nutribot

Privacy Policy

pursuant to and for the purposes of art. 13 of EU Regulation no. 2016/679

Last update: March 2026

Privacy

HYPAZ SRL (hereinafter "Nutribot") wishes to inform you that European Regulation no. 679 of April 27, 2016 (GDPR), and its subsequent amendments or additions, provide for the protection of natural persons with regard to the processing of their personal data and that, therefore, your data will be processed in compliance with the regulations and with respect to the normal prerogatives, opportunities and obligations of confidentiality that govern our activities.

This notice concerns the processing of personal data belonging to professional users (nutritionists, dieticians and health professionals) registered on the platform accessible via the site www.nutribot.it (hereinafter "Platform") and extends to all natural persons operating in the relevant organizations. For the processing of personal data of Users' patients, please refer to section 8 of this document.

Pursuant to Article 13 of REG. EU 2016/679, we therefore provide you with the following information.

1. Identification details of the Controller (and any other subjects)

The Data Controller is HYPAZ SRL,

with registered office in Val della Torre (TO), via Castello, 10040 Turin, Italy,

VAT number 13414550015

PEC: hypaz@pec.it

email contact (for privacy purposes): support@nutribot.it

website: www.nutribot.it

2. Purpose of processing

The purpose of this notice is to inform all registered users of the site www.nutribot.it (nutritionists, dieticians, food science professionals) that the personal data provided is necessary for the correct performance of the relationship, contractual or otherwise, existing between them and Nutribot for the following purposes:

  • Performance of services by Nutribot in your favor, including the generation of diet plans via artificial intelligence, the management of patient records (personal data and health data), remote anthropometric measurements via a specialized third-party computer vision provider, the management of appointments and the calendar, and the use of the AI conversational assistant (legal basis of processing: performance of the contract — art. 6.1.b GDPR; for health data: explicit consent — art. 9.2.a GDPR)
  • Performance of ancillary services and obligations inherent to the contract, including those of a legal, administrative and fiscal nature, payment processing via Stripe, invoice management, OTP verification and email notifications (legal basis of processing: legal obligation — art. 6.1.c GDPR)
  • Management of any disputes arising in the context of contract execution (legal basis of processing: legal obligation and legitimate interest of the Controller — art. 6.1.c and 6.1.f GDPR)
  • Improvement and development of the Platform, including analysis of anonymized usage data, training and optimization of artificial intelligence models, error analysis and system debugging (legal basis of processing: legitimate interest of the Controller — art. 6.1.f GDPR)
  • Analytics and statistics on the User's professional activity within the Platform, such as new patient trends, patient age and gender distribution (legal basis of processing: performance of the contract — art. 6.1.b GDPR)

3. Processing methods

In relation to the above purposes (point 2), the data is processed electronically according to methods supported by security measures that NUTRIBOT deems appropriate to the state of the art and the nature of the processing, including the encryption of data in transit and at rest. NUTRIBOT does not guarantee the absolute inviolability of such measures. The processing will be carried out in an automated form by the controller and by third-party providers specifically designated as data processors (art. 28 GDPR), with specific processing instructions.

The Controller is guided by the principle of data minimization, collecting data that is adequate and relevant to the requested activity or the phase of the activity in progress (principle of data minimization — art. 5.1.c GDPR).

Processing activities may concern, by way of example and not exhaustively, the phases of: collection, storage, archiving, consultation, transmission, communication, processing, anonymization, aggregation, erasure, etc.

Personal data is collected at the time of Registration and during the use of the Platform's services.

4. Type of data processed

The data processed is of common type, including but not limited to: personal data (name, surname, email, telephone), fiscal data (VAT number, billing data), access credentials, payment data (processed by Stripe — not stored on our servers), as well as any other data that the User provides in the context of using the Platform.

Through the Platform, the User may enter and manage health data (art. 9 GDPR) of their patients, including but not limited to: pathological and family medical history, pharmacological therapies, gastrointestinal health, gynecological health, eating disorder history, body measurements (28+ parameters), 50+ blood test values, food habits and intolerances, body photos for remote measurements. The processing of such data is necessary for the provision of the services described in section 2 and is subject to the explicit consent of the data subject obtained by the User as autonomous Controller.

