Nutrium's Privacy Policy - Client

Introduction

We care about your privacy and want to share with you everything we do with your personal data. Throughout Nutrium's Privacy Policy you can see what rights you have at your disposal, what data we process and with whom we share it, the period for which we keep it, and much more.

We have made sure that this Policy is as transparent and concise as possible. It is important that you read it carefully and calmly, as the privacy we guarantee is only as complete as your knowledge of it.

We also recommend that you read the full Regulation 2016/679 of the European Parliament and of the Council, also known as the General Data Protection Regulation (hereinafter GDPR), where you can find out more about your rights in terms of privacy and the protection of personal data.

Who We Are

Healthium - Healthcare Software Solutions, S.A. (hereinafter "Healthium") with head office at Rua Andrade Corvo, n.º 242, 1st floor, Room 106, postal code 4700-204 Maximinos, city of Braga, registered at the Commercial Registry Office under the single registration and legal person identification number 513 624 503, is the Data Controller for the service you are about to subscribe to.

Healthium is dedicated to developing nutrition software and services. Its mission is to make the world healthier by improving, educating, and influencing the relationship people have with nutrition through two complementary business verticals: a SaaS for nutrition professionals, and a nutritional wellness service for companies.

The first vertical, Nutrium SaaS, is a tool that allows these professionals to holistically manage their work, their clients, and their relationship with those clients, namely through a mobile application.

The second vertical, Nutrium Care, is the application of this network of nutritionists to promote well-being in companies, helping their employees to stay healthier, lose weight, improve mental and physical performance, and helping them to better manage and plan their weekly meals.

Scope of this Policy

This Privacy Policy applies to all users who use Nutrium's nutritional monitoring services from a client perspective ("User"), including Nutrium Care or Nutrium Care Family users. Within the scope of these services, Healthium may be considered, in the light of the GDPR, as Co-Responsible or Responsible for the Processing of Users' personal data.

Processing Purposes and Legal Basis

The collection and processing of data is fundamental to the functioning of Nutrium's nutritional monitoring service. It is based on this data that our project is built and it is this data that allows us to provide you with a reference service, putting you in touch with the best nutritionists on the market and simplifying the booking of nutrition appointments. In this context, Healthium processes your data for the following purposes and on the following grounds:

User Registration on the Platform: registering with Nutrium allows us to properly identify the User and correctly associate them with the desired Professionals and consultations. In addition, this is the data that we consider indispensable for the regular fulfillment not only of the contractual relationship between the User and Healthium, within the scope of the provision of this service, but also of the pre-contractual relationship between the User and the Professional that is formed with the appointment. Depending on the service, we may request the following registration data: full name, gender, country of residence and state of residence, date of birth, email address, and cell phone number, as well as the company and department to which the User is linked. The legal basis for this is the performance of the contract and Healthium's legitimate interest, in accordance with Article 6, nº 1, subparagraphs b) and f) of the GDPR.

Provision of Services: the primary objective of the service is to allow the User to schedule remote nutrition consultations and nutritional monitoring with a Professional chosen from a list of professionals who are subscribed to the Nutrium service. In order to make this possible, Healthium provides the Professional with the User's personal data relevant to the appointment, connecting the parties and thus acting as an intermediary. In addition, within the scope of Nutrium Care and Nutrium Care Family, Healthium may process personal data related to payments and with the evaluation of activation, billing, and service success metrics. The legal basis for this is the performance of the contract and Healthium's legitimate interest, pursuant to Article 6, nº 1, subparagraphs b) and f) of the GDPR.

Sending direct communications: Healthium may send direct communications, by email or through notifications and text messages, relating to the service provided, such as: appointment reminders; dissemination of professionals; dissemination of new services; newsletters, among other communications. The legal basis for this is Healthium's legitimate interest under the terms of Article 6, nº 1, subparagraph f) of the GDPR.

Processing, support, and analysis: this type of data collection is mainly intended to facilitate the work of our team when you need our support and to collect information regarding the use of the platform. This is information that allows us to quickly resolve problems with our platforms or improve them, and which would otherwise not allow us to guarantee the normal functioning of our service and its maintenance. The legal basis in this regard is consent (we refer specifically to cookies) and Healthium's legitimate interest under Article 6, nº 1, subparagraph f) of the GDPR.

With regard to processing purposes that are legally based on a legitimate interest of Healthium, you can ask us to consult our Legitimate Interests Assessment at any time (only available in Portuguese and English).

Integration with Google apps and devices (e.g., Health Connect and Google Calendar): When the Client chooses to integrate Google apps with the Nutrium app—specifically Health Connect, Google Fit, or Google Calendar—personal data from these apps may be collected. In the case of Health Connect, this integration allows the reception of health and wellness data from the User, such as physical activity, distance, calorie expenditure, and steps, whenever the User expressly grants permission. These data are used exclusively to enhance the nutritional monitoring experience, enabling the Professional to provide more comprehensive and personalized follow-up. The processing of these data is based on the Client’s explicit consent, as per Article 6, nº1, line a), of the GDPR, and the Client is free to revoke this consent at any time via the application's settings or the Google platform. These data are not used for any purposes other than providing the contracted service. For more information on how Google processes your personal data, you can refer to Google Privacy Policy.

Storage Period

Healthium will only keep your data for as long as necessary to fulfill the purposes defined in this Policy or for as long as required by applicable legal or regulatory standards. The User's data is kept for as long as the account is not deleted at the User's request. From that moment on, all personal data is permanently deleted.

