Last updated: November 19, 2025
Privacy Policy
Nutreal Ltd. ("Nutreal", "we") is committed to protecting personal data. This document describes what information we collect, why we need it, how long we keep it, and what rights you have under GDPR.
What data we collect
- Identification data: name, company name, role or position
- Contact data: work email and phone
- Delivery and operations data: business address for tastings, deliveries, and box preferences
- Feedback data: ratings, comments, surveys, tasting forms
- Technical data via Vercel Analytics and Speed Insights: device, browser, pages viewed, performance metrics, IP address (short-term and anonymized)
- We do not collect sensitive personal data
Why we use it
- Organizing tastings, demonstrations, and logistics
- Responding to inquiries and customer support
- Managing subscriptions and preparing regular deliveries
- Sending transactional messages via Resend (confirmations, reminders, statuses)
- Improving the product, website, and internal processes
- Monitoring system integrity, preventing abuse, and ensuring reliability
Automated decisions
We do not use personal data for automated decision-making or profiling. All significant decisions are reviewed by humans.
Legal basis
- Contractual necessity – execution of tastings, deliveries, and support
- Legitimate interest – preventing abuse, improvements, personalized operations, and aggregated analytics
- Consent – for marketing notifications and non-essential cookies (can be withdrawn at any time)
Retention periods
Operational and commercial records are kept while you are an active potential or current client, and for up to 24 months after last contact. Accounting and invoice data is stored for five years in accordance with Bulgarian legislation. Feedback data is anonymized after 12 months, and analytics data follows Vercel's standard periods. When the period expires, we delete or irreversibly anonymize the information.
Who has access
- Nutreal team with role-based access
- Hosting, infrastructure, and analytics services (Vercel, including Vercel Analytics and Speed Insights)
- Email provider: Resend for transactional messages
- Specialized partners who assist with tastings or deliveries, only when necessary
We do not sell personal data. All partners process information only on our behalf under GDPR-compliant contracts.
How we protect data
We host Nutreal on Vercel with TLS encryption in transit, encrypt data at rest, apply the principle of least privilege, and conduct quarterly access reviews. Production data is separated from test environments and we maintain logs for incident response.
International transfers
The primary hosting region is the EU, but providers like Vercel or Resend may process data in the US. For transfers outside the EEA, we rely on Standard Contractual Clauses and partner commitments to protect data under GDPR.
Cookies and tracking
We use strictly necessary cookies for website operation and first-party analytics cookies (Vercel Analytics and Speed Insights) for aggregated metrics. You can block or delete cookies through your browser settings; some features may be limited without them. If we later add marketing or advertising cookies, this section will be updated.
Your GDPR rights
- Access – copy of your personal data
- Correction – correction of incomplete or inaccurate data
- Deletion – erasure when there is no legal basis for storage
- Restriction or objection – for certain processing
- Portability – provision in a structured, machine-readable format
- Withdrawal of consent – for any processing based on consent
To exercise your rights, write to privacy@nutreal.bg. We respond within 30 days and require verification when necessary.
Policy updates
We review this document at least once a year and with any significant change to product, provider, or legal requirement. Substantial changes will be published here with a new effective date. Continued use of services after an update means you accept the updated policy.
Questions or requests?
Write to privacy@nutreal.bg or to Nutreal Ltd., Sofia, Bulgaria. We respond to every inquiry within 30 days and follow GDPR procedures for verification when necessary.
