NutraPlanner

Data Processing Agreement

Effective: May 27, 2026

Preamble

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service between NutraPlanner (the "Processor") and any account holder who uses NutraPlanner to manage health, dietary, or other personal information about identifiable third parties (the "Controller"). For practitioner accounts in jurisdictions whose health-information legislation uses different terminology, "Processor" includes the roles of "information manager" (Alberta HIA s. 66), "service provider" (Quebec Act respecting health and social services information), and "agent" (Ontario PHIPA s. 2). "Controller" includes the roles of "custodian" (HIA), "health information custodian" (PHIPA), and "person carrying on an enterprise" (Quebec Law 25).

By using NutraPlanner to enter, store, modify, or otherwise process information about identifiable individuals other than yourself, you (the Controller) and NutraPlanner agree to the terms below.

Where this DPA conflicts with the general Terms of Service, this DPA prevails with respect to processing of Controller-provided personal information.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given in the Terms of Service or in applicable privacy legislation.

  • "Personal Information" means information about an identifiable individual that the Controller submits to or generates within the service, including but not limited to client names, contact details, medical history, dietary preferences, allergens, nutritional deficiencies, body measurements, goals, clinical notes, appointments, and any data entered as free-text notes.
  • "Processing" means any operation performed on Personal Information, including collection, recording, storage, retrieval, modification, transmission, deletion, and destruction.
  • "Subprocessor" means any third party engaged by NutraPlanner to process Personal Information on its behalf in the course of providing the service.
  • "Breach" means a breach of security safeguards, including any loss of, unauthorised access to, or unauthorised disclosure of Personal Information, that creates a real risk of significant harm to an affected individual under PIPEDA, or that meets the equivalent threshold under applicable provincial legislation.
  • "Applicable Privacy Law" means PIPEDA, Quebec Law 25, and any provincial privacy or health-information legislation that applies to the Controller's processing of Personal Information through the service (including but not limited to Alberta's PIPA and HIA, Ontario's PHIPA, and British Columbia's PIPA).

2. Scope and Roles

The Controller determines the purposes and means of processing Personal Information entered into the service. NutraPlanner processes that Personal Information solely on behalf of and in accordance with the Controller's documented instructions, which consist of: (a) the Terms of Service and this DPA; (b) the configuration options chosen by the Controller within the service (e.g. permission scopes, calendar sync, billing settings); and (c) any further written instructions the Controller provides via sam@nutraplanner.com.

NutraPlanner shall not process Personal Information for any purpose other than providing, securing, maintaining, and improving the service for the Controller, except where required to do so by law. Where law requires processing beyond the Controller's instructions, NutraPlanner shall notify the Controller of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.

Nothing in this DPA relieves the Controller of obligations the Controller owes directly to data subjects (clients) under Applicable Privacy Law, including obtaining consent, providing required notices, responding to access and correction requests, and reporting breaches to regulators where the Controller is the custodian or controller of record.

3. Personnel and Confidentiality

NutraPlanner shall ensure that any of its personnel authorised to process Personal Information are bound by a written confidentiality obligation and have received appropriate training on data protection.

Access by NutraPlanner personnel to Personal Information is limited to what is strictly necessary to operate, secure, support, and improve the service. Routine engineering and operational work is performed without access to production Personal Information; where such access is required (for example, to investigate an incident or a support request), it is obtained only through audited break-glass procedures. Bulk export of Personal Information for analytics, research, or commercial purposes is prohibited.

