Privacy Policy - Nutri-Bay

PRIVACY POLICY Last updated: March 4, 2026 Version: 1.0 1. Introduction This Privacy Policy explains how we collect, use, and protect your personal data when you use the Nutri-Bay App. The Nutri-Bay App uses data and, in certain cases, algorithmic and AI-based processing to help you plan your endurance nutrition. This Policy describes how this data is used, the general logic behind such processing, and your rights, in accordance with the GDPR and applicable European law. This Policy supplements the General Terms of Use and License Agreement for the Nutri-Bay App and forms an integral part thereof. We encourage you to read this Policy carefully. If you have any questions, you can contact us at contact@nutri-bay.com. 2. Who is responsible for your data? The data controller is: Back2Basics Sàrl 15, rue de Grass L-8378 Kleinbettingen Luxembourg Email: contact@nutri-bay.com We process your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws. We have not appointed a Data Protection Officer (DPO) to date. If such a DPO is appointed, this Privacy Policy will be updated. 3. What data do we collect? The data we collect depends on your use of the Application and the features you enable. 3.1. Account and identification data First and last name (optional or required depending on your choices) Email address Password (stored in encrypted/hashed form) Language, country, time zone Technical identifiers associated with the account (e.g., internal ID, session tokens) necessary for authentication and security. 3.2. Profile Data and Data Related to Sports Activities · Basic physical data you enter (e.g., weight, approximate fitness level, sports practiced) · Information about your sessions or events (date, duration, intensity, type of event) · Your nutrition strategies and plans (timing and quantities of products before, during, and after exercise) · 3.3. Data from connected devices or services (e.g., Garmin) If you connect the App to a third-party device or service (e.g., a Garmin watch or another sports platform), we may receive, depending on the permissions you grant: - Activity data: - start and end time of the activity; - duration, distance, pace/speed; - type of activity (running, cycling, triathlon, etc.); - basic training metrics (laps, intervals, etc.). - Context data for reminders: - start or imminent start of an activity; - crossing certain time or distance thresholds (to trigger a refueling reminder); - end of the activity. In some cases, we may also receive additional information (e.g., heart rate, training load indicators), if you choose to share it. This data may be considered health data (see Section 4). Please note that the data received depends on the permissions you grant to the third-party service. Certain information (e.g., heart rate) may constitute health data (see Section 4). You can disconnect a connected device or service at any time, from within the App and/or directly through your third-party account. 3.4. Usage and Technical Data - App usage information (features used, screens viewed, clicks, session duration) - Device information (model, operating system and version, app version) - Technical logs and crash reports - Approximate location based on IP address or device settings (e.g., to adjust language or time zone). We do not use “traditional” cookies in the mobile App. However, identifiers and similar technologies (e.g., technical identifiers, SDKs) may be used depending on the App’s technical architecture and integrated services. Where applicable, we will inform you appropriately and, when required by applicable regulations, we will obtain your consent prior to any non-essential activation. 3.5. Communication Data - Messages and emails you send to contact@nutri-bay.com - Feedback, survey responses, reviews, when you choose to share them with us 3.6. Payment and Subscription Data (if applicable) If you purchase paid features or subscriptions via the Apple App Store or Google Play: - We do not store your full payment details (card number, etc.). - We may receive limited information from the store (e.g., transaction ID, product purchased, date, status) to manage your subscription. The Apple/Google platforms process your payments under their own responsibility, in accordance with their privacy policies. 4. Special Categories of Data (Health Data) Certain information you enter or share via the Nutri-Bay App (e.g., weight, sweat rate, training load, heart rate from a connected device, nutritional habits) may be considered health data under the GDPR. We process this data only: - if you voluntarily provide it to us or explicitly authorize the connection of a device or service that shares it with us; - to provide and improve sports nutrition and fueling planning features (including reminders and post-session analyses); and - based on your explicit consent (Article 9, §2, a) of the GDPR), in addition to the other legal bases described in this Policy. Important: Explicit Consent (Article 9 of the GDPR): When you choose to enter information that may relate to health (or to enable the sharing of such data via a third-party service), you are expressing your willingness to provide it to us in order to benefit from the corresponding features. You may at any time limit