Chartless Nutrition

Privacy Policy

Effective Date: April 1, 2026

Last Updated: April 24, 2026

This Privacy Policy applies to the Chartless Nutrition web application at chartlessnutrition.com and to the Chartless EMR Connect browser extension for Chrome. Where this policy refers to "the Service," it includes both products except where a section specifically calls out one or the other. Extension-specific disclosures are in Appendix A at the end of this document.

The Short Version

The full policy follows.

Chartless Nutrition, LLC ("Chartless," "we," "us," or "our") operates the Chartless Nutrition platform at chartlessnutrition.com (the "Service"). This Privacy Policy explains what information we collect, how we use it, how we share it, and your rights regarding that information.

This policy applies to all users of the Service, whether you are an individual nutrition professional or signing up on behalf of a practice.

By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Our Role — Data Processor, Not Data Controller

You (or your Practice) decide what client data to enter, how it is used in your practice, and what communications to send. Chartless processes your client data solely on your behalf and at your direction to provide the Service. Where applicable data protection law distinguishes between data controllers and data processors (such as GDPR), you are the data controller and Chartless is the data processor.

If you are a HIPAA Covered Entity, our handling of Protected Health Information ("PHI") is governed by the Business Associate Agreement ("BAA") between us, which supplements this Privacy Policy. In the event of a conflict between this Privacy Policy and the BAA regarding PHI, the BAA controls.

2. Information We Collect

Account Information

When you create an account, we collect:

Client and Patient Data (Processed on Your Behalf)

When you use the Service to manage your clients, we process the following data on your behalf as your data processor:

If you are a HIPAA Covered Entity, this data may constitute Protected Health Information ("PHI"). You are responsible for determining whether HIPAA applies to your use of the Service and for executing a BAA with us before transmitting any PHI.

Usage Data

We automatically collect:

Cookies

The Service uses cookies that are necessary for the Service to function, including session authentication, workspace identification, and session persistence. We may update the specific cookies used as the Service evolves.

We do not use cookies for advertising or for tracking you across third-party websites. If we introduce analytics or non-essential cookies in the future, we will update this policy and, where required by applicable law, obtain your consent.

3. How We Use Your Information

We use your information to:

We do not use your client data or PHI for marketing, advertising, AI model training, or any purpose unrelated to providing the Service.

4. How We Share Your Information

We share information only in the following limited circumstances:

Service Providers (Sub-Processors)

We use service providers to operate the Service. Each is bound by contractual obligations requiring them to protect your data and use it only for the purposes we specify:

Public Data Sources

Third-Party Connectors (User-Initiated Only)

If you choose to connect third-party services through the Service, data is shared only as you authorize:

These connections are optional, initiated entirely by you, and governed by those third parties' own terms and privacy policies.

Legal Requirements

We may disclose information if required by law, regulation, legal process, or enforceable government request, or if disclosure is necessary to protect our rights, safety, or property, or the safety of others.

Business Transfers

In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information becomes subject to a different privacy policy.

What We Will Never Do

5. Data Security

We implement the following safeguards to protect your information:

No system is perfectly secure. While we use commercially reasonable safeguards, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials and for any activity that occurs under your account.

6. Data Retention and Deletion

7. Your Rights

All Users

You have the following rights regarding your data:

GDPR Rights (EU/EEA Users)

If you are located in the EU/EEA, you additionally have the right to: restrict processing, object to processing, and lodge a complaint with your local data protection authority.

CCPA Rights (California Users)

If you are a California resident: (a) you have the right to know what personal information we collect and how we use it; (b) you have the right to request deletion; (c) we do not sell personal information and never will; (d) we will not discriminate against you for exercising your rights.

PIPEDA Rights (Canadian Users)

If you are located in Canada, you have the right to: (a) access your personal information held by us; (b) challenge the accuracy and completeness of your information and have it amended; (c) withdraw consent to our processing (subject to legal or contractual restrictions); and (d) file a complaint with the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner.

Exercising Your Rights

Contact privacy@chartlessnutrition.com to exercise any privacy rights. We will respond to verified requests within the timeframes required by applicable law (generally within 30 days, extendable by an additional 60 days for complex requests with notice to you).

Complaints

If you believe your privacy rights have been violated, you may contact us at the address below. You may also file a complaint with:

8. HIPAA Compliance

Chartless is a Business Associate under HIPAA when processing PHI on behalf of Covered Entity users. We handle PHI in accordance with:

Our obligations regarding PHI are detailed in the BAA. If there is a conflict between this Privacy Policy and the BAA regarding the handling of PHI, the BAA controls.

9. Children's Privacy

The Service is designed for use by nutrition and dietetics professionals, not children. We do not knowingly collect personal information from individuals under 18 as users of the Service. If we learn that we have collected personal information from a child under 18 as a Service user, we will promptly delete that account.

Note: In the course of your professional practice, you may enter information about minor clients into the Service. You are responsible for ensuring that you have all necessary consents and authorizations to do so under applicable law.

10. Data Residency and International Transfers

The Service is operated from the United States. All data, including client health information, is stored and processed on servers located in the United States. We do not currently offer data residency in other countries.

If you access the Service from outside the United States, your information will be transferred to and stored in the United States. By using the Service, you consent to this transfer. You are responsible for determining whether transferring data to the United States complies with your local laws, including any data residency requirements that may apply in your jurisdiction.

We rely on standard contractual clauses and other lawful transfer mechanisms where required by applicable law (such as GDPR).

Canadian Users

If you are located in Canada, please note that your data will be stored and processed in the United States, not in Canada. Certain Canadian provinces (including British Columbia and Nova Scotia) may impose restrictions on the storage of health information outside of Canada. You are responsible for determining whether your use of the Service complies with PIPEDA and applicable provincial health information legislation.

11. Dispute Resolution

Any disputes arising from this Privacy Policy are subject to the dispute resolution provisions in our Terms of Service, including the binding arbitration clause and class action waiver.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect and update the "Last Updated" date. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise any of your rights, contact us at:

Chartless Nutrition, LLC
Email: privacy@chartlessnutrition.com
Address: 2300 Holcomb Bridge Road, Suite 103-423, Roswell, GA 30076

For HIPAA-related complaints, you may also contact:

U.S. Department of Health and Human Services
Office for Civil Rights
https://www.hhs.gov/ocr/complaints

Appendix A — Chartless EMR Connect (Browser Extension)

Chartless EMR Connect is a Google Chrome browser extension that complements the Chartless Nutrition web application. It allows Registered Dietitians to move clinical notes and client information between Chartless and a supported Electronic Medical Record ("EMR") platform. Where the preceding sections refer to "the Service," they apply to Chartless EMR Connect as well, except where this Appendix says otherwise.

Supported EMR Platforms

How the Extension Accesses Data

What the Extension Stores Locally in Your Browser

The following data is stored in Chrome's per-profile extension storage area (chrome.storage.local). This storage is isolated to your browser profile on your device and is not transmitted to Chartless except as described below.

What the Extension Transmits

Chrome Permissions Requested by the Extension

Clearing Extension Data

You can clear all locally cached Chartless data at any time by one of the following methods: