Privacy Policy

Effective date: 23 April 2026

This Privacy Policy ("Policy") describes how NutriMind ("Company", "we") collects, uses, stores, and discloses the personal data of users ("you") when you use our Platform. This Policy has been prepared in compliance with the EU General Data Protection Regulation (GDPR / Regulation (EU) 2016/679), the UK GDPR, the Cyprus Law on the Protection of Natural Persons with Regard to the Processing of Personal Data (Law 125(I)/2018), and other applicable rules.

1. Data Controller

The controller of your personal data is the legal entity owning the NutriMind Platform, registered in the Republic of Cyprus. Contact: legal@nutrimind.com.

2. Data We Collect

2.1. Data You Provide

  • First and last name.
  • Email address.
  • Password (stored in hashed form).
  • Country and language preferences.
  • Payment details (for subscription purchases — processed by the payment provider).

2.2. Data Collected Automatically

  • Exercise and test progress.
  • IP address, browser type, operating system.
  • Date and time of visits, pages viewed.
  • Cookies and similar technologies (see Section 9).

2.3. Referral Programme Data

If you participate in the Referral Programme, we process:

  • your referral link and code;
  • information about users you have invited (email address, registration date) — subject to their explicit consent to disclose this information to you;
  • data on accrued and redeemed rewards.

2.4. Authorization via Google OAuth

You can register and log in to the Platform using Google OAuth. In this case, we receive the following from the Google API:

  • First and last name (userinfo.givenName, userinfo.familyName).
  • Email address (userinfo.email).

This data is used exclusively for:

  • Account creation and security;
  • Personalization of the user experience;
  • Preventing unauthorized access.

3. Purposes and Legal Bases for Processing

We process personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): account registration and management, provision of access to the Platform, payment processing.
  • Legitimate interest (Art. 6(1)(f) GDPR): Platform security, fraud prevention, service improvement, basic analytics.
  • Consent (Art. 6(1)(a) GDPR): marketing communications, display of your email address in a referrer's dashboard (multi-level referral network), use of non-essential cookies.
  • Legal obligation (Art. 6(1)(c) GDPR): retention of financial records, responding to requests from authorities.

4. Referral Programme and Data Visibility

This section explains the specific processing of data within the Referral Programme.

4.1. Direct Referrer (Level 1)

If you registered using another user's referral link, that user (your direct referrer) can see your email address and registration date — exclusively on the basis of your explicit, separate, and voluntary consent given at registration.

Legal basis: your consent (Art. 6(1)(a) GDPR). You may withdraw your consent at any time under Settings → Privacy.

4.2. Extended Visibility (Level 2 and Beyond)

If you have given additional consent for extended visibility, your email address may be visible to users above your direct referrer in the referral network (within the limits specified when consent was obtained). Such consent is voluntary: withholding it does not affect your ability to use the Platform or to receive a referral reward.

Users in the referral network who have access to your email address are obliged to use it exclusively within the Platform and may not disclose it to third parties.

4.3. Right to Withdraw Consent

Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. Following withdrawal, your email address will be hidden from all referral network dashboards within 30 days.

5. Disclosure of Data to Third Parties

We do not sell or transfer your personal data to third parties for commercial purposes. Disclosure may occur in the following circumstances:

  • Service providers (data processors under Art. 28 GDPR): payment systems, hosting providers, analytics and mailing services — solely for the performance of their functions under data processing agreements.
  • Other users in the referral network: exclusively where you have given your explicit consent (see Section 4).
  • Authorities: where there is a lawful requirement or obligation to disclose.
  • Successors: in the event of a merger, acquisition, or asset sale — with notice to you and maintenance of the level of data protection.

6. International Data Transfers

Your data is stored on servers located in the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure an adequate level of protection through EU Standard Contractual Clauses (SCCs) approved by the European Commission, or other transfer mechanisms compliant with Chapter V GDPR.

7. Data Retention Periods

  • Account data: retained for the duration of the account and deleted within 90 days of account closure.
  • Referral programme data: retained for up to 3 years from the end of the referral cycle.
  • Payment data: retained in accordance with tax law requirements (typically 7 years).
  • Web analytics data: retained for no more than 26 months.
  • Data on withdrawn consent: retained for 3 years as evidence of compliance.

8. Your Rights

Under the GDPR you have the following rights:

  • Right of access (Art. 15): request a copy of your personal data.
  • Right to rectification (Art. 16): correct inaccurate data.
  • Right to erasure (Art. 17): request deletion of data where grounds exist.
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20): receive data in a machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interest.
  • Right to withdraw consent: at any time, without prejudice to the lawfulness of prior processing.
  • Right to lodge a complaint: with the Cyprus Commissioner for Personal Data Protection or the supervisory authority of your country of residence.

To exercise your rights, send a request to: privacy@nutrimind.com. We will respond within 30 days.

9. Cookies

We use the following categories of cookies:

  • Essential: ensure the basic functionality of the Platform. Do not require consent.
  • Analytical: help us analyse Platform usage. Applied only with your consent.
  • Marketing: used for personalised advertising. Applied only with your consent.

You can manage cookie preferences through the banner on your first visit or under Settings → Cookies.

10. Protection of Minors' Data

The Platform is intended for persons over 18 years of age. We do not knowingly collect personal data of persons under 18. If you become aware of a minor's registration, please notify us promptly at: privacy@nutrimind.com. The minor's data will be deleted.

11. Security Measures

We apply technical and organisational measures to protect your data: encryption in transit (TLS) and at rest, role-based access control, regular security audits, and incident response procedures. In the event of a breach affecting your rights, we will notify you and the supervisory authority within the periods established by Arts. 33–34 GDPR.

12. Changes to the Policy

In the event of material changes to the Policy, we will notify you by email or via a notice on the Platform at least 14 days before the changes take effect. Continued use of the Platform after the changes take effect constitutes your acceptance of the updated version.

13. Contact Details

For data protection queries, please contact:

Data Protection Officer (DPO): privacy@nutrimind.com

NutriMind, Republic of Cyprus

Cyprus Commissioner for Personal Data Protection: www.dataprotection.gov.cy