Privacy Policy

Introduction

We care about your privacy and want to share with you everything we do with your personal data. Throughout the Renourish Privacy Policy, you will be able to verify what rights you have at your disposal, what data we process and with whom we share it, the period for which we keep it, among many other information.

We ensure that this Policy is as transparent and concise as possible. It is important that you read it carefully and calmly, as the privacy we guarantee is only as complete as your knowledge of it.

We also recommend reading the full Regulation 2016/679 of the European Parliament and of the Council, also known as the General Data Protection Regulation (hereinafter, GDPR), where you can find out in more detail about your rights regarding privacy and protection of personal data.

Who We Are

Renourish™ (hereinafter "Renourish"), is the Data Controller in the context of the service you are about to subscribe to.

Renourish's mission is to help create healthier eating habits through education and influencing people's relationship with nutrition.

The Renourish application is designed to help users create healthier eating habits, help them better manage and plan their weekly meals, as well as assist in choosing the best recipes and ingredients for their needs, including help in preparing these recipes.

It also provides personalized nutritional monitoring for clients followed by a partner nutritionist.

Scope of Application of this Policy

This Privacy Policy applies to all users who use nutritional monitoring services as a Client ("User"). Within the scope of these services, Renourish may be considered, under the GDPR, as a Joint Controller or Data Controller of Users' personal data.

Processing of Special Categories of Personal Data

Within the scope of the nutritional monitoring services provided by Renourish, data relating to Users' health may be processed, which are classified as special categories of personal data under Article 9 of the GDPR. This data includes, namely, information about eating habits, health conditions relevant to nutritional monitoring, food allergies, intolerances, nutritional goals and other health information provided by the User.

The processing of this data is essential for the adequate provision of nutrition and personalized monitoring services. In accordance with Article 9(2)(a) of the GDPR, the processing of these special categories of personal data is based on the explicit consent of the User, which is collected clearly and unequivocally at the time of registration or appointment booking.

Additionally, under Article 9(2)(h) of the GDPR, the processing of health data may be necessary for the purposes of preventive or occupational medicine, assessment of the employee's working capacity, medical diagnosis, provision of health or social care or treatment, or management of health or social care systems and services.

It is important to emphasize that the health data collected by Renourish is shared with nutrition Professionals to enable the provision of nutritional monitoring services. These Professionals are subject to professional secrecy and their own legal obligations regarding the protection of personal data, being responsible for the subsequent processing of this data within the therapeutic relationship established with the User.

The User has the right to withdraw their consent at any time, without compromising the lawfulness of processing based on consent previously given. However, withdrawal of consent may make it impossible to continue providing nutritional monitoring services.

Protection of Minors' Data

Renourish recognizes the importance of protecting minors' personal data and is committed to ensuring that the processing of this data is done in full compliance with the GDPR and other applicable legislation.

In accordance with Article 8 of the GDPR, the processing of personal data of minors under 16 years of age is only lawful if and to the extent that consent is given or authorized by the holders of parental responsibility. For users under 16 years of age, it is necessary to obtain consent from parents or legal representatives before proceeding with registration and use of Renourish services.

Holders of parental responsibility have the right to access, rectify or request the deletion of their minor children's personal data, as well as exercise all rights provided for in the GDPR on their behalf. For this purpose, they can contact us through the contacts provided in the "Contacts" section of this Policy.

If we become aware that we have collected personal data from a minor without proper parental consent, we will take the necessary measures to delete this data from our systems as quickly as possible.

Purposes of Processing and Legal Basis

The collection and processing of data is fundamental to the operation of Renourish's nutritional monitoring service. It is based on this data that our project is built and it is this data that allows us to provide you with a reference service, putting you in contact with the best nutritionists on the market and simplifying the booking of nutrition consultations. In this context, Renourish processes your data with the following purposes and bases:

User Registration on the Platform: registration with Renourish allows us to properly identify the User and the use they make of the application. Furthermore, this is the data we consider essential for the contractual relationship between the User and Renourish to be regularly established, within the scope of providing this service. Depending on the service, we may request the following registration data: full name, email and password. Optionally, the User may provide their tax identification number for issuing invoices, in the case of in-app purchases and subscriptions. The legal basis, in this context, is the performance of the contract and the legitimate interest of Renourish, under art. 6(1)(b) and (f) of the GDPR.

Appointment Scheduling on the Platform: scheduling an appointment with Renourish allows us to properly associate the User with a Professional and desired consultations. For this, this is the data we consider essential for the regular establishment not only of the contractual relationship between the User and Renourish, within the scope of providing this service, but also the pre-contractual relationship between the User and the Professional that is formed with the booking of the appointment. Depending on the service, we may request the following scheduling data: full name, country of residence, language, email, phone number, consultation objective, as well as optionally the tax identification number for issuing invoices. The legal basis, in this context, is the performance of the contract and the legitimate interest of Renourish, under art. 6(1)(b) and (f) of the GDPR.

Nutrition Consultation Services: one of Renourish's primary objectives is to allow the User to schedule nutrition consultations remotely and their nutritional monitoring with a Professional chosen from a list of professionals. For this to be possible, Renourish makes available to the Professional the User's personal data relevant for booking the consultation, making the connection between the parties and thus acting as an intermediary. Renourish may process personal data related to the evaluation of service activation and success metrics. The legal basis, in this context, is the performance of the contract and the legitimate interest of Renourish, under art. 6(1)(b) and (f) of the GDPR.

Processing, support and analysis: this type of data collection is primarily intended to facilitate our team's work whenever you need our support and to collect information related to the use of the platform. This is information that allows for quick resolution of problems on our platforms or their improvement and which, otherwise, would not allow us to ensure the normal operation of our service and its maintenance. The legal basis, in this context, is consent and the legitimate interest of Renourish under art. 6(1)(f) of the GDPR.

