1. Introduction
NutriFix ("NutriFix", "we", "us", or "our") is operated by Activ-X Sport Vision, a company registered at Calea Dorobanti 126-130, Bucharest, Romania ("the Company"). We provide a personalized nutrition and health optimization platform accessible via our website and application (collectively, "the Service").
We take your privacy seriously. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and what rights you have.
This policy applies to users in all regions. If you are located in the UK or European Economic Area (EEA), additional rights apply under the UK GDPR and EU GDPR respectively. If you are located in California, additional rights apply under the CCPA/CPRA.
If you do not agree with this policy, please do not use the Service.
2. Data Controller
The data controller responsible for your personal data is:
Activ-X Sport Vision
Calea Dorobanti 126-130, Bucharest, Romania
Contact: [email protected]
For UK/EEA users, we are the data controller within the meaning of the UK GDPR / EU GDPR.
3. Data We Collect
We collect the following categories of personal data:
3.1 Account and Identity Data
- Email address
- Username
- Profile picture
- Region (US or UK)
- Date of birth
- Biological sex
- Ethnicity
3.2 Health and Biometric Data (Special Category)
We collect the following health-related data, which is classified as special category data under the UK GDPR and EU GDPR:
- Weight, height, body fat percentage
- Activity level, fitness goals, exercise frequency
- Medical conditions (including but not limited to: diabetes, hypertension, coeliac disease, cancer, IBD, pregnancy, and up to 23 tracked conditions)
- Current medications (free text)
- Allergies and intolerances (14+ categories plus free text)
- Dietary philosophy and food preferences
- Daily physiological self-reports (energy, mood, satiety, cravings — scored 1–10)
- Meal compliance and deviation logs
3.3 Genetic Data (Special Category)
- Raw genetic data files uploaded from consumer testing providers (23andMe, AncestryDNA, FGA, Opus)
- Normalized SNP (single nucleotide polymorphism) records derived from those files
Genetic data is classified as special category data under the UK GDPR / EU GDPR and is subject to heightened protection.
3.4 Biomarker and Laboratory Data
- Blood test results ordered via DirectLabs (US) or Randox (UK)
- Test values, units, normal ranges, health scores, and timestamps
- Longitudinal results across multiple test rounds
3.5 Dietary and Behavioral Data
- Macronutrient and micronutrient tracking data
- Shopping list contents and modifications
- Daily meal plan interactions and feedback
3.6 Financial and Transaction Data
- Payment transactions processed via PayPal
- Order history and fulfillment status
- We do not store credit or debit card numbers. All payment data is handled directly by PayPal.
3.7 Technical and Usage Data
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and features used
- Referral source
- Session duration and click behavior (via Google Analytics)
3.8 Communications Data
- Email communications sent or received through the platform
- In-app notification preferences and interaction history
4. How We Collect Data
- Directly from you: when you register, complete the health questionnaire, upload genetic files, log meals, or make purchases.
- Automatically: when you use the Service, via cookies, analytics tools, and server logs.
- From third parties: when you sign in using Google or Facebook OAuth, we receive limited profile data (email, name, profile picture) from those providers.
5. Why We Collect and Use Your Data
5.1 Legal Bases (UK/EU Users)
| Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b)) |
| Delivering personalized meal plans | Contract + Explicit Consent (Art. 6(1)(b) + Art. 9(2)(a)) |
| Processing health questionnaire data | Explicit Consent (Art. 9(2)(a)) |
| Processing genetic data | Explicit Consent (Art. 9(2)(a)) |
| Processing biomarker/lab data | Explicit Consent (Art. 9(2)(a)) |
| Payment processing | Contract (Art. 6(1)(b)) |
| Sending transactional emails | Contract (Art. 6(1)(b)) |
| Analytics and service improvement | Legitimate Interests (Art. 6(1)(f)) / Consent for cookies |
| Legal obligations and compliance | Legal Obligation (Art. 6(1)(c)) |
5.2 Purposes of Processing
- Creating and managing your account
- Generating personalized meal plans, supplement recommendations, and genetic dietary insights
- Processing biomarker test orders and returning results
- Processing payments for genetic kits, lab tests, and supplements
- Sending transactional and service notifications via email
- Improving the accuracy of our recommendation algorithms
- Detecting and preventing fraud and abuse
- Complying with legal obligations
6. Special Category Data — Additional Safeguards
Health data, genetic data, and biomarker data are classified as special category data. We apply additional safeguards:
- We only process this data with your explicit, separately given consent, obtained at the point of data collection (not buried in these terms).