the health data you provide to us, disconnect a third-party service, request the deletion of data, or withdraw your consent (see Sections 8, 10, and 11). We retain, to the extent necessary for compliance, technical records demonstrating that you have enabled/provided this data (e.g., field creation date, activation of an integration), without prejudice to your rights. You are free to: - limit the health-related information you provide; - revoke access to connected devices or services at any time; - delete your account or specific entries; - withdraw your consent to the processing of this data, without retroactive effect on the lawfulness of processing already carried out. Nutri-Bay App is not intended to process health data for diagnostic, treatment, or clinical monitoring purposes. If you intend to use the app in a clinical setting, it is your responsibility to verify compliance with medical regulations and medical device regulations in your country, and, if necessary, to establish a specific agreement with us. 5. For what purposes and on what legal grounds do we use your data? We use your data for the following purposes: 5.1. Providing and operating the Nutri-Bay App - Creating and managing your user account - Enabling the creation, saving, and management of your meal plans - Synchronizing with connected devices/services when you choose to connect them Legal basis: - Performance of a contract (Article 6, §1, b) GDPR) When the processing involves health data, the legal basis also includes your explicit consent (Article 9, §2, a) GDPR). 5.2. Sending nutrition reminders and other notifications - Sending notifications and reminders regarding product consumption times before, during, and after your sessions or events - Triggering reminders during activity based on time, distance, or other activity data (including from connected devices) - Sending service messages (changes to the Terms, important updates, security alerts) Legal bases: - Performance of the contract (core functionality of the App); and - where required for certain types of tracking/notifications, your consent (Article 6(1)(a) GDPR). You can manage your notification preferences within the App and/or via your device settings. When reminders are based on health data, we also rely on your explicit consent (Article 9, §2, a) GDPR). 5.3. Use of Automated Processing and AI-Based Recommendations The Nutri-Bay App uses automated calculations and, in some cases, AI-based models (optimization algorithms, pattern recognition, etc.) to: - generate or adapt nutrition and hydration plans based on the parameters you provide; - estimate energy, carbohydrate, and hydration needs for a session or event; - suggest schedules, quantities, or types of products. These processing activities are intended to support your sports nutrition planning and do not produce significant legal or similar effects within the meaning of Article 22 of the GDPR. Key features: - the algorithms use the data you provide (e.g., weight, duration, intensity), potentially combined with environmental data (temperature, elevation gain) and general references from sports science; - we regularly review and improve our models, but cannot guarantee that the results will always be accurate, complete, or suitable for your specific situation; - You are free at any time to ignore, adjust, or replace any recommendation generated by the App. Legal bases: - Performance of a contract (Article 6(1)(b) GDPR): these calculations are part of the App’s core functionality; - Legitimate interest (Article 6(1)(f) GDPR): to improve our models and your experience; - Where required by law (for certain types of tracking or profiling), your consent (Article 6(1)(a) GDPR). When such processing involves health data, it is also based on your explicit consent (Article 9(2)(a) GDPR). You can contact us at contact@nutri-bay.com if you would like more information about the main logic behind these automated processing activities, subject to the protection of our trade secrets and intellectual property rights. 5.4. Improving the App and the user experience - Understanding App usage (analytics and statistics) - Fixing bugs, improving performance and usability - Developing new features Legal basis: - Legitimate interest (Article 6(1)(f) of the GDPR) in improving our services; - where local laws require it for certain analytics or tracking tools, your consent. Where possible, we use aggregated or anonymized data for these analyses. If certain analytics or tracking tools are used and applicable regulations require prior consent, we will comply with this requirement. 5.5. Customer Support and Communications This includes: - Responding to your questions, requests, or complaints - Assisting you with any account or technical issues Legal bases: - Performance of the contract; - Legitimate interest in responding to users. 