Regarding processing purposes that have as legal basis a Legitimate interest of Renourish, you can request our Legitimate Interests Assessment at any time (only available for consultation in Portuguese).

Retention Period

Renourish will only keep your data for the period necessary to fulfill the purposes defined in this Policy or for the period required by applicable legal or regulatory norms. In accordance with the principle of storage limitation provided for in Article 5 of the GDPR, we have established the following specific periods for each data category:

• Registration and profile data: kept while the account is active and until the deletion request by the User.

• Billing data: tax identification number, invoices and payment receipts are kept for 10 years after issuance, in compliance with tax and accounting obligations provided for in Article 52 of the Corporate Income Tax Code.

• Health data and consultation history: kept during the active nutritional monitoring period and up to 5 years after the last consultation held, or until deletion request by the User, whichever comes first.

• Technical support data: records of communications, tickets and support interactions are kept for up to 3 years after the request is resolved.

• Security backups: data contained in security backups are retained for up to 90 days after deletion of data from main systems.

• Recovery period after account deletion: when the User requests deletion of their account, a retention period of 30 days is granted to allow recovery in case of accidental deletion. After this period, all personal data is permanently deleted from our systems, with the exception of billing data that must be kept for the legally required period.

It is important to emphasize that Renourish is completely unrelated to the processing of personal data carried out by the nutrition Professional within the therapeutic relationship established. The deletion of data relating to the User's Renourish account does not imply the simultaneous deletion of personal data processed by the Professional, who is subject to their own retention periods and legal obligations regarding clinical records.

Transmission of Data to Third Parties

Some of the information you provide us may be processed by third parties external to our team. We have limited this sharing to the minimum necessary to continue operating efficiently and, although in many of the cases listed here there is no true data transfer in the classic sense of the term, we make available to you the list of subcontractors and respective categories of data to which they have access.

• Nutrition professionals: the personal data you provide us within the scope of the appointment booking service is transmitted to the Professional so that they can manage and book consultations. The data in question are: full name, country of residence, language, email, phone number, consultation objective, as well as optionally the tax identification number for issuing invoices.

• Data storage and processing (AWS): we use Amazon Web Services (AWS) services for storage, processing and backup of your personal data. The servers are located in the Ireland region (EU), ensuring that your data remains in the European Economic Area and is protected securely and encrypted, in accordance with GDPR standards.

• Subscription and payment management (RevenueCat): for subscription management and in-app payment processing, we use the services of RevenueCat, Inc., headquartered in the United States of America. RevenueCat processes information related to your purchases and subscriptions, including user identifiers and transaction data. Data transfers to the United States are carried out on the basis of Standard Contractual Clauses approved by the European Commission, under Article 46 of the GDPR, ensuring an adequate level of protection of your personal data.

• Payment processing (Google Pay and Apple Pay): to ensure certain payments, users can choose to use Google Pay and Apple Pay services. In these circumstances, your payment information will be processed directly by these entities, which may collect additional information, such as your billing address and bank details, in accordance with their respective privacy policies.

All subcontractors with whom we work are bound by contractual obligations of confidentiality and data protection, processing personal data only in accordance with our instructions and in compliance with the GDPR and other applicable legislation.

User Rights

We want to ensure that your rights are fully respected. In situations where the automatic mechanisms already implemented do not allow us to fully ensure these rights, you can contact us at geral@renourish.pt to enforce them.

• Right of access: the data subject has the right to access information concerning them and to know the purposes of processing their personal data, the categories of data processed, among other information.

• Right to rectification: the data subject has the right to obtain the correction of inaccurate or incomplete personal data, being given, whenever compatible with the processing purposes, the right to rectify them.

• Right to erasure of data ("right to be forgotten"): the data subject has the right to the deletion of their personal data, without undue delay.

• Rights of objection and limitation of processing: the rights of objection and limitation of processing may be exercised, if applicable, via email, to one of the contacts provided above. In specific situations, you can exercise this right automatically through the links provided for this purpose, such as, for example, in the case of advertising communications by email.

• Right to portability: the data subject has the right to receive, in a digital, reusable format, all information concerning them that has been provided by them.

• Right to withdraw consent: whenever data processing is carried out based on your consent, you may withdraw consent at any time. Withdrawal of consent does not compromise the lawfulness of processing based on consent previously given.

• Objection to automated individual decisions: automated individual decisions, including profiling, that produce significant effects on the legal sphere of Users are not applied.

Security

The security of your data and the services we provide are one of our highest priorities. As such, we regularly analyze our platforms and respective servers to ensure that all measures are taken to mitigate security risks, using the most current encryption and surveillance and audit techniques. These measures may be reflected only on our servers or, then, have an immediate reflection on our platforms, such as the requirement for greater password complexity, new SSL certificates, among others.

Policy Update

Renourish's Privacy Policy is subject to constant and periodic review. As a result of legal and jurisprudential evolution and recommendations issued by supervisory authorities or, also, changes to our business model, among others, we may have to make changes to it. We recommend that you visit this page regularly and keep up to date with the most recent updates. We will always alert you when we make substantial changes that may affect your rights.

Contacts

If at the end of this reading you still have doubts or to exercise your rights, please contact us at:

Eduardo Martins

Data Protection Officer

Supervisory Authority

Without prejudice to any complaints you may submit to Renourish or our Data Protection Officer, through the contacts provided on this page, you may also submit a complaint to the National Data Protection Commission (CNPD), the competent supervisory authority in Portugal for the protection of personal data.

National Data Protection Commission (CNPD)

Av. D. Carlos I, 134, 1.º

1200-651 Lisbon, Portugal

Tel.: (+351) 213 928 400

Fax: (+351) 213 976 832