- Genetic files are encrypted at rest using Fernet symmetric encryption.
- Access to special category data is restricted to authorized systems and personnel with a documented need.
- You may withdraw consent for processing special category data at any time (see Section 10).
7. AI-Generated Content
NutriFix uses Google Gemini AI to generate meal recipes. When generating recipes, we send meal ingredient names and quantities to Google's API. We do not send your name, health data, genetic data, or any other personally identifiable information to the AI model.
AI-generated content is not verified by a licensed dietitian. See our Medical / Health Disclaimer for more detail.
8. Sharing Your Data
We share data with the following third parties for the purposes described:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Google LLC | OAuth login, analytics (Google Analytics), AI recipe generation (Gemini) | Profile data (login); usage data (analytics); ingredient lists (Gemini) |
| Meta Platforms, Inc. | OAuth login | Email, name, profile picture |
| PayPal, Inc. | Payment processing | Order amounts, email address |
| DirectLabs | US biomarker lab test ordering and results | Order IDs, test results |
| Randox Laboratories Ltd | UK biomarker lab test ordering and results | Order IDs, test results |
| Personalized Nutrients | Custom supplement formulation and pricing | Ingredient lists, quantities |
| Mailgun (Sinch) | Transactional email delivery | Email address, notification content |
We do not sell your personal data to third parties. We do not share health or genetic data with advertising networks.
Where required under the UK GDPR / EU GDPR, we have, or will establish, Data Processing Agreements (DPAs) with each of the above parties before processing your data through their services.
9. Cookies
We use the following categories of cookies:
| Category | Examples | Can be rejected? |
|---|---|---|
| Strictly necessary | Session authentication cookies | No — required for the Service to function |
| Functional | User preference cookies | No — required for personalization |
| Analytics | Google Analytics | Yes — via cookie consent banner |
| Marketing | (none currently) | N/A |
You can manage your cookie preferences at any time via the cookie consent banner displayed on first visit to the website. For more detail, see our separate Cookie Policy.
10. Your Rights
All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your account and associated data ("right to be forgotten").
- Portability: Request an export of your data in machine-readable format.
- Withdraw consent: Withdraw consent for special category data processing at any time. This does not affect the lawfulness of processing before withdrawal.
UK and EU Users (UK GDPR / EU GDPR)
All rights above, plus:
- Restriction: Request restriction of processing in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk (UK users) or your local supervisory authority (EU users).
California Users (CCPA/CPRA)
- Right to know what personal information is collected, used, shared, or sold.
- Right to delete personal information.
- Right to opt out of the sale of personal information (we do not sell personal information).
- Right to non-discrimination for exercising CCPA rights.
To exercise any of these rights, contact us at: [email protected]
We will respond within 30 days (UK/EU) or 45 days (US/California) of receiving a verifiable request.
11. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 2 years after deletion request |
| Health questionnaire data | Duration of account + 2 years after deletion |
| Genetic files (raw) | Deleted immediately upon account deletion request, or upon withdrawal of genetic data consent |
| Genetic SNP records | Deleted upon account deletion or consent withdrawal |
| Biomarker results | Duration of account + 2 years after deletion |
| Financial transaction records | 7 years (legal/tax obligation) |
| Usage and analytics data | 26 months (Google Analytics default) |
You may request deletion of your data at any time. Certain financial records may be retained longer where required by law.
12. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of genetic files at rest (Fernet symmetric encryption)
- HTTPS encryption for all data in transit
- Password hashing for account credentials
- Email verification required at registration
- Access controls limiting staff access to personal data
- Regular security reviews
No system is 100% secure. If you believe your account has been compromised, contact us immediately at [email protected].
13. International Data Transfers
NutriFix operates across the US and UK. Data may be processed by our service providers in the United States and other countries. Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO
- Adequacy decisions where applicable
14. Children
The Service is intended for users aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided us with personal data, please contact us at [email protected] and we will delete it promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and/or an in-app notification before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.
Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
16. Contact Us
For privacy-related questions, data requests, or to exercise your rights:
- Email: [email protected]
- Post: Activ-X Sport Vision, Calea Dorobanti 126-130, bl 8, ap 53, Bucharest, Romania
For urgent security concerns: [email protected]