This record uses provider role labels only. Named vendors appear in Sub Processor List.
1. Controller identity
| Field |
Value |
| Controller |
[PENDING: LEGAL_ENTITY_NAME] |
| Trading as |
Being Optimal, Site Nutrition |
| Registered address |
[PENDING: REGISTERED_ADDRESS] |
| Incorporation |
[PENDING: INCORPORATION_JURISDICTION] |
| Privacy contact |
[email protected] |
| DPO / privacy lead |
[PENDING: DPO_CONTACT] |
| EU representative |
[PENDING: EU_REP] |
| UK representative |
[PENDING: UK_REP] |
Role model: Being Optimal is Controller for B2C account, health, nutrition, AI, community (as platform operator), and product-analytics processing described below. Infrastructure vendors are Processors / sub-processors. There is no general B2B “clinic processor” offering in the current product model (no customer DPA for clinics unless separately contracted).
2. Processing activities (Article 30(1) style)
2.1 Core product & account
| Ref |
Activity |
Purposes |
Lawful basis (indicative) |
Data subjects |
Categories of personal data |
Recipients (roles) |
Transfers |
Retention |
| C-1 |
Account registration & authentication |
Provide Services; secure access |
Contract; legitimate interests (security) |
Users |
Email, name/profile metadata, auth subject id, session tokens |
Authentication Provider; Hosting Provider; CDN / Edge Network Provider; Database Provider |
Primarily United States; global edge delivery; SCCs/IDTA as needed |
Account life; sessions shorter |
| C-2 |
Environment & nutrition planner |
Meal planning; nutrient tracking; Day Score / grades |
Contract; Art. 9 explicit consent (health) |
Users |
Meal logs, combos/templates, ingredient quantities, scores |
Database Provider; Cloud Infrastructure Provider (compute) |
As above |
Active account lifetime; deletion on account close subject to Privacy Policy caveats |
| C-3 |
Health profile & gestational context |
Personalize targets; pregnancy-phase nutrition context |
Contract; Art. 9 explicit consent |
Users |
LMP/EDD, DOB, weight, ethnicity (if collected), trimester-related fields |
Database Provider |
As above |
Account life; deleted on close subject to caveats |
| C-4 |
Blood markers & symptoms journal |
Informational comparison to targets; user record-keeping |
Contract; Art. 9 explicit consent |
Users |
Lab values entered by user; symptoms notes |
Database Provider |
As above |
Account life |
| C-5 |
Custom ingredients & user content |
User-authored food entries |
Contract |
Users |
Custom nutrient entries; labels |
Database Provider |
As above |
Soft-delete then cascade; see DSAR |
| C-6 |
Preferences, entitlements, UI state |
Product configuration; tier features |
Contract; legitimate interests |
Users |
Preference flags, tier/entitlement metadata |
Database Provider; Hosting Provider |
As above |
Account life |
2.2 AI assistant
| Ref |
Activity |
Purposes |
Lawful basis (indicative) |
Data subjects |
Categories |
Recipients (roles) |
Transfers |
Retention |
| C-7 |
AI assistant (“Borg”) conversations |
Answer questions; planning help; propose-only edits |
Contract; Art. 9 explicit consent for health context in prompts; consent/ToS acceptance as implemented |
Users |
Message bodies; optional health-context snippets; safety filter signals |
Database Provider; AI Model Providers; Cloud Infrastructure Provider |
US / provider regions; SCCs/IDTA as needed |
While account active unless deleted; external Model Provider copies per provider DPA; external model copies per provider DPA (no provider delete API called today) |
| C-8 |
AI run metadata |
Reliability, rate limiting, debugging |
Legitimate interests; contract |
Users |
Run metadata (not necessarily full prompt/response bodies in metadata tables) |
Database Provider; Cloud Infrastructure Provider |
As above |
Operational period |
2.3 Communications & notifications
| Ref |
Activity |
Purposes |
Lawful basis (indicative) |
Data subjects |
Categories |
Recipients (roles) |
Transfers |
Retention |
| C-9 |
Transactional email |
Account, security, service notices |
Contract; legitimate interests |
Users |
Email, message content |
Email Delivery Provider; Email Design Provider (templates, operator-side) |
Configurable |
Provider log retention + operational need |
| C-10 |
Web Push |
Optional notifications |
Consent (push permission) |
Users |
Push endpoint, keys, payloads |
Database Provider; browser Push Delivery (VAPID/Web Push — no push SaaS) |
Device/endpoint |
Until unsubscribe / account close (orphan caveat) |
| C-11 |
In-app notification log / prefs |
Deliver and respect preferences |
Contract; legitimate interests |
Users |
Prefs, notification events |
Database Provider |
As above |
Operational; orphan caveat on delete |
| Ref |
Activity |
Purposes |
Lawful basis (indicative) |
Data subjects |
Categories |
Recipients (roles) |
Transfers |
Retention |
| C-12 |
Community forum SSO & UGC |
Peer discussion; support |
Contract; legitimate interests; consent where required for cookies |
Users who join community |
Identity for SSO; posts; uploads |
Community Platform Provider; Cloud Infrastructure Provider (uploads where used) |
Forum host region |
Posts may remain anonymized after account close — not hard-deleted by default |
2.5 Location, content, analytics, commercial
| Ref |
Activity |
Purposes |
Lawful basis (indicative) |
Data subjects |
Categories |
Recipients (roles) |
Transfers |
Retention |
| C-13 |
Reverse geocoding |
Country/region for localization or profile |
Legitimate interests; consent where required |
Users who invoke feature |
Raw lat/lng (transient); derived country/region |