5.6. Marketing, Newsletters, and Campaigns Related to Nutri-Bay (Store and App) We may use your contact information (e.g., your email address) and certain information related to your profile or your use of the App (type of sport, frequency of use, categories of products consumed or planned, etc.) to: - send you information about the Nutri-Bay App (news, tips, updates); - send you offers, promotions, or news regarding the Nutri-Bay online store and its sports nutrition products; - personalize the content of these communications to a certain extent (for example, based on your athletic profile or products that may meet your needs). Legal bases for use: - your consent (Article 6, §1, a) GDPR), when required for email marketing or notifications; - our legitimate interest (Article 6, §1, f) GDPR) in promoting our services and products, when a legal exception (e.g., for existing customers) permits it, subject to your rights (including your right to object). You may at any time: - object to receiving marketing communications; - withdraw your consent where it serves as the legal basis; - by using the unsubscribe link in our emails, adjusting your preferences in the App (where available), or by contacting us at contact@nutri-bay.com. We do not use your health data (as defined in Article 9 of the GDPR) to personalize marketing communications, unless you have given separate explicit consent for this purpose (which is not the default setting). You may object to direct marketing at any time. This objection also applies to any personalization/profiling to the extent that it is related to direct marketing. Refusing or withdrawing your consent to commercial prospecting does not affect your use of the Nutri-Bay App, except with regard to receiving these marketing communications. 5.7. Legal and Regulatory Obligations - To comply with accounting, tax, or other legal obligations - To respond to legitimate requests from competent authorities. Legal basis: Legal obligation (Article 6, §1, c) GDPR). We do not make decisions that produce legal effects based solely on automated processing, within the meaning of Article 22 of the GDPR. 6. Who has access to your data? Access to your personal data is limited to: - Our internal teams (product, technical, support) who need it to operate the Application and assist you, subject to confidentiality agreements; and - Our service providers acting as processors, such as: - hosting providers and infrastructure providers (e.g., cloud-based hosting providers); - analytics and bug reporting tools; - email and communication tools. These service providers act on Back2Basics’ instructions and are bound by data processing agreements compliant with the GDPR. We may also share data when required by law or in response to a legitimate request from a competent authority. We do not sell your personal data. Data may be accessed, to the extent necessary for their duties, by Back2Basics Sàrl’s internal teams, including the product, technical, and support teams, and—for prospecting and campaigns related to the Nutri-Bay store—the marketing and e-commerce teams. Service providers may be located within the European Union or outside the European Union (see Section 9). 7. Coaches, Clubs, and Organizations In certain cases, you may decide to: - link your account to a coach, nutritionist, or trainer using the Nutri-Bay App; - join a club, team, event, or other organization that invites you to use the App as part of its services. Depending on the available features and your choices within the App, this may allow these coaches or organizations to: - view certain information related to your profile, your sessions, and your nutrition plans; - suggest or customize plans directly within the App. In these cases: - you remain the primary user of your account and decide whether or not to accept this sharing; - the coach or organization is responsible for complying with its own obligations regarding data protection and sports/health regulations, including informing athletes; - Back2Basics Sàrl remains an independent data controller for the processing necessary for the operation of the Nutri-Bay App. For certain B2B uses (e.g., a dedicated environment for a team, a federation, or an organizer), we may enter into specific agreements, including subcontracting or joint liability agreements, which will take precedence over this Policy. If you no longer wish to share your data with a coach or an organization, you can leave the relevant group or configuration within the App (where possible) or contact us at contact@nutri-bay.com for assistance. Depending on the available features, you can choose whether or not to consent to sharing and, if necessary, request assistance at contact@nutri-bay.com if you cannot find the opt-out option in the App. 8. Sharing with Third-Party Device and Service Providers When you connect the Nutri-Bay App to third-party devices or services (e.g., Garmin, other fitness platforms): - we receive certain data from them, as described in Section 3.3; - we may send them certain information (e.g., reminders to display on your device). These third parties generally act as independent data controllers for the data they process in their own systems. Their processing is governed by their own privacy policies and terms of use. We only share the data necessary for connecting and operating the feature you have chosen. You can manage or revoke these permissions via: - the App settings (where available); - the settings of your third-party account or device. We recommend that you review the privacy policies of these third parties, as they may process data (including health data) under their own responsibility. 