DATA PROCESSING AGREEMENT

pursuant to art. 28 of Regulation (EU) 2016/679 (GDPR)

Last update: March 2026

Parties to the Agreement

This Data Processing Agreement ("DPA") is entered into between:

  • The User registered on the NUTRIBOT Platform (hereinafter "Data Controller" or "Controller"), as a nutrition professional who enters and manages their patients' data on the Platform;
  • HYPAZ SRL, with registered office in Val della Torre (TO), VAT number 13414550015, PEC: hypaz@pec.it, as operator of the NUTRIBOT Platform (hereinafter "Data Processor" or "Processor").

This DPA constitutes an integral part of the General Conditions for use of the NUTRIBOT Platform and the Privacy Policy. Acceptance of the General Conditions implies full acceptance of this DPA.

1. Subject matter and purpose of processing

The Processor processes personal data on behalf of the Controller exclusively for the purpose of providing the NUTRIBOT Platform Services, as defined in the General Conditions.

The processing includes, by way of example and not limited to: the storage and management of the Controller's patient data, the generation of diet plans through artificial intelligence systems, the processing of remote anthropometric measurements, the recording of blood tests, the management of the appointment calendar and the functionalities of the conversational AI Assistant.

The Processor processes personal data exclusively on the basis of the Controller's documented instructions, unless processing is required by Union or Member State law to which the Processor is subject.

2. Types of data processed

The categories of personal data subject to processing include, by way of example and not limited to:

  • Personal data of the Controller's patients (name, surname, date of birth, gender, email, phone, address)
  • Health-related data pursuant to art. 9 GDPR (pathological and family medical history, pharmacological therapies, blood test values, anthropometric measurements, food intolerances, gastrointestinal and gynecological health data, eating disorders, body photos for remote measurements)
  • Lifestyle data (diet, physical activity, quality of life, sleep, personal habits)
  • Diet plans and Content Generated through artificial intelligence
  • Conversation logs with the AI Assistant
  • Appointment calendar data

3. Categories of data subjects

The personal data processed concerns the Controller's patients (natural persons who consult the Controller for nutritional advice). The Controller is solely responsible for obtaining consent from their patients for the processing of their personal data on the Platform, where required by applicable law.

4. Duration of processing

The processing of personal data has the same duration as the contractual relationship between the Controller and the Processor, as governed by the General Conditions.

In the event of deletion of the Controller's account, the Processor will permanently delete all patient data within 30 days from account deletion, except for legal obligations that require longer retention.

5. Obligations of the Processor

The Processor undertakes to:

  • process personal data exclusively on the basis of the Controller's documented instructions, including with regard to transfers of personal data to a third country, unless required by Union or Member State law;
  • ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • take all appropriate technical and organizational measures pursuant to art. 32 GDPR to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing;
  • assist the Controller, to the extent reasonably possible and taking into account the nature of processing, in responding to requests for the exercise of data subject rights pursuant to arts. 15-22 GDPR;
  • assist the Controller, taking into account the nature of processing and the information available to it, in ensuring compliance with the obligations pursuant to arts. 32-36 GDPR (security of processing, breach notification, data protection impact assessment);
  • make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, within the limits of what is reasonably practicable and with at least 30 days' written notice.

6. Sub-processors

The Controller hereby authorizes the Processor to engage the sub-processors listed in the Privacy Policy (Section 6) for the provision of the Services. The updated list of sub-processors is available upon request by contacting support@nutribot.it.

The Processor will inform the Controller with at least 30 days' notice of any changes to the list of sub-processors (addition or replacement), via communication on the Platform or by email. The Controller has the right to object to the change within 15 days of the communication; in such case, the Controller may withdraw from the contract pursuant to the General Conditions.

The Processor ensures, through written contracts, that sub-processors are bound by the same data protection obligations contained in this DPA.

The Processor remains fully liable to the Controller for the performance of sub-processors, within the limits set by art. 82 GDPR.

7. Security measures

The Processor adopts, by way of example and not limited to, the following technical and organizational security measures:

  • Hosting on Google Cloud Platform infrastructure (region europe-west1, Belgium) with encryption of data in transit (TLS) and at rest;
  • User authentication through Google Firebase Authentication;
  • Fernet symmetric encryption for Google Calendar OAuth2 tokens;
  • Platform access exclusively through authentication credentials;
  • Logical separation of data between different Users (multi-tenancy);
  • Transmission of data to AI providers in pseudonymized form, to the extent technically feasible;
  • No direct access by patients to the Platform (the only communication sent to patients is the anthropometric measurement link, at the Controller's initiative).

Security measures may be updated by the Processor over time to adapt them to the state of the art, without the need to update this DPA, provided that the overall level of security is not reduced.

8. Personal data breach (Data Breach)

The Processor undertakes to notify the Controller, without undue delay and where feasible within 72 hours of becoming aware of it, of any personal data breach pursuant to art. 33 GDPR.

The notification will contain, to the extent information is available: the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences of the breach and the measures taken or proposed to remedy the breach.

The Processor will assist the Controller in notifying the supervisory authority and communicating to data subjects, where necessary pursuant to arts. 33 and 34 GDPR, to the extent reasonably possible and taking into account the information available to it.

9. Data transfers to third countries

Transfers of personal data to third countries (in particular the USA) occur exclusively to the sub-processors indicated in the Privacy Policy (Section 6) and on the basis of the safeguards indicated therein (adequacy decisions, Standard Contractual Clauses, EU-U.S. Data Privacy Framework). The Processor undertakes not to transfer personal data to third countries in the absence of adequate safeguards pursuant to art. 46 GDPR.

10. Audit rights

The Controller has the right to verify compliance with the obligations of this DPA, through written request with at least 30 days' notice.

The Processor undertakes to provide the information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and art. 28 GDPR. Audit activities shall not unreasonably interfere with the Processor's normal operations.

The costs of audit activities are borne by the Controller, unless the audit reveals a breach by the Processor.

11. Return and deletion of data

At the end of the contractual relationship, the Processor, at the Controller's choice, will return or delete all personal data processed on behalf of the Controller, unless Union or Member State law requires its retention.

In the absence of specific instructions from the Controller within 30 days of the termination of the relationship, the Processor will proceed with the permanent deletion of all patient data, subject to retention requirements for legal obligations.

12. Liability and limitations

The Processor's liability under this DPA is governed by art. 82 GDPR.

The Processor will not be liable for processing carried out by the Controller in violation of applicable law, nor for the absence or inadequacy of consent obtained by the Controller from their patients.

In any case, except in cases of intent or gross negligence, the Processor's aggregate liability to the Controller under this DPA shall not exceed the total amount paid by the Controller to the Processor in the 12 months preceding the event giving rise to the liability.

13. Final provisions

This DPA is governed by Italian law and Regulation (EU) 2016/679.

For any dispute arising from this DPA, the parties undertake to attempt an amicable resolution. In the event of failure, the Court of Turin shall have exclusive jurisdiction.

This DPA may be amended by the Processor to adapt it to regulatory changes or variations in the Services, in the same manner provided by art. 10 of the General Conditions.

In the event of conflict between this DPA and the General Conditions, the provisions of this DPA regarding personal data protection shall prevail.