Moj NutriPlan

Privacy Policy

Last updated: 19 May 2026

1. Who we are

This Privacy Policy describes how Moj NutriPlan (the "Service"), operated by Nenad Jokić, based in the Republic of Serbia, collects, uses, and protects personal data. The Operator is the data controller for personal data collected through the Service. For privacy-related questions, contact [email protected].

2. Scope

This policy applies to nutritionists, administrators, and clients who use the Service, and to visitors to our marketing pages. It does not cover third-party websites we link to.

3. Data we collect

We collect only the data necessary to operate the Service.

  • Account data: email address, name, role (admin / nutritionist / client), hashed password, optional two-factor authentication secret, optional avatar.
  • Profile data: data that nutritionists or clients voluntarily add (date of birth, height, weight, dietary notes, phone number).
  • Service content: meal plans, recipes, shopping lists, appointment records, chat messages, meal photographs, and weight entries that you create in the Service.
  • Subscription data: the tier you are on, your trial / paid status, a Lemon Squeezy customer reference. We do not store full payment-card details; all card data is handled directly by Lemon Squeezy.
  • Technical data: IP address, browser user-agent, cookies (see section 9), CSRF tokens, audit-log entries for destructive actions, and basic request logs for security and debugging.
  • Push subscription data: if you enable browser notifications, we store the push subscription endpoint and keys necessary to deliver notifications.

4. How we use your data

  • To provide and operate the Service (rendering plans, sending chat messages, generating shopping lists, etc.).
  • To process subscriptions, billing, and tax through Lemon Squeezy.
  • To send transactional emails (welcome, trial expiry warnings, password reset, chat alerts, payment receipts).
  • To prevent abuse, detect fraud, enforce rate limits, and protect the Service.
  • To respond to support requests.
  • To improve the Service through aggregated, non-identifying usage information.

5. Legal basis (GDPR)

  • Contract: processing necessary to provide the Service you subscribed to.
  • Consent: optional features such as push notifications or calendar subscriptions.
  • Legitimate interests: security, fraud prevention, basic analytics, audit logging.
  • Legal obligation: retention of billing records as required by tax law.

6. Sharing with third parties

We do not sell personal data. We share data only with sub-processors that help us operate the Service:

  • Lemon Squeezy (Ireland) - payment processing and Merchant of Record. Receives billing and customer data.
  • Brevo (France) - transactional email delivery. Receives recipient email address and message content.
  • Cloudflare (USA / EU edge) - content delivery, tunnel, and DDoS protection. Receives IP address and request metadata.
  • Sentry (USA / EU region, optional) - error monitoring. Receives error stack traces and limited request context, scrubbed of sensitive fields.
  • Hosting infrastructure - the application and database run on infrastructure operated by us in Serbia.

We may also disclose data when required by law, court order, or to protect our rights, users, or the public.

7. International transfers

The application and database are hosted on infrastructure operated by us in Serbia (see section 6), and most of our sub-processors process data within the EU/EEA. Some sub-processors may process data in the United States; in such cases we rely on Standard Contractual Clauses or equivalent safeguards.

8. Retention

  • Active accounts: data is retained for the duration of your subscription.
  • Cancelled or expired accounts: data is retained for 30 days, then permanently deleted by an automated purge job.
  • Billing and tax records: retained for the period required by Serbian tax law (currently up to 10 years).
  • Security and audit logs: retained for up to 12 months.
  • Backups: rotated regularly; data deleted from production may persist in backups for up to 30 days.

9. Cookies

We use only strictly necessary cookies: a session cookie (mojnutriplan-session) for authentication, a CSRF protection cookie, and a theme preference cookie. We do not currently use third-party analytics or advertising cookies.

10. Your rights (GDPR)

You have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate data;
  • request erasure of your account and associated data;
  • request a portable export of your data;
  • restrict or object to certain processing;
  • withdraw consent for optional processing at any time;
  • lodge a complaint with the Serbian Commissioner for Information of Public Importance and Personal Data Protection, or with the supervisory authority in your EU country of residence.

You can self-serve the most common requests directly from the Service: export your data from your profile page (/profil), change your password, and request account deletion. For anything else, email [email protected] and we will respond within 30 days.

11. Controller / processor relationships

Where a nutritionist enters data about their clients into the Service, the nutritionist is the data controller for that client's data and we act as the data processor. Nutritionists are responsible for obtaining the necessary consents from their clients and for maintaining their own privacy notices.

12. Security

We protect your data using industry-standard measures, including: passwords hashed with bcrypt, session tokens (JWT) stored in the HttpOnly session cookie described in section 9, CSRF protection, TLS encryption in transit, an audit log of destructive actions, rate limiting on sensitive endpoints, and optional two-factor authentication (TOTP). No method of transmission or storage is 100% secure, but we work to keep risks low.

13. Children

The Service is intended for nutrition professionals and their adult clients. We do not knowingly collect data from children under 16. If you believe a child has provided us data, please contact [email protected] and we will delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email at least 14 days before they take effect. The "Last updated" date at the top of this page shows when the policy was most recently revised.

15. Contact

Operator: Nenad Jokić, Republic of Serbia.
Privacy contact: [email protected]
General support: [email protected]