Privacy Policy

What data we collect

• Identity data: name, company name, role or job title
• Contact data: business email and phone number
• Delivery & operational data: company address for tastings, subscription deliveries, and snack preferences where applicable
• Feedback data: ratings, comments, survey responses, tasting evaluations
• Technical data collected automatically via Vercel Analytics and Vercel Speed Insights (device, browser, page views, performance metrics, short-term anonymised IP addresses)
• We do not collect sensitive personal data

Why we collect it

• Organising tastings, demos, and delivery logistics
• Responding to enquiries and providing customer support
• Managing subscriptions and preparing recurring box deliveries
• Sending transactional messages via Resend (confirmations, reminders, delivery updates)
• Improving product experience, website performance, and operational workflows
• Monitoring system integrity, preventing abuse, and ensuring service reliability

Automated decision-making

We do not use personal data for automated decision-making or profiling. All decisions with legal or similarly significant effects are reviewed by humans.

Legal bases

• Contractual necessity – fulfilling tasting requests, deliveries, and support obligations
• Legitimate interest – preventing misuse, improving services, personalising operations, and understanding aggregated engagement
• Consent – optional marketing communications and non-essential cookies (withdrawable at any time)

How long we keep data

Operational and commercial records are stored while you remain an active prospect or customer and for up to 24 months after the last interaction. Accounting and invoicing information is retained for up to five years under Bulgarian requirements. Feedback data is anonymised after 12 months and analytics data follows Vercel’s default retention periods. When a retention window closes we delete or irreversibly anonymise the data.

Who can access your data

• Nutreal team members with role-based access
• Hosting, infrastructure, and analytics providers (Vercel, including Vercel Analytics and Speed Insights)
• Email provider: Resend for transactional communication
• Specialist partners supporting tastings or operations, only when necessary

We never sell personal data. All third parties process information on our behalf under GDPR-compliant Data Processing Agreements (DPAs).

How we protect your data

We host Nutreal on Vercel with TLS encryption in transit, encrypt data at rest, enforce least-privilege access, and review permissions quarterly. Production data is isolated from testing environments, and we keep activity logs for incident response.

International transfers

Our primary hosting region is the EU, but service providers such as Vercel or Resend may process data in the United States. When data leaves the EEA, we rely on Standard Contractual Clauses and provider commitments to maintain GDPR-level safeguards.

Cookies and tracking

We use strictly necessary cookies for site functionality and first-party analytics cookies via Vercel Analytics and Speed Insights for aggregated performance insights. You can block or delete cookies in your browser settings; some features may be limited without them. If we later introduce marketing or advertising cookies, this section will be updated.

Your GDPR rights

• Access – request a copy of your personal data
• Rectification – update incomplete or inaccurate data
• Erasure – ask us to delete data when there is no legal reason to keep it
• Restriction or objection – limit or oppose certain processing activities
• Portability – receive your data in a structured, machine-readable format
• Withdraw consent – for any processing based on consent

To exercise any right, email privacy@nutreal.bg. We respond within 30 days and may request proof of identity.

Updates to this policy

We review this notice at least once per year and whenever we add new products, vendors, or legal requirements. Material changes will be announced on this page with a new effective date. Continued use of Nutreal after an update means you accept the revised policy.