4. Security Safeguards

NutraPlanner implements and maintains administrative, technical, and physical safeguards designed to protect Personal Information against unauthorised or unlawful processing, accidental loss, destruction, or damage. Current safeguards include (summarised in Annex C):

  • Encryption in transit (TLS 1.2+) for all client-server and inter-service communication.
  • Encryption at rest for database storage and object storage (Cloudflare R2).
  • Application-level encryption of designated sensitive fields (PHI) using authenticated symmetric encryption with rotated keys.
  • Password hashing with bcrypt; no plaintext credentials are stored.
  • Multi-tenant isolation via row-level scoping and role-based access control; audit logs on all data-modifying API calls.
  • Separation of production user-account data from client health/nutrition data into two isolated database instances.
  • Principle of least privilege for personnel access; multi-factor authentication required for all administrative access to production systems.
  • Continuous security monitoring with Sentry (error telemetry, scrubbed of sensitive fields) and centralised audit logging.
  • Encrypted backups with a 30-day rolling retention window for disaster recovery.
  • Vulnerability monitoring and timely patching of dependencies; secrets stored in a dedicated secrets manager, never in source code.

NutraPlanner reviews its safeguards at least annually and updates them as warranted by changes in technology, threat landscape, or the sensitivity of the Personal Information processed.

5. Subprocessors

The Controller provides general authorisation for NutraPlanner to engage Subprocessors to process Personal Information, subject to the conditions in this section. The current list of Subprocessors is set out in Annex D and in section 5 of the Privacy Policy. NutraPlanner shall keep both lists current.

Before engaging any new Subprocessor that will process Personal Information, NutraPlanner shall: (a) conduct reasonable due diligence on the Subprocessor's data-protection practices; (b) impose contractual obligations on the Subprocessor that are no less protective than those in this DPA; and (c) update the Subprocessor list in the Privacy Policy and in Annex D below.

NutraPlanner shall provide at least 30 days' advance notice of any change to the Subprocessor list that materially affects the processing of Personal Information, by updating the Privacy Policy and notifying account holders by email. If the Controller has a reasonable basis to object to a new Subprocessor on data-protection grounds, the Controller may notify NutraPlanner in writing within 14 days of the notice; the parties shall attempt in good faith to resolve the objection; if not resolved, the Controller's exclusive remedy is to terminate the service in accordance with the Terms of Service and request export and deletion of Personal Information.

NutraPlanner remains responsible to the Controller for the acts and omissions of its Subprocessors with respect to Personal Information.

6. Data Subject Rights

The Controller is primarily responsible for responding to requests from data subjects (clients) to exercise rights under Applicable Privacy Law, including rights of access, rectification, erasure, restriction, portability, and withdrawal of consent.

NutraPlanner shall provide reasonable assistance to the Controller in responding to such requests, including by making available in-application tools to view, edit, export, and delete Personal Information about a given client. Where the in-application tools are insufficient, the Controller may request additional assistance from sam@nutraplanner.com; NutraPlanner shall respond within 10 business days and shall not charge for assistance that is reasonable in scope.

If NutraPlanner receives a request from a data subject directly, NutraPlanner shall not respond to the substance of the request and shall, without undue delay, forward the request to the Controller (where the requester is identifiable as a client of the Controller) or instruct the requester to contact the Controller.

7. Breach Notification

NutraPlanner shall notify the Controller of any Breach affecting the Controller's Personal Information without undue delay, and in any event within 72 hours of becoming aware of the Breach. Notice shall be provided by email to the address on file for the account holder.

The notice shall include, to the extent then known: (a) the nature of the Breach; (b) the categories and approximate number of data subjects and records concerned; (c) the likely consequences of the Breach; (d) the measures taken or proposed to mitigate the Breach; and (e) the name and contact details of NutraPlanner's Privacy Officer for further information.

Where the initial notice does not contain all required information, NutraPlanner shall provide updates as new information becomes available.

NutraPlanner shall co-operate with the Controller to take reasonable steps to mitigate the effects of the Breach and to allow the Controller to fulfil its own notification obligations to regulators and affected data subjects under Applicable Privacy Law. NutraPlanner shall maintain a record of every Breach involving Personal Information for at least 24 months.

8. International Transfers

NutraPlanner is established and primarily operates in Canada. As disclosed in section 5 of the Privacy Policy and Annex D below, certain Subprocessors are located outside Canada, which may result in cross-border transfers of Personal Information. The Controller acknowledges and consents to such transfers as a necessary part of the service.

