Privacy Policy
Effective Date: March 2026
XD420 GenussWerk Weyarn für Bayern GmbH, operating under the brand name NutriSensei ("we", "us", "our"), is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website, online shop, and AI-powered health assessment services at www.nutrisensei.com.
1. Data Controller
The data controller responsible for processing your personal data is:
XD420 GenussWerk Weyarn für Bayern GmbH
Akeleistr. 16, D-82024 Taufkirchen, Germany
Email: privacy@nutrisensei.com
Managing Director: Manuel Robert Kralik
2. Data Protection Officer
If you have questions about data protection, you may contact us at: privacy@nutrisensei.com
Note: If your company has 20 or more employees regularly processing personal data, you are legally required to appoint a Data Protection Officer (DPO). Please update this section accordingly.
3. Types of Personal Data Collected
3.1 Data You Provide Directly
- Account registration data: name, email address, password (encrypted), date of birth, gender.
- Health assessment data: responses to our AI-powered health questionnaire, including information about your lifestyle, diet, physical activity, sleep patterns, stress levels, and general health goals.
- Purchase data: billing address, shipping address, payment information (processed by our payment provider; we do not store full credit card numbers).
- Communication data: emails, support requests, feedback.
3.2 Data Collected Automatically
- Technical data: IP address, browser type and version, operating system, device type, screen resolution.
- Usage data: pages visited, time spent on pages, click behavior, referral source.
- Cookie data: session cookies, preference cookies, and analytics cookies (see our Cookie Policy for details).
3.3 Health-Related Data (Special Category Data)
Our health assessment collects information that may qualify as health-related data under Article 9 GDPR. This data is processed exclusively on the basis of your explicit consent (Article 9(2)(a) GDPR) for the purpose of providing you with personalized supplement recommendations. You may withdraw your consent at any time.
4. Purposes and Legal Basis for Processing
We process your personal data for the following purposes:
- Contract performance (Art. 6(1)(b) GDPR): Processing orders, delivering products, managing your account, providing customer support.
- Consent (Art. 6(1)(a) GDPR): Processing health assessment data to generate personalized supplement recommendations; sending marketing communications; setting non-essential cookies.
- Legitimate interests (Art. 6(1)(f) GDPR): Improving our website and services; fraud prevention; website security and stability; analytics for service optimization.
- Legal obligations (Art. 6(1)(c) GDPR): Tax and accounting obligations; commercial record-keeping requirements.
5. AI-Powered Health Assessment
Our platform uses artificial intelligence to analyze your health questionnaire responses and generate personalized supplement recommendations. Specifically:
- Your health assessment responses are processed by our AI system to calculate pillar scores across four health dimensions (Metabolism, Energy & Recovery, Immunity & Inflammation, Mind & Hormones).
- The AI generates a personalized health report and supplement plan based on these scores.
- No fully automated decision-making with legal or similarly significant effects takes place. The AI recommendations are informational only and do not constitute medical advice.
- You have the right to request human review of any AI-generated recommendation at any time.
- Your health data is stored securely and is not shared with third parties for their own purposes.
6. Data Sharing and Recipients
We may share your personal data with the following categories of recipients:
- Payment processors: For secure payment handling (e.g., Stripe, PayPal). These providers act as independent data controllers.
- Shipping partners: Name and delivery address for order fulfillment.
- Hosting and infrastructure providers: Our servers are located in the European Union (Hetzner Online GmbH, Germany).
- Analytics providers: Anonymized or pseudonymized usage data for website optimization.
- Legal and regulatory authorities: When required by law.
We do not sell your personal data to third parties. We do not transfer personal data outside the European Economic Area (EEA) unless adequate safeguards are in place as required by Chapter V GDPR.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Account data: For the duration of your account plus 30 days after deletion request.
- Health assessment data: Until you delete your account or withdraw consent, whichever is earlier.
- Order and transaction data: 10 years from the end of the calendar year in which the transaction occurred (§ 147 AO, § 257 HGB).
- Marketing consent records: Until withdrawal of consent plus documentation period.
- Server logs: 7 days.
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): Obtain confirmation of whether your data is being processed and request a copy.
- Right to rectification (Art. 16 GDPR): Request correction of inaccurate data.
- Right to erasure (Art. 17 GDPR): Request deletion of your personal data ('right to be forgotten').
- Right to restriction (Art. 18 GDPR): Request restriction of processing under certain conditions.
- Right to data portability (Art. 20 GDPR): Receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent (Art. 7(3) GDPR): Withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The competent authority is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.
To exercise your rights, contact us at: privacy@nutrisensei.com
9. Cookies
Our website uses cookies and similar technologies. For detailed information, please refer to our separate Cookie Policy. You can manage your cookie preferences at any time through our cookie consent banner.
10. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- TLS/SSL encryption for data in transit.
- Encrypted storage for sensitive data.
- Access controls and authentication mechanisms.
- Regular security assessments.
- Data minimization principles.
11. Children
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such data promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our website or by email. The date of the most recent revision is indicated at the top of this document.
13. Contact
XD420 GenussWerk Weyarn für Bayern GmbH
Akeleistr. 16, D-82024 Taufkirchen, Germany
Email: privacy@nutrisensei.com