pursuant to article 13 of EU Regulation 679/2016


Nutribook s.r.l.s. in the person of the legal representative pro tempore, with registered office in San Lazzaro di Savena (BO) Italy, via Vittoria 23G, C.F. 03967501200, e-mail address - pec address: (hereinafter “Nutribook” or the “Provider”) is the sole owner of the Nutribook software as well as the author and publisher of the website , of the related mobile app "My Diet by Nutribook" and, in general, of the 'Nutribook' Platform, created in order to simplify the nutrition professional's activity and encourage direct and immediate contact with the Patient.

This information is provided by Nutribook s.r.l.s. pursuant to art. 13 of the European Regulation (EU) 2016/679 (hereinafter GDPR) in relation to the personal data which will become available to the Controller or External Processor, based on what is described below, through this website and through the Nutribook mobile app. It is aimed at visitors to the website, Users, Professionals who are Nutribook Customers who purchase or obtain for consideration the right to use the services offered through the Platform, and also at the Patients of the Professionals and/or Customers to whom the Platform is made available.


When providing us with your Personal Data, we invite you to read this Information, pointing out that "Personal Data" means, pursuant to EU Regulation 679/2016, all information relating to natural persons (so-called Interested Parties) that is collected through this website and stored on the servers of this website and the Nutribook software.


For the purposes of this information it is intended:


- for Provider: Nutribook s.r.l.s., a company that develops software, including customized software, and applications for mobile devices in the nutrition sector;


- for Software or Platform: the applications, web and mobile, developed by Nutribook and of which it is the owner and author, the distribution and use of which are subject to the terms and conditions set out in this link https://www. which must be accepted by the User when accessing the website and/or registering on the Platform and/or purchasing the Services;


- for Account: personal area dedicated to the User who registers on the Platform or who uses the service(s) offered, free of charge or for a fee, by Nutribook;


- for User: anyone who, by accessing the platform through the relevant registration procedure, proceeds to create the Account or uses the Services offered by Nutribook as a Patient, Professional and/or Customer;


- for access credentials: the username and password generated by the User at the time of registration which - together with the code sent by the Provider to the telephone number indicated by the User - allow access to the Account;


- for Professional: the Nutrition Doctor, the Nutritional Biologist, the Dietitian, the Dietitian and in any case the Nutrition Professional authorized to carry out the relevant activity;  


- for Customer: the Professional, the professional partnership or the professional association that accesses the Platform and uses the services upon payment of the relevant fee;


- for Patient: the Professional's client;


- for Data Controller: “the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of the processing of personal data”;


- for Data Processor: "the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller".




The Data Controller of the data collected by the site and that communicated through the Platform by the User, with the exception of that relating to Patients, is Nutribook s.r.l.s..

Nutribook is not the Data Controller of the personal data relating to Patients and this both with reference to those communicated to Nutribook by Customers and/or Professionals and to those that are spontaneously communicated by the patient and/or entered into the Platform through the use of the same, including the mobile app.

For this data, the Data Controller is the Professional and/or the Client who - as part of their professional activity - is bound to professional secrecy. Nutribook processes Patient data only following the creation of the Account by the Professional and/or the Customer or in any case communication by the latter of the Patient data.

The Patient must therefore contact the Data Controller to find out the purposes and means of the processing, the times and place of storage of the data, the subjects to whom the data are communicated and - in general - any other information relating to the processing as well as to exercise all the rights provided for by privacy legislation, including that of access to the data themselves.




The data processed by Nutribook as Data Controller consist of the common data referred to in art. 4, par. I, n. 1 GDPR and in particular:


(A) data relating to navigation on the website and therefore, by way of example, IP addresses, domain names of Users' computers (visitors to the website) and other parameters relating to the operating system and IT environment of the User as well as the data deriving from the use of cookies, collected for the management of the website and to improve the service offering by Nutribook and for carrying out marketing activities. The collection of navigation data, with the exception of marketing activities, allows us to guarantee the normal functioning of the service and its maintenance as well as the rapid resolution of problems affecting the Platform. For further information you can consult our cookie policy, which can be reached via the following link:


(B) the data communicated by Users, with the exception of Patients, at the time of registration on the Platform and/or at the time of purchasing the license to use the Platform such as:

- personal data (name and surname);

- contact data and other identifying data: telephone number and/or e-mail address, title, tax code, place of professional activity, gender and other data that the User spontaneously communicates to Nutribook;

- payment data: information relating to the purchase made and the related payment (e.g. credit/debit card number, IBAN address);

- billing data: name, surname, tax code, address, postal code and country of residence.

In case of use of the Platform by the User in its free version, the interested party will be asked exclusively for the name, surname, e-mail address and mobile number, without prejudice to further spontaneous communication of data.

These personal data are collected directly from the interested party when entering their personal data in the appropriate fields provided in the dedicated screen in the application.