9. International Data Transfers Some of our service providers or their servers may be located outside the European Union. When data is transferred outside the European Union, we ensure that appropriate safeguards are in place, such as: - an adequacy decision by the European Commission; - Standard Contractual Clauses (SCCs) and, where applicable, additional measures. You can contact us at contact@nutri-bay.com for more information about these safeguards. Where applicable, when we use Standard Contractual Clauses (SCCs), we may also implement additional technical and organizational measures tailored to the identified level of risk. 10. Data Retention Period We retain your personal data only for as long as necessary for the purposes described, specifically: - Account and profile data: for the entire duration of your account’s activity. If you delete your account, we will delete or anonymize your data, subject to legal retention obligations. - Replenishment plans and strategies: as long as your account is active or until you delete them. - Data from connected devices/services: for the time necessary to provide the features, and until you disconnect or request deletion. - Analytical data: for a reasonable limited period for analysis (e.g., 13 to 24 months), then aggregated or anonymized. - Support communications: for the time necessary to process your request and then for a limited archiving period. - Data subject to legal obligations: for the duration required by accounting, tax, or other regulatory obligations. When data is deleted, it may remain for a limited time in technical backups before being overwritten, in accordance with our backup cycles and security requirements. Apple/Google platforms retain their own payment and billing data in accordance with their policies, independently of Back2Basics Sàrl. 11. Your Rights In accordance with the GDPR and applicable laws, you have the following rights (subject to conditions and limitations): · Right of access: to obtain confirmation that we are processing your data and to receive a copy of it. · Right to rectification: to correct inaccurate or incomplete data. · Right to erasure: to request the deletion of your data in certain cases. · Right to restriction: to request the restriction of certain processing activities in specific situations. · Right to data portability: to receive your data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller. · Right to object: object to certain processing activities based on our legitimate interest, as well as to related profiling, and object to direct marketing at any time, including profiling to the extent it is related to such direct marketing. · Right to withdraw consent: where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of prior processing. You may exercise these rights by contacting us at :contact@nutri-bay.com We may need to verify your identity before responding, particularly to protect your data from fraudulent requests. 12. Complaints If you believe that your data protection rights have not been respected, you may file a complaint with: - your local supervisory authority, - the Luxembourg authority: National Commission for Data Protection (CNPD) 1, Avenue du Rock’n’Roll L-4361 Esch-sur-Alzette Luxembourg Website: cnpd.lu However, we invite you to contact us first at contact@nutri-bay.com to attempt to resolve the situation amicably. 13. Security We implement technical and organizational measures appropriate to the nature of the data and the risks (e.g., access control, application security measures, limiting access to authorized personnel). However, no system is completely secure. You also play an important role by: - keeping your login credentials confidential; - using secure devices; and - locking or logging out of your session when appropriate. In the event of a personal data breach, we will comply with the notification obligations set forth in the GDPR when required. 14. Children’s Data The Nutri-Bay App is not intended for children under 16 without the consent of their parents or legal guardians: we do not knowingly collect personal data from children under 16 without such consent. If you believe a child has provided us with data without proper authorization, please contact us at contact@nutri-bay.com so that we can delete this information. If we learn that a child under the age of 16 has created an account and provided us with data without proper parental authorization, we will take reasonable steps to delete this data and/or close the account. 15. Changes to This Policy We may update this Privacy Policy, including to: - reflect changes to the App or our processing practices; - comply with legal or regulatory developments. We will notify you of significant changes via the App or by any other appropriate means. The “Last Updated” date will be updated accordingly. If you continue to use the App after the updated Policy takes effect, you will be deemed to have accepted it. Where appropriate, we may also display an “in-app” notification to draw your attention to significant changes. 16. Contact If you have any questions regarding this Privacy Policy or how we process your personal data, you can contact us at: Back2Basics Sàrl 15, rue de Grass L-8378 Kleinbettingen Luxembourg Email: contact@nutri-bay.com