• info@nimapartners.com
  • technicalsupport@nimapartners.com
NIMA Partners, LLC. Privacy Policy
Effective: 02 September 2021 NIMA Partners, LLC. (“NIMA“) welcomes its users and respects their privacy. This Privacy Policy informs you of our policies and practices regarding the collection, use, access, storage and disclosure of any personal information you submit to us including by accessing our services via out website located at www.nimapartners.com or through a platform such as iTunes or Google, or one of our partners, or via our products or services.
  1. User Consent. By submitting personal information to us, you agree to the terms of this Privacy Policy. In addition, for certain products or services, we may further confirm your consent by asking you to expressly consent to the collection, processing, storage and use of your personal information according to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please refrain from using our products or accessing our services.
  2. NIMA Products and Services. NIMA develops products to enable users to monitor their wellness (“Product(s)“). Products include online and off-line services and applications including via our software mobile, tablet, desktop, our sensor devices (“Application(s)“) and any other websites or platforms which link to this Privacy Policy and our Application(s) (collectively, the “Site“) and the online services that we provide to users of our Products and our Application(s) (“Services“). Because NIMA uses Google Maps API, you also agree to Google’s Privacy Policy.
  3. A Note About Children. We do not intentionally gather Personal Data from visitors who are under the age of 13. If a child under 13 submits Personal Data to NIMA and we learn that the Personal Data is the information of a child under 13, we will attempt to delete the information as soon as possible. If you believe that we might have any Personal Data from a child under 13, please contact us at info@nimapartners.com A Note to Users Outside of the United States. If you are a non U.S. user of the Site, by visiting the Site or using our Services and providing us with data, you acknowledge and agree that your Personal Data may be processed for the purposes identified in the Privacy Policy. In addition, your Personal Data may be processed in the country in which it was collected and in other countries, including the United States, where laws regarding processing of Personal Data may be less or more stringent than the laws in your country. By providing your data, you consent to such transfer.
All information provided will be encrypted or anonymized to align with data privacy regulations between such countries, and the service provider must agree to the GDPR requirements set forth herein if any personal data will be originating from or processed in the EU.
European Union (“EU”) General Data Protection Regulation (“GDPR”).
NIMA may at times be subject to GDPR, which is the European Union’s General Data Protection Refgulation, as a controller or processor of personal data as described below:
  1. The GDPR considers data protection as a fundamental human right of an individual, which includes a “right to the protection” of their personal data. Anyone based in the EU, or anyone handling or targeting the personal data of an EU-based individual must have processes, technology, and automation to effectively protect such personal data.
  2. The GDPR applies to a controller or a processor who is based or established in the EU, or to a company not based in the EU but who offers goods or services from outside the EU borders in the EU or who monitors the behavior of personal data in the EU.
  3. To avoid fragmentation and ambiguity, GDPR has set a baseline for data protection by requiring anyone processing the personal data of an individual that is in the EU to follow the requirements set forth in the GDPR.
In compliance with GDPR, NIMA data has implemented data security processes to ensure the following are properly identified and processed:
  • Data Subject: A person who can be identified directly or indirectly by means of an identifier. For example, an identifier can be a national identifier, a credit card number, a username, or a web cookie.
  • Personal Data: Any personal information, including sensitive personal information, relating to a Data Subject. For example, address, date of birth, name, location and nationality.
  • Controller: A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. For example, a controller can be an organization that works with NIMA and determines the processing of personal data provided to NIMA. NIMA is a controller for its third-party partners when NIMA determines the processing of personal data provided to the third-party.
  • Processor: A natural or legal person, agency or any other body which processes Personal Data on behalf of the Controller. For example, a developer, a tester, or an analyst. A Processor can also be a cloud service provider or an outsourcing company.
  • Recipient: A natural or legal person, agency or any other body to whom the personal data is disclosed. For example, an individual, a tax consultant, an insurance agent, or an agency.
  • Enterprise: Any natural or legal person engaged in an economic activity. This essentially includes all organizations whether in the public or private sector, whether in the EU or outside of the EU.
  • Third party: Any natural or legal person, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the data. For example, partners or subcontractors.
  • Supervisory Authority: An independent public authority established by a Member State (known as the National Data Protection Authority under the current EU Data Protection Directive), or auditing agency.

"By using our website, you (the visitor) agree to allow third parties to process your IP address, in order to determine your location for the purpose of currency conversion. You also agree to have that currency stored in a session cookie in your browser (a temporary cookie which gets automatically removed when you close your browser). We do this in order for the selected currency to remain selected and consistent when browsing our website so that the prices can convert to your (the visitor) local currency."

