Data Processing Register

Public summary per GDPR Article 30 — Last updated: March 25, 2026

This page provides a public summary of how Nala processes personal data, in accordance with Article 30 of the General Data Protection Regulation (EU 2016/679).

Data Controller

Name: Mathias Robin (sole proprietor)
Contact: privacy@nala-meditation.com
Supervisory authority: CNIL (France)

Processing Activities

| Processing | Purpose | Legal basis | Data categories | Recipients | Retention | Transfer |
|---|---|---|---|---|---|---|
| User authentication | Account management | Contract (Art. 6(1)(b)) | Email, name, Firebase UID | Firebase (Google) | Account lifetime | US (SCCs) |
| AI wellness chat | Conversational wellness guidance | Explicit consent (Art. 6(1)(a) & 9(2)(a)) | Chat messages, first name, mood, wellness context | Anthropic (Claude API) | 90 days (messages), then summary only | US (SCCs) |
| Wellness tracking | Display wellness scores & progress | Contract (Art. 6(1)(b)) | Numerical scores, mood, actions | Supabase | Account lifetime | EU (no transfer) |
| Journal | Personal journaling feature | Contract (Art. 6(1)(b)) | Free-text entries, mood | Supabase | Account lifetime | EU (no transfer) |
| Analytics | App improvement | Consent (Art. 6(1)(a)) | Anonymized usage events, session ID | Supabase | 1 year | EU (no transfer) |
| Push notifications | Meditation & wellness reminders | Consent (Art. 6(1)(a)) | FCM push token | Firebase (Google) | Account lifetime | US (SCCs) |
| Subscriptions | Premium access management | Contract (Art. 6(1)(b)) | Subscription status, product ID, expiry date | Google Play | Account lifetime | US (DPF) |
| Crash reporting | App stability & bug fixes | Legitimate interest (Art. 6(1)(f)) | Device type, app version, crash stack traces | Firebase Crashlytics | 90 days | US (SCCs) |
| Website analytics | Website improvement | Legitimate interest (Art. 6(1)(f)) | Page views, clicks (no personal identifiers, no cookies) | Supabase | 1 year | EU (no transfer) |

Security Measures (Article 32)

Data Subject Rights

All rights under GDPR Articles 15–22 are implemented:

Breach Notification Procedure

In the event of a personal data breach:

  1. Detection via monitoring (Crashlytics, server logs, Supabase dashboard)
  2. Assessment of risk within 24 hours
  3. Notification to CNIL within 72 hours (if risk to rights & freedoms)
  4. Notification to affected users without undue delay (if high risk)
  5. Entry in breach register with corrective actions taken

Contact: privacy@nala-meditation.com