Data Processing Register
Public summary per GDPR Article 30 - Last updated: March 25, 2026
This page provides a public summary of how Nala processes personal data, in accordance with Article 30 of the General Data Protection Regulation (EU 2016/679).
Data Controller
Name: Mathias Robin (sole proprietor)
Contact: privacy@nala-meditation.com
Supervisory authority: CNIL (France)
Processing Activities
| Processing | Purpose | Legal basis | Data categories | Recipients | Retention | Transfer |
|---|---|---|---|---|---|---|
| User authentication | Account management | Contract (Art. 6(1)(b)) | Email, name, Firebase UID | Firebase (Google) | Account lifetime | US (SCCs) |
| AI wellness chat | Conversational wellness guidance | Explicit consent (Art. 6(1)(a) & 9(2)(a)) | Chat messages, first name, mood, wellness context | Anthropic (Claude API) | 90 days (messages), then summary only | US (SCCs) |
| Wellness tracking | Display wellness scores & progress | Contract (Art. 6(1)(b)) | Numerical scores, mood, actions | Supabase | Account lifetime | EU (no transfer) |
| Journal | Personal journaling feature | Contract (Art. 6(1)(b)) | Free-text entries, mood | Supabase | Account lifetime | EU (no transfer) |
| Analytics | App improvement | Consent (Art. 6(1)(a)) | Anonymized usage events, session ID | Supabase | 1 year | EU (no transfer) |
| Push notifications | Meditation & wellness reminders | Consent (Art. 6(1)(a)) | FCM push token | Firebase (Google) | Account lifetime | US (SCCs) |
| Subscriptions | Premium access management | Contract (Art. 6(1)(b)) | Subscription status, product ID, expiry date | Google Play | Account lifetime | US (DPF) |
| Localization | Display app in user’s language | Legitimate interest (Art. 6(1)(f)) | Language code (2 letters), country code (2 letters) | Supabase | Account lifetime | EU (no transfer) |
| Crash reporting | App stability & bug fixes | Legitimate interest (Art. 6(1)(f)) | Device type, app version, crash stack traces | Firebase Crashlytics | 90 days | US (SCCs) |
| Website analytics | Website improvement | Legitimate interest (Art. 6(1)(f)) | Page views, clicks (no personal identifiers, no cookies) | Supabase | 1 year | EU (no transfer) |
Security Measures (Article 32)
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Row-Level Security (RLS) on all database tables
- JWT authentication with short-lived tokens (token verification results cached for at most 30 s)
- Rate limiting on all API endpoints
- Content Security Policy (CSP) and HSTS headers
- Graceful shutdown and unhandled rejection handlers
- No storage of IP addresses beyond request processing
- Audit logging for GDPR operations (export, delete, profile update)
Data Subject Rights
All rights under GDPR Articles 15-22 are implemented:
- Access & Portability: JSON export via Settings > Export my data
- Erasure: Complete account deletion via Settings > Delete my account
- Rectification: Profile editing in the app
- Withdraw consent: Analytics & notification toggles in Settings
- Complaint: CNIL - www.cnil.fr/plaintes
Breach Notification Procedure
In the event of a personal data breach:
- Detection via monitoring (Crashlytics, server logs, Supabase dashboard)
- Assessment of risk within 24 hours
- Notification to CNIL within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to rights and freedoms (Art. 33)
- Notification to affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Art. 34)
- Entry in breach register with corrective actions taken
Contact: privacy@nala-meditation.com