NIMA's key GDPR data security requirements can be broadly classified into three categories:
  • Assessment,
  • Prevention, and
  • Monitoring/Detection.
The GDPR also requires compliance with the data protection principles to enhance the quality and rigor of protection of the data. This section summarizes key data security requirements discussed in the GDPR and adopted by NIMA.
Assess Security Risks: Data protection impact assessments lay a foundation for preventing breaches by evaluating the gaps and risks. The GDPR mandates that Controllers perform Data Protection Impact Assessments when certain types of processing of Personal Data are likely to present a “high risk” to the data subject. NIMA's assessment includes a systematic and extensive evaluation of processes, profiles, and how these tools safeguard the Personal Data, and when applicable a data processing agreement with Controllers and Processors.
“… The controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks …” — Article 35 of GDPR
Prevent Attacks: At various places in the regulation, the GDPR reiterates the importance of preventing security breaches. The GDPR recommends several techniques to prevent an attack from succeeding:
  • Encryption: The GDPR considers encryption as one of the core techniques to render the data unintelligible to any person who is not authorized to access the personal data. When applicable, NIMA encrypts personal data it collects to render it unintelligible if accessed without authorization, and as applicable when processing or transferring the data to a Processor.
“… the controller, and the processor shall implement appropriate technical and organizational measures, to ensure a level of security appropriate to the risk, including inter alia, as appropriate: (a) The pseudonymisation and encryption of personal data;” — Article 32 of GDPR
The GDPR provides that in the event of a data breach, the Controller does “not” need to notify data subjects if data is encrypted and rendered unintelligible to any person accessing it, thereby removing notification costs to the organizations.
“The communication to the data subject … shall not be required if… data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption …” — Article 34 of GDPR
  • Anonymization and Pseudonymization: Data anonymization is the technique of completely scrambling or obfuscating the data, and pseudonymization refers to reducing the linkability of a data set with the original identity of a data subject. The GDPR states that anonymization and pseudonymization techniques can reduce the risk of accidental or intentional data disclosure by making the information un-identifiable to an individual or entity. Where applicable, NIMA anonymizes and pseudonyms the personal data it processes. This includes aggregating the data to be personally unidentifiable, such that the Personal Data is rendered anonymous and unlinkable to the original identity of a data subject.
  • “… The application of pseudonymisation to personal data can reduce the risks for the data subjects concerned and help controllers and processors meet their data protection obligations …” — Recital 28 of GDPR
  • “… The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” — Recital 26 of GDPR
  • Privileged User Access Control: The GDPR implies controlling privileged users who have access to the Personal Data to prevent attacks from insiders and compromised user accounts. NIMA limits access to Personal Data to specific individuals within the organizations, and with instructions as to the sensitivity of the Personal Data to prevent attacks and compromises of the Personal Data.
  • Fine-grained Access Control: In addition to privileged user control, the GDPR recommends adopting a fine-grained access control methodology to ensure that the Personal Data is accessed selectively and only for a defined purpose. This kind of fine-grained access control can help organizations minimize unauthorized access to Personal Data. NIMA selectively uses Personal Data for the specific purpose for which it is required.
“… Controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” — Article 25 of GDPR
  • Data Minimization: The GDPR recommends minimizing the collection and retention of Personal Data as much as possible to reduce the compliance boundary. While collecting, processing, or sharing Person Data, Controllers and Processors must be frugal and limit the amount of information to the necessities of a specific activity. NIMA minimizes the Personal Data it collects by considering what is adequate and relevant to what is necessary in relation to the purposes for which they are processed.
  • “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).” — Article 5 of GDPR
Monitor to Detect Breaches: While preventive security measures help NIMA minimize the risk of attack, they cannot eliminate the possibility that a data breach may occur. Thereby NIMA monitors and alerts to detect such breaches through recording or auditing of the activities on the Personal Data and maintaining it so that processors and third-parties must not be able to tamper or destroy the audit records. In the case of a Personal Data breach, NIMA shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the supervisory authority of any Personal Data breach.
“Each controller …. shall maintain a record of processing activities under its responsibility.” — Article 30 of GDPR
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …” — Article 33 of GDPR
The three broad categories of security guidelines (assessment, prevention, and detection) help NIMA address threats from multiple angles and secure the data from unauthorized access.
In addition NIMA mandates making data protection a core part of the system. Considering security during the initial design phase of our features in the technology life cycle increases the security worthiness of NIMA's system and ensures that technical security controls will perform as expected. As part of this, NIMA has implemented centralized administration when dealing with security of multiple applications and systems as they help take immediate actions in case of a breach. Centralized controls also enforce uniformity across multiple targets, reduce the chances of errors on individual targets, and leverage the best practices across the enterprise. Since threats and attacks can come from multiple sources NIMA, works to be prepared from all directions, and mandates protection of Personal Data in all stages of the data lifecycle such as data at-rest and in-transit.
“… The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” — Article 25 of GDPR
“The main establishment of a controller in the EU should be the place of its central administration in the EU …and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing…” — Recital 36 of GDPR
“In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.” — Article 32 of GDPR