Nutribook also processes, as Data Controller, the personal data referred to in arts. 4, par. I, n. 1 and 9 GDPR, communicated spontaneously by the User through the section on the website "fill in the form below"; in this case the processing is carried out under the sole condition that the interested party's consent to the processing exists, which is considered explicitly expressed in the event of spontaneous communication of such data to the Data Controller.


Finally, Nutribook processes the personal data relating to Patients who use the mobile app made available by Customers and/or Professionals, in the exclusive capacity of External Data Processor pursuant to art. 28 GDPR. In fact, Nutribook processes the personal data of Patients only after their communication by the Professional and/or Customer, also through specific creation of Accounts, and following specific instructions provided by the Customer and/or by the Professional himself who - in the relationship with the Patient – is the Data Controller and therefore chooses the purposes and means of the processing. The creation of the Patient's account and the use of the Nutribook mobile app are optional and any agreement in this regard has effect exclusively between the Professional and/or the Customer and the Patient.

The personal data relating to Patients are those referred to in art. 4, par. I, n. 1 GDPR and referred to in art. 9 GDPR (such as, by way of example, health and nutritional data, also deduced from medical records) and in particular those collected on the occasion of the creation of the Patient's Account carried out by the Professional and/or the Client, those that the Professional and/or the Customer enters into the relevant account of the relevant Patient and those that the latter enters into his own Account, even where evident from the relevant documents and/or photographs uploaded therein.





1) The processing of the common data listed above sub. A and B) referring to the User who is not a Patient is aimed at the creation of the account and/or the correct and complete execution of the license agreement for the use of the services offered by the Platform and, in particular, in order to render the services offered by the Owner, provide technical and commercial assistance, process the related requests as well as payment. In this case the legal basis of the processing is the execution of a contract of which the interested party is a party or the execution of pre-contractual measures adopted at the request of the interested party pursuant to art. 6, par. 1, lit. b) GDPR, and the failure to communicate personal data prevents the completion of the contractual relationship itself and therefore does not allow you to proceed with the creation of the Account and/or activate the services offered by Nutribook.

2) The personal data listed above sub. A and B) relating to the User who is not a Patient may also be processed in order to fulfill the obligations established in the tax and accounting fields as well as in order to comply with the obligations incumbent on the Owner and provided for by current legislation. In this case the legal basis of the processing is the fulfillment of a legal obligation incumbent on the Data Controller, pursuant to art. 6, par. 1, lit. c), GDPR and the failure to communicate personal data prevents the completion of the contractual relationship itself.

3) Personal data relating to the User who is not a Patient could also be processed for one or more specific purposes not included among those indicated above, on the basis of the consent expressly given pursuant to art. 6, par. 1, letter a).

In this case the consent will be collected by the Data Controller separately, on the occasion of the specific purpose for which it is necessary, which will be expressly identified and communicated to you. The provision of such data is optional, and any failure to provide it will not prevent the completion of the license agreement for the use of the Services offered through the Platform and you, as an interested party, may decide to revoke the consent previously given by communicating the revocation to the Owner, without any formality, to the address indicated in this information, without prejudice to the lawfulness of the processing based on consent given before revocation.

Where personal data is communicated spontaneously through the dedicated section of the site "fill in the form below", consent is considered explicitly expressed by the interested party.

4) Personal data relating to the User who is not a Patient may be processed for the purposes of statistical analysis and improvement of the service, also through the use of analytical, technical and/or profiling cookies. In this case the legal basis is the legitimate interest pursued by the Data Controller pursuant to art. 6, par. 1, letter f) GDPR (pursuit of its social purposes, also improving the browsing experience of visitors and customers and thus meeting their expectations of information and offers) or, as regards profiling cookies, the consent expressly given by the interested party pursuant to art. 6, par. 1, letter a) GDPR.

For more information on the processing of data for these purposes, you can consult the cookie information provided by the Data Controller and available at the following:


The purposes and legal bases relating to the processing of Patients' personal data are determined exclusively by the Professional and/or the relevant Client, the only person legitimated in this sense, to whom the Patient must refer in order to receive information regarding the processing itself. 




Personal data are processed in compliance with the principles of lawfulness, correctness, minimization, necessity, relevance, transparency and confidentiality within the scope of the purposes indicated above and may be processed:

a) through paper and IT tools;

b) depending on the case, collecting, recording, structuring, conserving, adapting, extracting, consulting, using, communicating, possibly disseminating, making available, comparing, interconnecting, limiting, deleting and/or destroying the acquired data;

c) without implementing processing involving automated evaluation and/or decision-making processes or profiling activities, except for the use of profiling cookies, as indicated above and for which please refer to the aforementioned cookie policy;

d) with the adoption of specific security measures in order to protect the computer archives on which the data are allocated, prevent the loss and/or unavailability of the data, illicit or incorrect use of the same or unauthorized access.

Security measures are adopted to guarantee the integrity and confidentiality of the data, in order to prevent the risk associated with their loss, violation, illicit and/or incorrect use as well as unauthorized access.

