Privacy Policy
Last updated: April 13, 2026 · Effective immediately
1. Who We Are
MyNutriCart is operated by MyNutriCart LLC, a North Carolina limited liability company ("we," "our," or "the Company"). The Service is a physician-designed nutrition planning tool available at mynutricart.com. MyNutriCart LLC is not a healthcare provider, hospital, or covered entity under HIPAA. Information you provide is used solely to generate personalized meal plans and grocery lists.
2. Information We Collect
We collect information you provide directly:
- Account information: email address, name, password (hashed — never stored in plain text)
- Health profile: age, height, weight, medical conditions, medications, food allergies, activity level, grocery preferences
- Lab values (optional): A1C, lipid panel, blood pressure, eGFR, liver enzymes — for personal trend tracking only
- Weight entries (optional): self-reported weight over time for personal trend tracking
- Deviation logs (Pro tier): off-plan meals you choose to log for analysis
- Device and session data: IP address, browser user agent, session identifiers — for security and one-account-per-device enforcement
We do not collect payment card data. Payment processing is handled by Stripe and governed by Stripe's privacy policy. For cookie and tracking details, see our Cookie Policy.
If you verify military status via ID.me, we receive only a verification token confirming military affiliation. We do not receive or store your ID.me identity file, military branch, or service dates. This token is used solely to apply your discount.
3. How We Use Your Information
- To generate your personalized weekly meal plans and grocery lists
- To maintain your account and authenticate you securely
- To enforce our one-account-per-device policy and detect automated abuse
- To send transactional emails (account creation, billing receipts, plan summaries) — no marketing email without your explicit opt-in
- To improve the service through aggregated, anonymized usage analytics
- Research (with consent only): Anonymized, de-identified aggregate data may be used for nutritional research or quality improvement. This is disclosed at signup and requires your affirmative consent. No individual data is ever shared.
4. We Do Not Sell Your Data
We do not sell, rent, trade, or otherwise transfer your personal information or health data to any third party for commercial purposes. Period.
5. Third-Party Services
We use a limited number of third-party services to operate the platform:
- xAI (Grok): AI model provider used to generate meal plans and analyze deviations. Inputs are sent to xAI's API. xAI's data use policy applies.
- Stripe: Payment processing. We do not store card data. Stripe's privacy policy governs payment data.
- Turso / libSQL: Database hosting for your account and health profile data. Data is stored on infrastructure in the United States.
- Vercel: Application hosting. Server logs may include IP addresses for operational purposes.
- Instacart (Maplebear Inc.): Grocery cart integration. When you choose to shop via Instacart, your grocery list is sent to Instacart's API. Instacart's privacy policy governs that data. We participate in the Instacart affiliate program (Impact.com); affiliate tracking parameters (UTM) are appended to Instacart links.
- Resend.com: Transactional email delivery (account confirmation, billing receipts). Your email address is transmitted to Resend to deliver system emails. Resend's privacy policy governs that data.
We do not share your data with advertising networks, data brokers, or analytics platforms.
6. Data Retention
Your account data is retained for as long as your account is active. You may request deletion of your account and associated data at any time by contacting us. Upon deletion, personal data is removed within 30 days. Aggregated, anonymized analytics data may be retained indefinitely.
7. Security
Passwords are hashed using bcrypt and never stored in recoverable form. Data in transit is protected by TLS. Access to production databases is restricted to authorized personnel. Device and IP logging is used to detect unauthorized access attempts.
No security system is perfect. We cannot guarantee absolute security, and we encourage you not to share your password.
8. Data Breach Notification
In the event of a data breach that compromises your personal information, we will notify you and applicable regulatory authorities as required by North Carolina law (N.C. Gen. Stat. § 75-65) and any other applicable state or federal law. Notification will be made in the most expedient time possible and without unreasonable delay. We will describe the nature of the breach, the categories of information affected, and the steps we are taking to address it.
9. Your Rights
- Access: You can view all profile data in your dashboard at any time
- Correction: You can update any profile field at any time
- Deletion: You can request full account deletion — email us at the address below
- Data portability: You may request a copy of your data in a machine-readable format
- Opt-out of research use: You may withdraw research consent at any time in your profile settings
California Residents (CCPA): If you are a California resident, you have the right under the California Consumer Privacy Act (CCPA) to: (i) request information about our collection, use, and disclosure of your personal information over the past 12 months; (ii) request deletion of your personal information; (iii) opt out of the sale of your personal information (we do not sell your data); and (iv) non-discrimination for exercising these rights. Submit requests to support@mynutricart.com with "CCPA Request" in the subject line. We may require verification of your identity.
EEA and UK Residents (GDPR/UK GDPR): If you are located in the European Economic Area or the United Kingdom, you have rights under applicable data protection law, including the right to access, rectify, and erase your personal data; to restrict or object to its processing; and to data portability. Our lawful bases for processing are consent (for research use) and performance of a contract (for providing the Service). You may withdraw consent at any time. To exercise your rights, contact us at support@mynutricart.com with "GDPR Request" in the subject line. You also have the right to lodge a complaint with your local data protection supervisory authority.
10. Children
MyNutriCart is not directed to individuals under 18. We do not knowingly collect information from minors. If we become aware that a minor has created an account, we will delete it.
11. Changes to This Policy
We may update this policy periodically. Material changes will be communicated via email or in-app notice at least 14 days before taking effect. Continued use after the effective date constitutes acceptance.
12. Contact
Questions about this policy or requests regarding your data: support@mynutricart.com