Privacy Policy

NutraCheckout, Inc. ("NutraCheckout," "we," "us," or "our") is a corporation organized under the laws of the State of Delaware, United States of America, with its principal place of business at 548 Market Street, Suite 35435, San Francisco, CA 94104, USA.

This Privacy Policy applies to: (a) visitors of our website at nutracheckout.com; (b) users of the NutraCheckout platform ("merchants"); and (c) end customers of our merchants when they interact with checkout pages powered by NutraCheckout.

NutraCheckout, Inc. is the data controller for the personal data described in this policy. We are committed to protecting your personal data and ensuring compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Lei Geral de Proteção de Dados (LGPD), and all other applicable data protection laws.

a) Information You Provide Directly

• Account registration data: your name, email address, phone number, company name, and business address
• Payment information: billing details processed through Stripe, Inc. — NutraCheckout does NOT store your credit card numbers or sensitive payment credentials
• Profile information: company logo, business description, industry category, and website URL
• Communications: support emails, feedback, survey responses, and any other correspondence you send to us

b) Information Collected Automatically

• Device information: IP address, browser type and version, operating system, device identifiers, and screen resolution
• Usage data: pages visited, features used, clicks, session duration, and navigation paths
• Log data: access times, error logs, referral URLs, and server-side request information
• Cookies and similar technologies: as described in our Cookie Policy

c) Information from Third Parties

• Payment processors (Stripe): transaction status, payment confirmations, and settlement data
• Analytics providers (Google Analytics): aggregated and anonymized usage data
• Identity verification services: business verification data for compliance purposes

d) End Customer Data (Processed on Behalf of Merchants)

• Payment card data: tokenized by Stripe and never stored on NutraCheckout servers
• Billing name, email address, and billing or shipping address
• Transaction details: amount, date, status, currency, and items purchased
• Device fingerprint data for fraud detection and prevention

We use the information we collect for the following purposes:

• To provide, maintain, and improve the NutraCheckout platform and services
• To process transactions and send related confirmations, receipts, and notifications
• To create and manage your account
• To communicate with you about service updates, maintenance windows, and security alerts
• To analyze usage patterns and improve the user experience
• To detect, prevent, and address fraud, security threats, and technical issues
• To comply with our legal obligations, including anti-money laundering and tax reporting requirements
• To provide customer support
• To send marketing communications (with opt-out available) — only to merchants, never to end customers
• To generate aggregate analytics and reporting using anonymized data

For individuals located in the European Economic Area (EEA) and the United Kingdom, we process personal data on the following legal bases:

• Performance of a contract: processing necessary to provide the services you have requested
• Consent: processing based on your explicit consent, such as for marketing communications and optional cookies
• Legitimate interests: processing necessary for our legitimate interests, including security, fraud prevention, and service improvement, where such interests are not overridden by your rights
• Legal obligation: processing required to comply with applicable laws, including anti-money laundering regulations and tax reporting obligations

We may share your personal information with the following categories of recipients:

• Payment processors (Stripe, PayPal) \u2014 to process transactions on your behalf
• Cloud infrastructure providers (AWS, GCP) \u2014 to host and deliver our services
• Analytics providers \u2014 using aggregated and anonymized data only
• Legal authorities \u2014 when required by law, regulation, or valid legal process
• Business transfers \u2014 in connection with a merger, acquisition, reorganization, or sale of assets

We do NOT sell personal data. We do NOT share end customer data with third parties for their marketing purposes.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:

• Account data: retained while your account is active, plus 30 days following cancellation
• Transaction records: retained for 7 years to satisfy fiscal and regulatory obligations
• Log data: retained for 12 months
• Marketing data: retained until you opt out of communications
• End customer data: retained in accordance with the merchant's instructions, subject to minimum legal retention periods

We implement industry-leading technical and organizational measures to protect your personal data:

• AES-256 encryption for all data at rest
• TLS 1.3 encryption for all data in transit
• PCI DSS Level 1 compliance — the highest level of payment security certification
• SOC 2 Type II certified — controls tested over a minimum 6-month period
• Regular penetration testing and security audits conducted by independent third parties
• Role-based access controls with the principle of least privilege
• Multi-factor authentication (MFA) required for all employee and administrative access
• Documented incident response procedures with regular testing

For more information about our security practices, please visit our Security page.

a) Rights Available to All Users

• Access: request a copy of the personal data we hold about you
• Correction: request that we correct any inaccurate or incomplete data
• Deletion: request that we delete your personal data, subject to legal retention obligations
• Portability: request a machine-readable copy of your data
• Withdrawal of consent: withdraw previously provided consent at any time

b) GDPR-Specific Rights (EEA/UK Residents)

• Right to object to processing based on legitimate interests
• Right to restrict processing in certain circumstances
• Right to lodge a complaint with a supervisory authority (Irish DPC for EEA; UK ICO for the United Kingdom)
• Contact our Data Protection Officer: dpo@nutracheckout.com

c) CCPA/CPRA-Specific Rights (California Residents)

• Right to know what personal information is collected, used, and disclosed
• Right to delete personal information held by us and our service providers
• Right to opt out of the sale or sharing of personal information
• Right to non-discrimination for exercising your privacy rights

NutraCheckout does NOT sell personal information as defined under the CCPA. To exercise your rights, please contact us at privacy@nutracheckout.com. Identity verification is required. An authorized agent may exercise rights on your behalf with a valid power of attorney.

d) LGPD-Specific Rights (Brazil Residents)

Residents of Brazil may exercise their rights under the Lei Geral de Proteção de Dados (LGPD). NutraCheckout, Inc. acts as the data controller. To exercise your rights, contact us at privacy@nutracheckout.com.

Your personal data may be transferred to and processed in the United States of America. NutraCheckout ensures that international data transfers are conducted in compliance with applicable law:

• EEA/UK transfers: we rely on Standard Contractual Clauses (SCCs) approved by the European Commission
• We participate in the EU-US Data Privacy Framework
• We implement appropriate technical and organizational safeguards for all international transfers

We use cookies and similar tracking technologies to operate and improve our platform. Our use of cookies is categorized as: strictly necessary, analytics, functional, and marketing. You can manage your cookie preferences through our consent banner at any time.

For full details, please see our Cookie Policy.

Our platform may contain links to third-party websites and services. NutraCheckout is not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party service you interact with.

• Stripe Privacy Policy: stripe.com/privacy
• Payment processing through Stripe is subject to Stripe’s own privacy policy and terms of service

The NutraCheckout platform is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from a minor, we will take prompt steps to delete such data from our records.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you via email and/or through a prominent banner on our website and dashboard. Your continued use of the platform after the effective date of any updated policy constitutes your acceptance of the changes.

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

NutraCheckout utilizes Stripe, Inc. as its primary payment processing infrastructure. In connection with this integration, the following disclosures apply:

• Stripe may collect behavioral data for fraud detection purposes (Stripe Radar), including device information, typing patterns, and browsing behavior on checkout pages
• All payment card data is tokenized by Stripe and is NEVER stored on NutraCheckout servers
• For complete information about Stripe's data practices, please visit: stripe.com/privacy
• Stripe acts as a sub-processor under our Data Processing Agreement