For Personal Information of Quebec residents, NutraPlanner shall ensure that any cross-border transfer to a Subprocessor is preceded by an assessment of the legal framework applicable in the destination jurisdiction, in accordance with Quebec Law 25, s. 17. NutraPlanner makes a summary of this assessment available on written request to sam@nutraplanner.com.

Where Personal Information is transferred to a Subprocessor in a jurisdiction without an equivalent level of protection, NutraPlanner imposes contractual safeguards (including data-processing terms, security commitments, and breach-notification obligations) on the Subprocessor that are no less protective than those in this DPA.

9. Audit and Information Rights

On reasonable written request (no more than once per twelve-month period, except following a Breach), NutraPlanner shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, including: a current Subprocessor list (Annex D); the current security-measures summary (Annex C); and, where applicable, summaries of third-party audit reports or attestations NutraPlanner holds.

Where the Controller is a custodian under Alberta HIA or Ontario PHIPA and the information NutraPlanner provides under the preceding paragraph of this section 9 is insufficient to meet the Controller's audit obligations to its provincial commissioner, the Controller may request additional audit cooperation in writing. NutraPlanner shall negotiate in good faith the scope, format, timing, and cost-recovery terms of such cooperation.

Information obtained by the Controller under this section 9 is confidential and may be shared only with the Controller's regulator, professional college, or legal advisor, in each case on a need-to-know basis.

10. Return and Deletion at Termination

On termination of the Controller's account or on written request from the Controller, NutraPlanner shall: (a) make Personal Information available for export by the Controller using in-application export tools or, where requested, by way of a portable structured-data file (CSV or JSON); and (b) delete Personal Information from production systems within 30 days of the export request or account closure, whichever is later.

Personal Information in encrypted backups is not selectively deleted; it expires from the 30-day rolling backup window in the ordinary course, so deleted Personal Information may persist in backups for up to 30 days after deletion from production systems. NutraPlanner shall not perform additional processing on backup-resident Personal Information except as needed for disaster recovery.

NutraPlanner may retain anonymised, aggregated, or de-identified data derived from Personal Information for service-improvement purposes, provided that such data cannot reasonably be re-identified.

Billing records and other records required to be retained by law (Income Tax Act, etc.) are retained for the periods set out in section 7 of the Privacy Policy, even after deletion of other Personal Information.

11. Term and Effect

This DPA takes effect when the Controller first uses the service to process Personal Information about an identifiable third party, and continues for as long as NutraPlanner processes any Personal Information on behalf of the Controller.

Sections 3 (confidentiality), 7 (breach notification — for breaches involving Personal Information retained in backups), 10 (return and deletion), and 13 (liability) survive termination of this DPA to the extent necessary to give effect to their terms.

12. Changes to This DPA

NutraPlanner may update this DPA from time to time. Material changes (including changes that reduce the Controller's protections or expand the scope of processing) shall be notified to account holders by email at least 30 days before they take effect. Non-material changes (clarifications, formatting, corrections) may be made by posting an updated version and updating the effective date.

13. Liability

Each party's liability arising out of or related to this DPA is subject to, and forms part of, the limitations of liability set out in the Terms of Service. Nothing in this DPA excludes or limits liability that cannot be excluded or limited under Applicable Privacy Law (for example, statutory liability for non-compliance with PIPEDA or Quebec Law 25).

14. Governing Law

This DPA is governed by the laws of Alberta and the federal laws of Canada applicable therein, consistent with section 13 of the Terms of Service. Where Applicable Privacy Law of another Canadian province imposes higher protections on Personal Information of residents of that province, those protections prevail to the extent of any inconsistency.

15. Contact

Privacy Officer — sam@nutraplanner.com. The Privacy Officer is the designated point of contact for all matters arising under this DPA, including breach notifications, audit requests, and Subprocessor objections.

