Privacy Policy
Last updated 21 May 2025
Who we are
Nutripy B.V. ("we", "us", or "our") respects your privacy and is committed to protecting your personal data in accordance with the General Data Protection Regulation ("GDPR").
- Registered address: Du Meelaan 582D, 2722 ZM Zoetermeer, NL
- Email: contact@nutripy.io
1. Roles and responsibilities
Gym customers are the Data Controllers for any personal data they upload or generate in the Nutripy platform (e.g., member phone numbers, message templates, delivery logs). Nutripy B.V. acts as their Data Processor and processes such data solely on their instructions.
For other data—such as visits to this website, admin‑user accounts, and marketing enquiries—Nutripy B.V. is the Data Controller.
2. Personal data we collect (when we are Controller)
- Identification data: name, phone number, business e‑mail
- Message metadata: timestamps, delivery & read status
- Message content: processed only in encrypted transit queues and deleted within 72 h
- Technical data: IP address, browser type, cookies & usage logs
When we act as Processor, the gym determines which data are uploaded. Please consult the gym’s own privacy notice for details.
3. Legal basis (Controller processing)
For the data where Nutripy is Controller we rely on:
| Data category | Legal basis (Art. 6 GDPR) |
|---|---|
| Identification & metadata | Consent (WhatsApp opt‑in) / Contractual necessity (platform account) |
| Message content (transient) | Contractual necessity |
| Technical logs | Legitimate interest (security) / Legal obligation |
When we act as Processor, the gym—as Controller—determines the legal basis for its member data.
4. Purpose of processing
We use controller‑side data to:
- deliver service and marketing communications via WhatsApp on behalf of gyms;
- provide support and troubleshoot delivery issues;
- monitor performance and compile aggregated statistics.
Processor‑side activities are limited to the purposes defined by the gym Controller.
5. Data sharing
Data are shared only with processors bound by Data‑Processing Agreements (DPAs):
- Twilio Ireland Limited – WhatsApp Business API provider
- Meta Platforms Ireland Limited – WhatsApp network operator
- Hetzner – hosting infrastructure
6. Data retention
- Message logs (Controller): 30 days
- Contact data & templates (Controller): contract lifetime + 12 months
- Encrypted back‑ups: 35‑day rolling window
For Processor data, retention follows the gym’s instructions.
7. Your rights
You may request access, rectification, erasure, portability, restriction, object to processing, and withdraw consent at any time. Send requests to contact@nutripy.io. We will respond within 30 days.
If your request concerns data controlled by a gym, we will forward it to the relevant Controller.
8. International transfers
Where data leave the EEA, we rely on Standard Contractual Clauses and Twilio’s Binding Corporate Rules. Details are available on request.
9. Security
We employ TLS 1.3 in transit, AES‑256 at rest, role‑based access controls, and continuous monitoring.
10. Children
This service is not intended for children under 16. We do not knowingly process such data.
11. Automated decision‑making
We do not perform automated decision‑making that produces legal or similarly significant effects.
12. Cookies
See our Cookie Notice for website‑tracking details.
13. Changes
We may update this notice; the latest version is always available at https://nutripy.io/privacy.
14. Complaints
You may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.