Reverse-Geocoding Provider; Database Provider (labels only) |
Global API |
GPS not stored; labels per account prefs |
| C-14 |
Help / Learning Center delivery |
Education; documentation |
Legitimate interests; contract |
Visitors & users |
IP/request logs; local search is client-side where Pagefind is used |
Hosting Provider; CDN / Edge Network Provider |
Edge global |
Log retention per host |
| C-15 |
First-party catalog / product analytics |
Improve catalog UX |
Consent where gated; legitimate interests for essential ops metrics |
Users / visitors as configured |
Pseudonymous choice events; no third-party analytics SaaS |
Database Provider; Cloud Infrastructure Provider |
Primarily United States; global edge delivery |
As needed for product improvement (first-party, pseudonymous) |
| C-16 |
Outbound partner / affiliate clicks |
Measure partner links |
Legitimate interests; disclosure in Advertising policy |
Visitors |
Pseudonymous click records (designed without stored user id; IP transient for rate limit) |
Database Provider; Hosting Provider |
As above |
Operational analytics period |
| C-17 |
Subscription billing (when live) |
Collect fees; manage plans |
Contract |
Paying users |
Billing email, subscription status, payment references — not full PAN |
Billing Provider; Database Provider (status) |
TBD when live |
[PENDING: BILLING_RECORD_RETENTION] |
| C-18 |
Security, fraud prevention, abuse |
Protect Services and users |
Legitimate interests; legal obligation |
Users & abusers |
IP, logs, rate-limit hits, abuse reports |
CDN / Edge Network Provider; Hosting Provider; Cloud Infrastructure Provider; Database Provider |
As above |
Security retention period |
| C-19 |
Legal compliance & DSAR handling |
Respond to rights; comply with law |
Legal obligation; legitimate interests |
Users; requesters |
Request correspondence; verification data |
Internal; counsel; regulators as required |
As needed |
Per legal hold / statutory periods |
| C-20 |
Automated informational scoring |
Day Score, nutrient flags, optimizer suggestions, Knowledge Score, blood-marker displays |
Contract; Art. 9 for health inputs |
Users |
Derived scores/flags from C-2–C-4 |
Primarily on-platform (Database / Cloud Infrastructure); see Automated Decisions |
Primarily United States; global edge delivery |
With source data |
3. Special category (Art. 9) data
| Categories |
Processing refs |
Art. 9 condition (indicative) |
Notes |
| Pregnancy timing, reproductive health context |
C-2, C-3, C-7, C-20 |
Explicit consent |
Core product purpose; disclosed in Privacy Policy |
| Health metrics, labs, symptoms |
C-3, C-4, C-7, C-20 |
Explicit consent |
User-entered; not clinical ingestion from labs |
| Health context in AI prompts |
C-7 |
Explicit consent + contract for service delivery |
International transfer to AI Model Providers |
Withdrawal of consent: stop using AI / close account; see DSAR. Prior processing remains lawful where applicable.
4. Categories of recipients
| Recipient role |
Typical processing |
| Authentication Provider |
Identity, sessions, lifecycle webhooks |
| Webhook Transport |
Delivery of auth lifecycle events |
| Database Provider |
Primary datastore + RLS |
| Hosting Provider |
Application hosting |
| CDN / Edge Network Provider |
DNS, edge, gateway |
| Cloud Infrastructure Provider |
Privileged APIs, heavy compute, object storage |
| Email Delivery Provider |
Transactional email |
| AI Model Providers |
Generative inference on prompts |
| Community Platform Provider |
Forum |
| Reverse-Geocoding Provider |
Lat/lng → place labels |
| Billing Provider |
Payments when live |
| Email Design Provider |
Operator template tooling |
| Push Delivery |
Browser Web Push (no third-party push SaaS) |
| Regulators / law enforcement |
Only under legal process |
| Professional advisors |
Counsel, auditors under confidentiality |
Not recipients of Personal Data: Nutrient Data Source (public food composition catalog only).
5. International transfers
| Mechanism (indicative) |
Use |
| Provider DPAs |
Sub-processors |
| Standard Contractual Clauses / UK IDTA (as applicable) |
Transfers outside EEA/UK |
| Technical measures |
TLS; RLS; least privilege |
| Organizational measures |
Access control; IR; vendor review |
Primary hosting posture: Primarily United States; global edge delivery.
6. Technical and organizational measures (summary)
See Security And Compliance. Highlights:
- TLS in transit; provider encryption at rest
- RLS with user JWT on application data
- No service role in Next.js frontend host; service role only on privileged backend
- Secrets kept server-side
- Privacy-forward absence of third-party ads/analytics/session-replay SaaS
Honest limitations: erasure is automated but not fully atomic; community content anonymized not deleted; external AI/email copies not purged via provider APIs — see Data Subject Request Procedure.
7. Processor record (Article 30(2))
Not generally applicable to the current B2C model: Being Optimal does not offer a multi-tenant “clinic processor” product in which customers are Controllers and Being Optimal is Processor for patient panels. If a B2B/clinic offering is launched, a separate Art. 30(2) schedule and DPA will be added.
8. Maintenance
| Item |
Practice |
| Owner |
[PENDING: DPO_CONTACT] (or privacy lead) |
| Review cadence |
At least annually, and on material processing change (new AI provider, new health data type, billing live, etc.) |
| Cross-checks |
Sub Processor List, Legal Manifest, PREFLIGHT DECISIONS, deletion code paths |
| Legal hold |
Legal hold suspends deletion where required by law |