It is important to emphasize that Healthium is totally uninvolved in the processing of personal data carried out by the Professional, so the deletion of data relating to the User's Nutrium account does not imply the simultaneous deletion of personal data processed by the Professional.

Transmission of Data to Third Parties

Some of the information you provide may be processed by third parties outside our team. We have limited this sharing to the bare minimum so that we can continue to operate efficiently and, although in many of the cases listed here there is no real transfer of data in the classic sense of the term, we provide you with a list of potential third parties and the respective categories of data to which they have access.

• Nutrition professionals: the personal data you provide us with as part of the appointment booking service is passed on to the professional so that they can manage and book appointments. The data in question is your full name, gender, country of residence, date of birth, email address, and cell phone number.
• Analysis of software use: we use applications designed to analyze the use of our software, such as Google Analytics. These applications collect small pieces of information about your mobile devices and browsers and your general use of the platform. It is therefore a set of data that allows us to know precisely how you use the platform, the country, the date and time you enter the platform, among other information. We also collect data such as your IP address, the browser you use and its version, your language, your operating system, etc.
• Communications: the mailing and management of newsletters and contacts are processed by companies external to Healthium that specialize in sending mass emails and managing advertising campaigns, such as Mailjet.
• Support: we use external applications to provide you with support, for example via chat.
• Data storage and processing: your personal data is stored, processed, and backed up securely and encrypted by hosting and computing companies located mainly in Europe.
• Audits and maintenance: your data may be accessed as part of independent audits to control the quality and security of our services. All audits are subject to confidentiality and are closely monitored by the Healthium team. We also use external software to help us detect and correct errors.
• Payment processing: to ensure certain payments, we use subcontractors who specialize in this type of operation, such as the Stripe service. In these circumstances, your payment information will be processed by these entities, which may collect additional information, such as your billing address and bank details.
• Where the transmission of personal data to third parties involves an international transfer of personal data, Healthium:
  • will carry out such a transfer on the basis of an adequacy decision by the Commission, pursuant to which the country or international organization concerned guarantees a level of protection of personal data equivalent to that deriving from European Union legislation;
  • if there is no adequacy decision by the Commission, it will ensure that such data transfers are carried out in strict compliance with legal provisions and that adequate guarantees are implemented to ensure the protection of personal data.
• Sharing with the referrer: the User's name and photo are shared with the User who has sent an invitation to Nutrium Care Family.
• Sharing with partners: In the context of subscribing to the Nutrium Care service, whether through direct partnerships with Adhering Entities - such as employers - or indirect partnerships via benefits platforms - such as Wellhhub, Vale Saúde, Deel, among others - some of the users’ personal data may be shared with these partners. This sharing is based on Healthium’s legitimate interests and the execution of the contract, and is intended exclusively to evaluate the performance and success of the partnerships, to ensure the verification of activation and billing metrics, and to provide a more tailored and personalized service to users’ needs. The data shared may include information such as name, telephone contact, or user IDs, as well as information on registration in the program and the number of appointments carried out, strictly for the purpose of verifying the use of the service, ensuring that the identification of users is reduced to the minimum necessary for the purposes described. It should be noted that more sensitive data, such as medical records or information, may be shared exclusively in an aggregated and anonymized form, guaranteeing that it is not possible to identify users individually.

User Rights

We want to ensure that your rights are fully respected. In situations where the automatic mechanisms already in place do not fully guarantee these rights, you can contact us at privacy@nutrium.com or dpo@nutrium.com to make them effective.

• Right of access: the holder of personal data has the right to access information concerning them and to know the purposes for which their personal data is processed, the categories of data processed, among other information.
• Right to rectification: the data subject has the right to obtain the correction of inaccurate or incomplete personal data and, where compatible with the purposes of the processing, is given the right to rectify it.
• Right to erasure (“right to be forgotten”): the data subject has the right to have their personal data erased without undue delay.
• Rights of opposition and limitation of processing: the rights of opposition and limitation of processing can be exercised, if applicable, by emailing one of the contacts provided above. In specific situations you can exercise this right automatically via the links provided for this purpose, for example in the case of advertising communications by email.
• Right of portability: the data subject has the right to receive, in a digital, reusable format, all the information that concerns them and that they have provided.
• Right to withdraw consent: whenever data processing is carried out on the basis of your consent, you may withdraw your consent at any time. Withdrawal of consent does not compromise the lawfulness of the processing carried out on the basis of the consent previously given.
• Opposition to automated individual decisions: automated individual decisions, including profiling, that have significant effects on the legal sphere of Users are not applied.

Security

The security of your data and the services we provide is one of our top priorities. As such, we regularly analyze our platforms and their servers to ensure that all measures are taken to mitigate security risks, using the latest encryption, surveillance, and auditing techniques. These measures may only apply to our servers, or they may have an immediate impact on our platforms, such as requiring more complex passwords, new SSL certificates, two-step verification, etc.

Policy update

Nutrium's Privacy Policy is subject to constant and periodic review. As a result of legal developments, case law, and recommendations issued by supervisory authorities or changes to our business model, among others, we may have to change it. We recommend that you visit this page regularly and keep up to date with the latest updates. We will alert you whenever we make substantial changes that could jeopardize your rights.

Supervisory authority

Without prejudice to any complaints you may lodge with Healthium or our Data Protection Officer through the contacts provided on this page, you may also lodge a complaint with the supervisory authority in your country.