, calorie targets, and quit-smoking information — may qualify as "special category data" under GDPR Article 9 (data concerning health).
We process this data under Article 9(2)(a) — explicit consent — which you provide by voluntarily entering this data into your profile and using the tracking features. You may delete this data at any time by updating your profile or requesting account deletion.
This data is never shared with third parties for advertising, sold, or used for purposes other than providing NutriFell's core features.
04 Your Rights Under GDPR
As an EU/EEA resident, you have the following rights regarding your personal data:
- Right of access (Art. 15) — request a copy of all personal data we hold about you, including the purposes for which we process it.
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data. Most data can be updated directly in your profile settings.
- Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your personal data. We will process this within 30 days. Note: some data retained for legal obligations cannot be deleted immediately.
- Right to restriction of processing (Art. 18) — request that we temporarily stop processing your data in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON) for transfer to another service.
- Right to object (Art. 21) — object to processing based on legitimate interest, including profiling. If you object, we will cease that processing unless we can demonstrate compelling legitimate grounds.
- Right not to be subject to automated decision-making (Art. 22) — NutriFell does not make automated decisions with legal or similarly significant effects. Calorie targets are formula-based calculations presented to you as guidance, not as binding determinations.
05 How to Exercise Your Rights
To exercise any of the rights listed above, send a request to support@nutrifell.com with:
- Your name and the email address associated with your account
- The right you are exercising (e.g., "Right to erasure")
- Any specific data or processing activity you are referring to
We will respond within 30 days (or 72 hours for data breaches affecting you). If we cannot fulfil your request, we will explain why. We will not charge a fee for reasonable requests.
We may need to verify your identity before processing your request. We will do this by confirming your email address.
06 Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (name, email, password hash) | Until account deletion + 30-day backup window |
| Profile & health data | Until account deletion or user update |
| Food logs, water logs, quit-smoking data | Until account deletion |
| Social posts and comments | Until deleted by user or account deletion |
| Direct messages | Until account deletion (both participants) |
| Stories | 24 hours (auto-deleted) |
| Server request logs | Up to 90 days (security and debugging) |
| Waitlist entries | Until the waitlist closes or you request removal |
07 International Data Transfers
NutriFell is hosted on Hostinger servers in European data centres, so primary data storage is within the EU/EEA.
Some processing involves transfers outside the EU/EEA:
- Google Gemini (US): When you use NutriAI or generate meal plans, your profile data is sent to Google's servers in the US. Google LLC participates in EU-US data transfer mechanisms. See Google's data transfer documentation.
- Stripe (US): Payment processing uses Stripe, which processes data under standard contractual clauses approved by the European Commission.
All other data remains on EU-based Hostinger servers.
08 Supervisory Authority
If you are located in the EU/EEA and believe we have not handled your data in compliance with GDPR, you have the right to lodge a complaint with your local data protection supervisory authority.
- You can find your national authority at: European Data Protection Board — Members
- We encourage you to contact us first at support@nutrifell.com so we can resolve the concern directly.
09 Contact the Data Controller
For all GDPR-related requests and enquiries:
NutriFell — Data Controller
Email: support@nutrifell.com
Location: Georgia
Response time: within 30 days (urgent requests within 72 hours)
Also see our full Privacy Policy for details on all data we collect and process.