Last updated: 26 November 2025

Privacy Policy

Nutreal LLC ("Nutreal", "we", "us") is committed to protecting your privacy. This policy explains what personal data we collect when you purchase personalized snack boxes or subscribe to our service, why we collect it, how long we store it, and the rights you have under GDPR and Bulgarian data protection law.

What data we collect

  • Identity data: name
  • Contact data: email address and phone number
  • Delivery data: shipping address and delivery preferences
  • Payment data: processed securely by Shopify (we do not store card details)
  • Order data: purchase history, subscription frequency, and personalized box recommendations
  • Preference data: health goals, lifestyle, protein preferences, taste preferences, and dietary restrictions (collected through our personalization wizard)
  • Box generation data: personalized box recommendations generated using OpenAI based on your preferences (stored as draft until order completion)
  • Technical data collected automatically via Vercel Analytics and Vercel Speed Insights (device, browser, page views, performance metrics, short-term anonymised IP addresses)
  • We do not collect sensitive personal data (special categories under GDPR)

Why we collect it

  • Processing and fulfilling your personalized snack box orders and subscriptions
  • Generating personalized box recommendations using AI based on your preferences
  • Managing recurring subscription deliveries (weekly, bi-weekly, monthly)
  • Managing shipping and delivery logistics
  • Responding to customer inquiries and providing support
  • Sending transactional messages via Resend (order confirmations, shipping updates, subscription reminders)
  • Improving product experience and website performance
  • Monitoring system integrity and preventing fraud

Automated decision-making

We do not use personal data for automated decision-making or profiling. All decisions with legal or similarly significant effects are reviewed by humans.

Legal bases

  • Contractual necessity – processing orders, generating personalized recommendations, managing subscriptions, and delivering products
  • Legitimate interest – preventing fraud, improving services, personalizing box recommendations, and understanding aggregated engagement
  • Consent – optional marketing communications and non-essential cookies (withdrawable at any time)

How long we keep data

Order and delivery records are stored while you remain an active customer and for up to 24 months after your last order or subscription cancellation. Subscription data is retained for the duration of your subscription and 24 months after cancellation. Personalized box recommendations (drafts) are stored until order completion, then retained for 12 months for customer service purposes. Payment information is processed by Shopify and retained according to their policies. Accounting and invoicing information is retained for up to five years under Bulgarian tax law requirements. Analytics data follows Vercel's default retention periods. When a retention window closes we delete or irreversibly anonymise the data.

Who can access your data

  • Nutreal team members with role-based access
  • Hosting, infrastructure, and analytics providers (Vercel, including Vercel Analytics and Speed Insights)
  • Email provider: Resend for transactional communication
  • Payment processor: Shopify for secure payment processing and subscription management
  • AI service provider: OpenAI for generating personalized box recommendations (preferences are sent to OpenAI, but no directly identifiable personal data)
  • Shipping partners: only delivery addresses and contact information necessary for fulfillment

We never sell personal data. All third parties process information on our behalf under GDPR-compliant Data Processing Agreements (DPAs). OpenAI processes your preferences anonymously to generate recommendations and does not receive your name, email, or address.

How we protect your data

We host Nutreal on Vercel with TLS encryption in transit, encrypt data at rest, enforce least-privilege access, and review permissions quarterly. Payment processing is handled securely by Shopify, which is PCI-DSS compliant. Production data is isolated from testing environments, and we keep activity logs for incident response. Personalized box recommendations are generated using OpenAI's secure API, and we do not send directly identifiable personal information to OpenAI.

International transfers

Our primary hosting region is the EU, but service providers such as Vercel, Resend, Shopify, or OpenAI may process data in the United States. When data leaves the EEA, we rely on Standard Contractual Clauses and provider commitments to maintain GDPR-level safeguards. OpenAI processes preference data (not directly identifiable personal data) for box generation and maintains appropriate safeguards.

Cookies and tracking

We use strictly necessary cookies for site functionality and first-party analytics cookies via Vercel Analytics and Speed Insights for aggregated performance insights. You can block or delete cookies in your browser settings; some features may be limited without them. If we later introduce marketing or advertising cookies, this section will be updated.

Your GDPR rights

  • Access – request a copy of your personal data
  • Rectification – update incomplete or inaccurate data
  • Erasure – ask us to delete data when there is no legal reason to keep it
  • Restriction or objection – limit or oppose certain processing activities
  • Portability – receive your data in a structured, machine-readable format
  • Withdraw consent – for any processing based on consent

To exercise any right, email privacy@nutreal.bg. We respond within 30 days and may request proof of identity.

Updates to this policy

We review this notice at least once per year and whenever we add new products, vendors, or legal requirements. Material changes will be announced on this page with a new effective date. Continued use of Nutreal services after an update means you accept the revised policy.

Questions or requests?

Email privacy@nutreal.bg or write to Nutreal LLC, Sofia, Bulgaria. We respond to every request within 30 days and follow GDPR identity-verification procedures where needed.