The Platform also processes data generated through the use of artificial intelligence systems, including: conversation logs with the AI assistant, diet plans generated by AI, nutritional analyses, communications sent by the AI on behalf of the User.

Failure to communicate and/or refusal to process personal data identified as mandatory in the registration form makes it impossible to establish and continue the supply relationship.

5. Storage period

In compliance with the principles of lawfulness, purpose limitation and data minimization, personal data will be stored for the period of time necessary to achieve the purposes for which it is collected and processed.

  • Account data and patient data: for the duration of the contractual relationship and for 30 (thirty) days following any request for account deletion (grace period), after which they will be permanently deleted.
  • Fiscal and billing data: for 10 (ten) years from the end of the contractual relationship, as required by current tax legislation.
  • AI conversation logs and generated content: for the duration of the contractual relationship, and permanently deleted upon account deletion.
  • Anonymized data used for analysis and improvement of AI models: stored indefinitely as they are no longer classifiable as personal data.

6. Scope of communication and dissemination of data

The data collected will never be disseminated and will not be subject to communication without the explicit consent of the Data Subject, except for communications related to the purposes of point 2 which may involve the transfer of data to third parties, including but not limited to the following providers. The updated list of providers is maintained by NUTRIBOT and available upon request:

  • Cloud and infrastructure service providers necessary for the operation of the Platform (Google Cloud Platform — servers located in Europe, region europe-west1)
  • Artificial intelligence service providers (at the date of this policy: Anthropic, LLC and OpenAI, Inc., based in the USA) — for AI content generation, diet plan generation, conversational assistance and audio transcription. Patient data summaries are normally transmitted to these providers in pseudonymized form, to the extent technically feasible. It is specified that some functionalities (such as the conversational AI Assistant) may require the transmission of patient identifying data (name and other personal data in the patient record) to AI providers in non-pseudonymized form, in order to enable the processing of Generated Content intended exclusively for the User. AI service providers may be changed, replaced or supplemented by NUTRIBOT with at least 30 days' notice via communication to the User or update of the provider list on the Platform.
  • Remote measurement services: third-party computer vision provider (USA) for anthropometric measurements via smartphone, to whom the patient's email address, name, gender, height and weight are transmitted
  • Payment services: Stripe, Inc. (USA) for the processing of payments and invoice management
  • Authentication services: Google Firebase (USA) for authentication and identity management
  • Calendar services: Google Calendar API (USA) for the bidirectional synchronization of appointments, if activated by the User via OAuth2 authentication
  • Translation services: Google Translate API (USA) for the translation of content generated by the Platform
  • Workflow automation: n8n (for management of automated notifications)

To NUTRIBOT's knowledge at the date of this policy, some of the above-mentioned service providers are based in the United States of America. The transfer of personal data to these subjects takes place on the basis of adequate safeguards pursuant to art. 46 GDPR, including Standard Contractual Clauses (SCC) adopted by the European Commission and, where applicable, pursuant to the EU-US Data Privacy Framework (DPF). NUTRIBOT is not responsible for any changes to the safeguards adopted by third-party providers. The User may request a copy of the safeguards adopted by contacting support@nutribot.it.

Third-party subjects to whom data is communicated, where engaged in processing activities, are designated by the Controller as external data processors pursuant to art. 28 GDPR, with specific instructions. The Controller can provide the complete and updated list of sub-processors upon request.

Data may also be communicated to consultants (accountants, lawyers, tax advisors) for the fulfillment of legal, administrative and fiscal obligations, and to public entities, the Public Authority and the Judicial Authority in compliance with legal obligations.

7. Rights pursuant to arts. 15, 16, 17, 18, 20, 21 and 22 of REG. EU 2016/679

Nutribot wishes to inform you that, as a data subject, you have the right to lodge a complaint with the supervisory authority (Italian Data Protection Authority — Garante per la Protezione dei Dati Personali), as well as to exercise the rights listed below, which you can assert by sending a specific written request to the Data Controller, indicated in point 1.

Art. 15 - Right of access

The data subject has the right to obtain confirmation from the controller that processing of personal data concerning them is or is not taking place and, if so, to obtain access to the personal data and information concerning the processing.

Art. 16 - Right of rectification

The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning them without undue delay. Taking into account the purposes of the processing, the data subject also has the right to obtain the integration of incomplete personal data, by providing a supplementary statement.