The personal data are subject to periodic verification of their obsolescence and consequent cancellation.




The data are processed at the operational headquarters of the Data Controller, located within the European Union and in particular in Italy as well as in the places where the Platform's servers are located, located in Europe and in any other place where the parties involved in the treatment are localized.

The personal data processed for the purposes referred to in this information may also be partly transferred and stored on servers located outside the European Union.

The transfer of data outside the European Union is carried out by the Data Controller in compliance with the provisions of art. 45 et seq. GDPR, with the implementation of suitable guarantees, such as the adoption of standard contractual clauses (SCC) or treaties by virtue of the existence of an adequacy decision by the Commission relating to the recipient state of the data.

In any case, we inform you that the transfer of your data outside the European Union, in the absence of an adequacy decision, may entail possible risks for the protection of your data.

It is possible to contact the Owner for further information.





The personal data relating to Users who do not qualify as Patients, subject to processing for the purposes indicated above, are kept for the time necessary to achieve the purposes for which they were collected and therefore for the time necessary to provide the requested services, including assistance following the purchase of the license to use the Platform and, subsequently, for the time in which the Owner is subject to conservation obligations for tax purposes or for other purposes, also connected to the protection of his rights, required by law or regulation.

In the case of data processing based on specific and separate consent, the data will be processed by the Data Controller starting from the moment in which consent is obtained from the interested party and until its possible revocation. The revocation of consent does not affect the processing carried out by the Data Controller before the revocation.


Patients' personal data are stored by Nutribook, as External Data Processor for the time specifically agreed with the Customer and/or Professional. If the Patient deletes their Account independently, Nutribook will retain only the Patient data necessary to comply with the contract with the Customer and/or the Professional and therefore generally the navigation data and common data of the Patient himself.





Your personal data may be communicated to:

1. AUTHORIZED TO PROCESSING: persons authorized by the Data Controller who are appropriately educated and trained, after signing a confidentiality agreement (e.g. employees and/or external collaborators of the Data Controller).


a. subjects who offer services necessary for the use of the Platform and Services offered therein;

b. the accountant or other suppliers who provide functional services for the purposes indicated above;

c. banking institutions that provide functional services for the purposes indicated above and payment system operators.

You can contact the Data Controller to find out the exact and updated list of all the external data processing managers appointed by the Data Controller.


5. PARTIES WHO PROCESS THE DATA AS INDEPENDENT DATA CONTROLLERS: such as, by way of example, the subjects to whom the data must be mandatorily communicated for the purpose of executing the contract of which the interested party is a party.






The rights recognized by the GDPR to the interested party of the processing carried out by the Data Controller include those to:

- ask the Data Controller, who must acknowledge the request within 30 days, whether processing is underway and obtain access to the personal data and information relating to them;

- request the rectification of inaccurate data or the integration of incomplete data; the deletion of personal data concerning you (upon the occurrence of one of the conditions indicated in art. 17, paragraph of the GDPR and in compliance with the exceptions provided in paragraph 3 of the same article); the limitation of the processing of your personal data (in the event of one of the hypotheses indicated in art. 18, paragraph 1 of the GDPR);

- request and obtain from the Data Controller - in the cases in which the legal basis of the processing is the contract or consent, and the same is carried out by automated means - your personal data in a structured and machine-readable format, also for the purpose of communicating such data to another data controller (so-called right to portability of personal data);

- object at any time to the processing of your personal data in the event of particular situations concerning you;

- revoke consent at any time, limited to cases in which the processing is based on your consent for one or more specific purposes. Processing based on consent and carried out prior to its revocation, however, retains its lawfulness;

- lodge a complaint with a Supervisory Authority (Authority for the protection of personal data) if you believe that the processing of your personal data is contrary to the legislation in force. Alternatively, you can lodge a complaint with the Guarantor Authority of the EU State in which you reside or usually work or in the place where the alleged violation occurred.

The exercise of the rights listed above must be carried out in writing, by sending a request to the Data Controller to the data indicated in this information. The Data Controller will respond to the request within 30 (thirty) days of actual receipt of the communication. In the event that a longer period of time is necessary due to the particular complexity of the case, the deadline of 30 (thirty) days may be extended by a further 60 (sixty) days with a reasoned written communication within 30 (thirty) days of receipt of the request. In the event of manifestly unfounded, excessive and/or repeated requests, a contribution may also be requested, without prejudice to administrative costs.


The exercise of the Patient's rights must be carried out by the Patient himself towards the Data Controller alone and therefore the Client and/or Professional.

Nutribook, in its capacity as External Data Processor, is in fact not responsible for the data processing carried out by the Customer and/or the Professional.

Nutribook is in any case required to collaborate with the Data Controller in order to provide feedback to the interested party's requests and protect the latter's data. The Patient can contact Nutribook to request information and/or help and to report any problems and/or situations deemed non-compliant with this information, with the protection of personal data and/or harmful to the GDPR.


Document updated as of August 31, 2023








