Privacy Policy

Privacy Policy

Last updated: July 2026

1. Controller Identity

The controller responsible for your personal data under applicable data protection law (including the General Data Protection Regulation, GDPR) is:

BHI Biohealth International GmbH
Heinrich-Wirth-Straße 13
95213 Münchberg
Germany
Email: contact@nutri-leaf.com
Commercial Register: Registered in Germany

2. What Data We Collect

When you browse, place an order, or contact us on the Nutri-Leaf store, we collect the following categories of personal data:

  • Identity Data: name, billing and shipping address, email address, phone number.
  • Order Data: products purchased, order history, payment confirmation details, order number.
  • Payment Data: payment method, credit card or other payment instrument information. All payment processing is handled by Shopify Payments and its third-party payment partners. We do not store full payment card numbers on our own systems.
  • Technical Data: IP address, browser type and version, time zone setting, browser plug-in types, operating system and platform, device type.
  • Usage Data: information about how you use our website, products and services, pages viewed, and referring URL.
  • Communication Data: correspondence when you contact customer support, including emails and chat messages.

3. Purpose and Legal Basis for Processing

We process your personal data only for specific, explicit, and legitimate purposes:

Purpose Legal Basis (GDPR)
Order fulfilment, processing payments, and delivering products Article 6(1)(b) — contract performance
Managing your customer account and order history Article 6(1)(b) — contract performance
Customer service and support inquiries Article 6(1)(b) — contract performance; Article 6(1)(f) — legitimate interest
Complying with legal obligations (tax, accounting, regulatory) Article 6(1)(c) — legal obligation
Marketing communications (with your consent) Article 6(1)(a) — consent
Website analytics and improvement Article 6(1)(f) — legitimate interest
Fraud prevention and website security Article 6(1)(f) — legitimate interest

4. Data Sharing

We share your personal data only with trusted third parties who help us operate our store and serve you. These include:

  • Shopify Inc. — our e-commerce platform provider and data processor (hosting, payment processing infrastructure).
  • Shipping carriers — DHL, Deutsche Post, and other delivery services for order fulfilment.
  • Payment processors — Shopify Payments and its acquiring banks, PayPal (where offered).
  • IT service providers — email hosting, CRM, analytics tools (configured in a privacy-compliant manner).

We never sell your personal data to third parties. All third-party processors are contractually bound to process your data only on our documented instructions and to maintain appropriate security measures.

5. Data Retention

We retain your personal data only as long as necessary to fulfil the purposes for which it was collected:

  • Order data: retained for the duration of the statutory retention period under German commercial and tax law (currently 6 to 10 years).
  • Customer account data: retained until you delete your account, plus a reasonable period thereafter for legitimate business purposes.
  • Marketing consent records: retained until you withdraw consent.
  • Website usage data: retained for up to 26 months.

After the retention period expires, your data is securely deleted or anonymised.

6. Your Rights

Under the GDPR, you have the following rights concerning your personal data:

  • Right of access (Article 15): obtain confirmation of whether we process your data and receive a copy.
  • Right to rectification (Article 16): request correction of inaccurate or incomplete data.
  • Right to erasure (Article 17): request deletion of your data under certain conditions ("right to be forgotten").
  • Right to restriction (Article 18): request restriction of processing under certain conditions.
  • Right to data portability (Article 20): receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Article 21): object to processing based on legitimate interest or for direct marketing.
  • Right to withdraw consent: withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at contact@nutri-leaf.com. We will respond within the statutory timeframe (usually one month).

7. Right to Lodge a Complaint

If you believe we have processed your personal data in violation of data protection law, you have the right to lodge a complaint with the competent supervisory authority:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27
91522 Ansbach
Germany

8. Cookies

Our Shopify store uses the following categories of cookies:

  • Essential cookies: required for the store to function (shopping cart, checkout, user authentication). These cannot be disabled.
  • Functional cookies: remember your preferences and region.
  • Analytics cookies: help us understand how visitors use our site (Shopify Analytics, anonymised).

You can manage cookie preferences through your browser settings at any time. Essential cookies are set based on our legitimate interest in operating the store; all other cookies require your consent.

9. Contact for Privacy Matters

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact our privacy team:

Email: contact@nutri-leaf.com
Write to: BHI Biohealth International GmbH, Heinrich-Wirth-Straße 13, 95213 Münchberg, Germany
Subject: Data Privacy

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes through the website or by email. The date of the latest revision is indicated at the top of this page.