NutriFind

Privacy Policy

Last updated: 7 June 2026

1. Who We Are

We are NutriFind Limited, a company registered in England and Wales (company number 16754201). Registered office: 70 Lovibonds Avenue, Orpington, BR6 8EW.

NutriFind Limited is registered with the UK Information Commissioner's Office (ICO) under registration number ZC168444.

NutriFind operates as both a data controller (for data about you, the dietitian user) and a data processor (for data about your clients, which you control). This policy addresses both roles.

For questions or to exercise your rights, contact us at: contact@nutrifind.ai

2. Data We Collect About You

When you register and use NutriFind, we collect:

  • Account data: name, email address, password (hashed — we never store plaintext passwords);
  • Professional details: any qualification or registration information you provide;
  • Usage data: pages visited, features used, timestamps — used to improve the Service;
  • Payment data: subscription tier and billing dates. Payment card details are processed by Stripe and never stored on our servers;
  • Credit activity: AI credit usage and balance;
  • Communications: emails you send to us for support purposes.

3. How We Use Your Data

We use your data to:

  • Provide and maintain your account and the Service;
  • Process subscription payments via Stripe;
  • Send transactional emails (account confirmations, invoices, critical service notices);
  • Improve the Service through aggregated, anonymised usage analytics;
  • Meet our legal obligations.

We do not sell your personal data to third parties. We do not use your data for advertising.

4. Legal Bases for Processing (UK GDPR)

Purpose | Legal basis
Providing the Service | Contract (Article 6(1)(b))
Processing payments | Contract (Article 6(1)(b))
Sending service emails | Legitimate interests (Article 6(1)(f))
Legal compliance | Legal obligation (Article 6(1)(c))
Usage analytics | Legitimate interests (Article 6(1)(f))

5a. Your Client Data — Our Role as Data Processor

When you store client information in NutriFind (client profiles, session notes, progress logs, documents), you are the data controller and we act as your data processor. We process that data only on your instructions and only to provide the Service to you.

You are responsible for:

  • Having a lawful basis to process your clients' personal data;
  • Providing your clients with an appropriate privacy notice;
  • Handling data subject rights requests from your clients.

If you require a formal Data Processing Agreement, contact us at contact@nutrifind.ai.

5b. Consumer Portal Accounts

When a client accepts an invitation to create a NutriFind consumer portal account, NutriFind becomes a data controller for their account-specific data (name, email address, password hash, session cookie). The clinical content they can view in their portal — session notes, meal plans, progress reports — remains data for which you are the data controller; NutriFind processes it as your data processor. The consumer portal account is a separate data relationship between NutriFind and your client.

5c. Intake Form Submissions

Intake form data: when a client submits an intake form via the tokenised link, their answers are not sent to any AI service. They are stored against the client record exactly as submitted and visible only to the dietitian. The token grants one-time access to complete the form and does not create a consumer portal account.

6. Cookies and Analytics

We use essential cookies to maintain your logged-in session. We do not use advertising cookies or cross-site tracking. We may use privacy-respecting, cookieless analytics tools that do not require consent; if we change this, we will update this policy and seek consent where required.

7. AI Tools and Third-Party AI Processing

When you use our AI Tools (meal plan generation, progress reports, client emails, menu analyses), we transmit certain inputs to Anthropic, the company that provides our underlying AI model.

What we send to Anthropic:

  • Free-text inputs you provide (health goals, dietary preferences, clinical notes, purposes);
  • Uploaded images (for menu analysis);
  • Contextual parameters (number of days, calorie targets, etc.).

What we do not send to Anthropic:

  • Your clients' names — these are stripped before transmission;
  • Any other direct identifiers, provided you follow our Acceptable Use Policy.

What Anthropic does with this data:

This data is retained by Anthropic for up to 30 days for abuse monitoring, then deleted. It is not used for model training.

Your responsibility: Do not enter client names, NHS numbers, or other identifying information into AI free-text fields. See our Acceptable Use Policy for full details.

8. File Storage

Uploaded files (e.g., menu images for analysis) are stored in Cloudflare R2, a secure cloud object storage service operated by Cloudflare. Files are stored in a private bucket accessible only through our application.

9. Email

We use Postmark to send transactional emails (account confirmations, invoices, service notifications). Postmark receives the recipient email address and email content necessary to deliver the message. Postmark does not use this data for its own marketing purposes.

10. Payments

Stripe processes all subscription payments. When you enter payment details, they are transmitted directly to Stripe and never pass through our servers. Stripe is PCI-DSS certified. We receive confirmation of payment status and your subscription tier from Stripe.

11. Data Retention

Data type | Retention
Account data | For the duration of your account, plus 30 days after closure
Client data | As above — deletion requests can be made at any time
Payment records | 7 years (legal obligation)
Usage logs | 90 days, then deleted

You can request deletion of your account and data at any time by emailing contact@nutrifind.ai. We will process deletion requests within 30 days.

12. Your Rights Under UK GDPR

You have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate or incomplete data;
  • Erase your data (subject to our legal retention obligations);
  • Restrict processing in certain circumstances;
  • Data portability — receive your data in a machine-readable format;
  • Object to processing based on legitimate interests;
  • Withdraw consent where processing is based on consent.

To exercise any of these rights, email contact@nutrifind.ai. We will respond within one month.

13. Supervisory Authority

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

We would welcome the opportunity to resolve any concern directly before you contact the ICO.

14. International Transfers

Some of our third-party providers (Anthropic, Cloudflare, Stripe, Postmark) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK ICO or adequacy decisions.

15. Security

We implement appropriate technical and organisational measures to protect your data, including:

  • TLS encryption for all data in transit;
  • Hashed passwords (never stored in plaintext);
  • Access controls limiting who within our team can access production data;
  • Regular review of our security practices.

No system is completely immune to breach. In the event of a data breach affecting your rights and freedoms, we will notify you and the ICO as required by law.

16. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or in-app notice at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

17. Contact

For questions about this policy, please contact us at:

NutriFind

Email: contact@nutrifind.ai

Website: nutrifind.ai