  1. Types of Data We Collect. “Personal Data” means (a) data that allows someone to identify or contact you, including, for example, your name, address, telephone number, e-mail address, as well as any other non-public information about you that is associated with or linked to any of the foregoing data, and (b) Test Results that are automatically collected when you use our Products and Application(s), and any additional information (such as the name of the restaurant and the food item tested, ratings of the restaurant, etc.) that the user may add to the Test Results, to the extent that such data is associated with or linked to data that allows someone to identify or contact you (“Food Data“). “Anonymous Data” means data that can not publicly be linked or associated with your Personal Data; Anonymous Data does not, by itself, permit the identification of individual persons. We collect Personal Data, including but not limited to Food Data, and Anonymous Data, as described below.
(a) Information You Provide to Us.
  • We may collect Personal Data from you, such as your first name, last name, e-mail, city, state, password, and food preference related information (e.g., foods you avoid and your food identity) when you create an account to log in to our network (“Account“).
  • We will also ask you to create a public profile which will be used in public areas of our Services to identify the Food Data that you collect and any postings that you may upload to the Services (“Profile“). The name you use in your Profile can be your real name or a pseudonym. You can also decide whether or not to include additional personal information that may include but is not limited to your gender, age, food identity and foods you avoid in your Profile. Any information you include in your Profile will be available for public viewing by our other users. Once displayed on publicly viewable web pages and in the Application(s), that information can be used and collected by others. We cannot control who reads your postings or what other users may do with information that you voluntarily post or include in your Profile. Once you have posted information publicly, while you will be able to request that NIMA modify or delete such information pursuant to Section 9(e) below, you will not be able to modify or delete such information to the extent it has been cached, collected, and stored elsewhere by others (e.g. search engines).
  • If you tell us where you are (e.g., by allowing your mobile device to send us your location), we may store and use that information to tag the location where you tested your food and provide you with location-based information and advertising. If you want to deactivate this feature, you can deactivate GPS on your mobile device or remove permissions for the Application(s) to have access to your location.
  • Our Application(s) let you store your Application preferences. We may associate these choices with your Account or the mobile device, and you can edit these preferences at any time in our Application(s).
  • When you order our Products or Services on our Site, we, or our payment processors, will collect all information necessary to complete the transaction, including your name, phone number, credit card information, billing information and shipping information. This information may be shared with third parties who help process and fulfill your purchases.
  • If you provide us feedback or contact us via e-mail, we will collect your name and e-mail address, as well as any other content included in the e-mail, in order to send you a reply.
  • When you use our Product and upload the Sensor test results to our Application(s), we will ask you to provide information about the test (e.g., the restaurant where you tested your food, the food item tested, and a rating of the restaurant). This information, together with any information that you include in your Profile, will be made available to all users of the Application(s) in a public area of our Services.
  • When you post content (i.e., text, images, photographs, messages, reviews, ratings, tips, comments or any other kind of content), the information contained in your posting will be stored in our servers. If the information is posted in a public area of the Services, other users will be able to see it, along with any other information that you include in your Profile. The information that you provide in the content you post in public areas of our Site and Application(s), and your Profile, will be visible to others, including anonymous visitors to the Site and Application(s).
  • We retain information on your behalf, such as files and messages that you store using your Account.
  • When you post tips and comments within the Application(s) or on our Site the information contained in your posting will be stored on our servers, and other users will be able to see it.
  • When you participate in one of our surveys, we may collect additional profile information.
  • If you participate in a sweepstakes, contest or giveaway on our Site or in our Application(s), we may ask you for your e-mail address and/or home number (to notify you if you win or not). We may also ask for first and last names, and sometimes post office addresses to verify your identity. In some situations we may need additional information as a part of the entry process, such as a prize selection choice. These sweepstakes and contests are voluntary. We recommend that you read the rules for each sweepstakes and contest that you enter.
  • We may also collect Personal Data at other points in our Site or Application(s) that state that Personal Data is being collected.
(b) Information Collected via Technology.
    • Information Collected by Our Products. If you use our Products, our Products will collect Food Data. When you sync our Sensor with our Application(s), (i) the Product will upload Food Data to our Application(s) and (ii) our Application(s) will note that you used a Capsule to test for the Food Data.
    • Information Collected by Our Servers. To make our Site and Services more useful to you, our servers (which may be hosted by a third party service provider) collect information from you, including your browser type, operating system, Internet Protocol (“IP“) address (a number that is automatically assigned to your computer when you use the Internet, which may vary from session to session), domain name, and/or a date/time stamp for your visit.
    • Information About Your Mobile Device. If you use our Services on your mobile device, including through our Application(s), we may collect your Sensor’s battery level, the version of iOS used by your device, the serial number and firmware version of your Sensor, the signal strength of your mobile device, notifications regarding errors related to your Sensor or mobile device, your Test Results, and other relevant diagnostics that come from syncing the Sensor with your mobile device, such as temperature and time of readings.
    • Log Files. As is true of most websites and applications, we gather certain information automatically and store it in log files. This information includes IP addresses, browser type, Internet service provider (“ISP“), referring/exit pages, operating system, date/time stamp
What Does it Take to Live Healthier?

Find out how NIMA Partners can help.


Gluten Sensor

Testing Strategies

Erika Schlick, NIMA Partners Educational Advisor, shares helpful tips on testing strategies for dining out.


Testing Take-Out

No Gluten Gabby uses NIMA Partners Gluten Detection Sensor to test her take out food.