Art. 17 - Right to erasure (right to be forgotten)

The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay and the controller has the obligation to erase personal data without undue delay.

Art. 18 - Right to restriction of processing

The data subject has the right to obtain from the controller the restriction of processing when one of the following cases occurs:

  • the data subject contests the accuracy of the personal data, for the period necessary for the controller to verify the accuracy of such personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use;
  • although the controller no longer needs the personal data for the purposes of processing, they are necessary for the data subject to ascertain, exercise or defend a right in court;
  • where the data subject has objected to the processing pursuant to Article 21, paragraph 1, pending the verification as to whether the controller's grounds for processing override those of the data subject.

Art. 20 - Right to data portability

The data subject has the right to receive from the controller the personal data concerning them in an interoperable format, for their own use or for transmission to third parties, including another controller.

In exercising their rights regarding data portability pursuant to paragraph 1, the data subject has the right to obtain direct transmission of personal data from one controller to another, where technically feasible.

Art. 21 - Right to object

The data subject has the right to object at any time, for reasons related to their particular situation, to the processing of personal data concerning them, including in terms of profiling, pursuant to Article 6, paragraph 1, letters e) or f).

Art. 22 - Right not to be subject to automated decision-making, including profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. The Platform uses artificial intelligence systems (Anthropic Claude, OpenAI) to generate diet plans and provide nutrition-related assistance. These contents must be subject to professional review by the User (nutritionist) before being used with patients and therefore do not constitute fully automated decision-making. The User is solely responsible for the use of such outputs.

You can exercise your rights by written request sent to the Controller HYPAZ SRL at support@nutribot.it or via PEC at hypaz@pec.it.

8. Processing of User's patient data

This section regulates the processing of personal data, including health data (art. 9 GDPR), of the User's patients entered into the Platform.

Roles and responsibilities

With reference to the patient data entered by the User into the Platform, the User acts as the sole autonomous Data Controller pursuant to art. 4.7 GDPR and is the sole party responsible for the lawfulness of entering data into the Platform. NUTRIBOT provides the User with a technological infrastructure for data processing and assumes no responsibility regarding the lawfulness, correctness or completeness of data entered by the User. The User fully indemnifies NUTRIBOT from any liability, sanction, claim for damages or dispute arising from the processing of their patients' data. The User is responsible for: providing their patients with an adequate privacy notice regarding the use of the Platform, obtaining explicit consent from patients for the processing of health data (art. 9.2.a GDPR), verifying the lawfulness of data transfers to third-party providers indicated in section 6.

Security measures

Nutribot adopts technical and organizational measures that it deems appropriate for the protection of patient data, in accordance with the state of the art and the nature of the processing. NUTRIBOT does not guarantee the absolute inviolability of such measures. In the event of a personal data breach, the provisions of articles 33, 34 and 82 of the GDPR shall apply.

Sub-processors

For the performance of services, patient data may be transmitted to the sub-processors indicated in section 6, within the limits strictly necessary for the provision of each specific service. In particular: Anthropic receives patient data summaries, normally in pseudonymized form, for diet plan generation; OpenAI receives the content of conversations with the AI assistant, which may include patient identifying data when the User refers to patients by name; the third-party computer vision provider receives the patient's email, name, gender, height and weight for remote measurements.

Data Processing Agreement

The User may, if deemed appropriate, request the signing of a formal Data Processing Agreement (DPA) pursuant to art. 28 GDPR by contacting support@nutribot.it. The signing of a DPA does not imply the assumption by NUTRIBOT of any liability beyond that expressly provided for in the DPA itself. Any liability of NUTRIBOT under the DPA shall in any case be limited to the amount of the annual Subscription fee paid by the User.

ACKNOWLEDGMENT AND CONSENT TO THE PROCESSING OF PERSONAL DATA REGULATION (EU) 2016/679

The undersigned declares to have received the information referred to in art. 13 of EU Regulation 2016/679, in particular regarding the rights recognized by EU Regulation 2016/679 and subsequent amendments, to have taken note of the relevant documents and to consent, pursuant to and for the purposes of art. 7 et seq. of the Regulation, to the processing of personal data, including special data (health data pursuant to art. 9 GDPR), with the methods and for the purposes indicated in the information itself, in any case strictly connected and instrumental to the management of the relationship.