GDPR Compliance

GDPR Compliance – HealthyAmericanBites.com

Last Updated: May 23, 2025

Introduction

This GDPR Compliance Policy explains how HealthyAmericanBites.com (“we,” “our,” or “us”) complies with the European Union’s General Data Protection Regulation (GDPR) when processing the personal data of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland.

This policy supplements our Privacy Policy and applies specifically to individuals located in these regions. We are committed to protecting your personal data and ensuring your rights under the GDPR.

Data Controller

For the purposes of the GDPR, HealthyAmericanBites.com is the data controller of your personal data, meaning we determine the purposes and means of processing your personal data. Our contact details are:

Email: [email protected]

Postal Address:
HealthyAmericanBites.com
123 Nutrition Avenue
Suite 456
Boston, MA 02108
United States

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions regarding this GDPR Compliance Policy. If you have any questions about this policy or our data protection practices, please contact our DPO at:

Email: [email protected]

Legal Basis for Processing

Under the GDPR, we must have a legal basis for processing your personal data. We rely on the following legal bases:

Consent

We process certain personal data based on your explicit consent, such as when you:

  • Create an account
  • Complete the NutriMatch questionnaire
  • Subscribe to our newsletter
  • Agree to cookies that are not strictly necessary for the functioning of our website

You have the right to withdraw your consent at any time by contacting us or, in the case of marketing communications, by clicking the “unsubscribe” link in our emails.

Contractual Necessity

We process personal data when necessary to fulfill our contractual obligations to you, such as providing you with personalized recipe recommendations through NutriMatch.

Legitimate Interests

We process personal data based on our legitimate interests, provided these interests are not overridden by your rights and freedoms. Our legitimate interests include:

  • Improving and personalizing our services
  • Ensuring the security of our website
  • Analyzing how users interact with our services to enhance user experience
  • Marketing our services to existing users

Legal Obligation

We process personal data when necessary to comply with a legal obligation, such as tax laws or in response to a valid legal request.

Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

Right to Access

You have the right to request copies of your personal data. We may charge a reasonable fee when a request is manifestly unfounded, excessive, or repetitive.

Right to Rectification

You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.

Right to Erasure (Right to be Forgotten)

You have the right to request that we erase your personal data, under certain conditions, such as when the data is no longer necessary for the purposes for which it was collected.

Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data, under certain conditions, such as when you contest the accuracy of the data.

Right to Data Portability

You have the right to request that we transfer the data we have collected to another organization, or directly to you, under certain conditions.

Right to Object

You have the right to object to our processing of your personal data, under certain conditions, such as when the processing is based on legitimate interests.

Rights Related to Automated Decision Making and Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected] or through our postal address. We will respond to your request within one month. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

If we decline to take action on your request, we will inform you of the reasons for not taking action and of your right to lodge a complaint with a supervisory authority.

Data Protection Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data where appropriate
  • Regular testing and evaluation of the effectiveness of security measures
  • Procedures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Procedures to restore access to personal data in a timely manner in the event of a physical or technical incident
  • Staff training on data protection and security

International Data Transfers

As we are based in the United States, your personal data may be transferred to and processed in countries outside the EEA, UK, or Switzerland. These countries may not have data protection laws equivalent to those in your country of residence.

When we transfer your personal data outside these regions, we ensure a similar degree of protection is afforded to it by implementing appropriate safeguards, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Binding Corporate Rules for transfers within our corporate group
  • Adequacy decisions by the European Commission for countries deemed to provide adequate protection

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach.

If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly, unless:

  • We have implemented appropriate technical and organizational protection measures that render the personal data unintelligible (e.g., encryption)
  • We have taken subsequent measures to ensure that the high risk is no longer likely to materialize
  • It would involve disproportionate effort, in which case we will make a public communication

Data Protection Impact Assessment

We carry out Data Protection Impact Assessments (DPIAs) for processing operations that are likely to result in a high risk to your rights and freedoms, particularly when using new technologies. These assessments help us identify and minimize data protection risks.

Records of Processing Activities

We maintain records of our processing activities as required by Article 30 of the GDPR, including:

  • The purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • International transfers and safeguards
  • Retention schedules
  • Security measures

Cookie Compliance

Our website uses cookies and similar technologies. In compliance with the GDPR and the ePrivacy Directive (Cookie Law), we:

  • Obtain your consent before placing non-essential cookies on your device
  • Provide clear and comprehensive information about the cookies we use
  • Make it as easy to withdraw consent as it is to give consent
  • Document and store consent

For more information about our use of cookies, please see our Cookie Policy.

Children’s Data

Our services are not directed to children under 16 years of age. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to remove that information from our servers.

Changes to This GDPR Compliance Policy

We may update this GDPR Compliance Policy from time to time. The date at the top of this page indicates when this policy was last revised. If we make material changes, we will notify you through a notice on our website or by email. We encourage you to review this policy periodically.

Complaints

If you have a complaint about our handling of your personal data, please contact us first at [email protected]. We will investigate your complaint and respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority. If you are located in the EEA, you can find your national data protection authority on the European Data Protection Board website. If you are located in the UK, you can contact the Information Commissioner’s Office.

Contact Us

If you have any questions or concerns about this GDPR Compliance Policy or our data protection practices, please contact us at:

Email: [email protected]

Postal Address:
HealthyAmericanBites.com
123 Nutrition Avenue
Suite 456
Boston, MA 02108
United States
