Privacy Policy

Last updated: 18 March 2026

This Privacy Policy explains how NutriGenius collects, uses, stores, and protects your personal data when you use our website and services. NutriGenius is operated as an Irish sole trader and is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR).

1. Data Controller

The data controller responsible for your personal data is:

NutriGenius

Operated as an Irish sole trader

Cork, Ireland

Email: privacy@nutrigenius.co

2. Data We Collect

We collect the following categories of data when you use NutriGenius:

2.1 Health & Special Category Data (Article 9 GDPR)

When you complete the health assessment quiz, you may voluntarily provide:

Current health conditions and medical history
Prescription medications and supplements
Allergies and dietary restrictions
Laboratory test results (blood markers, biomarkers)
Genetic data (optional — MTHFR, COMT, VDR variants)
Pregnancy and breastfeeding status
Physical characteristics (age, sex, height, weight)
Lifestyle data (activity level, sleep, stress, alcohol, smoking)

Note: Health data, genetic data, and information about medication constitute special category data under Article 9 GDPR and are subject to enhanced protection. We only process this data with your explicit consent.

2.2 Contact Data

Email address (when provided voluntarily for plan delivery or newsletter)

2.3 Technical & Usage Data

Browser language and locale preference
Cookie consent preferences
Anonymous site analytics (page views, session duration)
Affiliate link click data (for commission tracking)

3. Legal Basis for Processing

Data Type	Legal Basis
Health & genetic data	Explicit consent — Article 6(1)(a) and Article 9(2)(a) GDPR
Email — newsletter	Consent — Article 6(1)(a) GDPR
Email — transactional (plan delivery)	Legitimate interests — Article 6(1)(f) GDPR
Analytics cookies	Consent — Article 6(1)(a) GDPR
Strictly necessary cookies	Legitimate interests — Article 6(1)(f) GDPR
Affiliate click tracking	Legitimate interests — Article 6(1)(f) GDPR

4. How We Use Your Data

Personalised recommendations: Your health data is processed by our algorithm to generate a personalised supplement protocol, including drug interaction safety checks.
Plan delivery: If you provide your email, we send your supplement plan and optionally a PDF summary.
Newsletter: If you opt in, we send biweekly health insights and supplement updates. You may unsubscribe at any time.
Service improvement: Anonymous analytics data helps us understand how the site is used and improve the user experience.
Advertising: With your consent, we may display relevant advertisements via Google AdSense.
Affiliate commissions: Clicks on product links may be tracked for affiliate commission purposes. This does not share your health data with affiliate partners.

5. Data Storage & Security

Your data is stored in Supabase, a database platform hosted in the EU, with encryption at rest and in transit (TLS).
We implement appropriate technical and organisational security measures to protect your data against unauthorised access, loss, or disclosure.
We do not sell your personal data to any third party.
Health data entered into the quiz is not linked to your email address unless you voluntarily provide it. Quiz sessions can be completed anonymously.

6. Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

Right of Access (Art. 15)

You may request a copy of all personal data we hold about you.

Right to Rectification (Art. 16)

You may request correction of inaccurate or incomplete data.

Right to Erasure (Art. 17)

You may request deletion of your personal data ("right to be forgotten"). We will comply unless we have an overriding legal obligation to retain the data.

Right to Restrict Processing (Art. 18)

You may request that we limit how we use your data while a dispute is resolved.

Right to Data Portability (Art. 20)

You may request your data in a structured, machine-readable format.

Right to Object (Art. 21)

You may object to processing based on legitimate interests, including for direct marketing.

Right to Withdraw Consent (Art. 7)

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Irish Data Protection Commission (DPC) at www.dataprotection.ie.

To exercise any of these rights, contact us at privacy@nutrigenius.co. We will respond within 30 days.

7. Third-Party Services

We use the following third-party services, each with their own privacy policies:

Service	Purpose	Location
Supabase	Database hosting, authentication	EU
Vercel	Website hosting and CDN	Global (EU edge nodes available)
Resend	Transactional email delivery	US (Standard Contractual Clauses apply)
Google AdSense	Display advertising (future)	US (Standard Contractual Clauses apply)
iHerb Affiliate	Product affiliate links	US (click tracking only)
Anthropic Claude API	AI-powered supplement explanations	US (no health data retained by Anthropic)

8. Cookies

We use cookies and similar technologies. You can manage your preferences via the cookie consent banner that appears on your first visit, or at any time via the "Cookie Settings" link in the footer.

Necessary

Session management, language preference. Always active.

Analytics

Anonymous traffic analysis to understand site usage. Requires consent.

Advertising

Google AdSense and affiliate tracking. Requires consent.

Functional

Saved preferences and quiz progress. Requires consent.

9. Data Retention

Health assessment data: Retained until you request deletion. You may email privacy@nutrigenius.co to request erasure.
Email and newsletter data: Retained until you unsubscribe or request deletion.
Analytics data: Anonymised after 24 months.
Cookie consent records: Stored locally in your browser. Cleared when you clear browser data.

10. Children's Privacy

NutriGenius is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@nutrigenius.co and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Significant changes will be communicated via a notice on the website or by email where appropriate.

12. Contact

For any privacy-related questions, requests to exercise your rights, or complaints, please contact us:

NutriGenius — Privacy

Email: privacy@nutrigenius.co

If you are unhappy with our response, you may lodge a complaint with the Irish Data Protection Commission (DPC): www.dataprotection.ie