Annex A — Subject Matter, Duration, and Nature of Processing

  • Subject matter: Provision of the NutraPlanner nutrition-planning service to the Controller, including secure storage, retrieval, and processing of Personal Information entered by the Controller in the course of providing nutritional, dietary, and related professional services to clients.
  • Duration: For the term of the Controller's account, until terminated in accordance with the Terms of Service, plus the deletion and retention periods set out in section 10 of this DPA and section 7 of the Privacy Policy.
  • Nature and purpose: Storage, retrieval, modification, deletion, indexing, filtering, scheduling, synchronisation with calendar services (when enabled by the Controller), billing-related processing (through Stripe), transactional email (through Resend), object storage of uploaded content (through Cloudflare R2), error and reliability telemetry (through Sentry), and recipe-image generation (through OpenAI, where enabled).

Annex B — Categories of Data Subjects and Personal Information

  • Categories of data subjects: Clients (including minors) of the Controller who receive nutritional, dietary, or related professional services from the Controller; and where applicable the Controller's own staff or representatives invited into a team workspace.
  • Categories of Personal Information: Identifying information (name, date of birth, contact details); health information (medical history, allergens, dietary restrictions, nutritional deficiencies, body measurements, goals); appointment and scheduling information; clinical notes (free-text, may contain additional categories at the Controller's discretion); user-uploaded files (recipe images, optionally other documents). NutraPlanner does not collect special categories of data (e.g. biometric, genetic, sexual-orientation data) beyond what the Controller elects to enter into free-text fields.

Annex C — Security Measures Summary

This annex summarises NutraPlanner's current security measures. Specific implementation details may evolve; the summary is updated in step with material changes.

  • Encryption: TLS 1.2+ in transit. AES-256-GCM at rest for database storage; equivalent encryption at rest for object storage. Application-level authenticated encryption for designated PHI fields, with key rotation.
  • Access controls: Role-based access control; row-level multi-tenant isolation; least-privilege defaults; multi-factor authentication required for production-system administrative access; audit logging on all data-modifying API calls.
  • Database separation: User-account data and client health/nutrition data are stored in separate database instances with no cross-database foreign keys.
  • Credential storage: Passwords hashed with bcrypt; no plaintext credentials stored anywhere; secrets managed in a dedicated secrets store, never committed to source code.
  • Backups: Encrypted backups retained on a 30-day rolling window for disaster recovery; backup restore procedure tested at least annually.
  • Monitoring: Continuous error and reliability telemetry via Sentry (configured to scrub form fields and sensitive headers); centralised audit logging; security-event alerting.
  • Secure development: Mandatory code review on all production changes; automated dependency-vulnerability scanning; timely patching of identified vulnerabilities; principle-of-least-privilege deployment access.

Annex D — Subprocessors

As of the effective date above, NutraPlanner uses the following Subprocessors to process Personal Information. The current list is also reflected in section 5 of the Privacy Policy.

  • Google LLC (United States) — Google OAuth: authentication of account holders who sign in with Google. Receives only the sign-in request for the account holder's Google identity; no client Personal Information is sent for authentication.
  • Google LLC (United States) — Google Calendar: calendar synchronisation when explicitly enabled by the Controller. Receives appointment titles and times. The OAuth tokens Google issues for this integration are stored by NutraPlanner, not sent to Google as data.
  • Stripe, Inc. (United States) — payment processing: subscription billing. Receives billing contact details and payment-card data entered directly into Stripe's hosted form.
  • Resend, Inc. (United States) — transactional email: verification, password-reset, and billing-receipt emails. Receives recipient email and email body.
  • Cloudflare, Inc. (global; Canadian region preferred) — object storage: stores user-uploaded files (recipe images). Receives the file contents and access-control metadata.
  • OpenAI OpCo, LLC (United States) — recipe-image generation: where enabled. Receives recipe title and ingredient list only. Contractually prohibited from training on API data.
  • Functional Software, Inc. d/b/a Sentry (United States or EU) — error monitoring: application error and reliability telemetry. Receives stack traces, browser type, page URL, anonymous error-grouping identifiers, and interaction breadcrumbs (scrubbed of form fields and headers).