trophē processes nutrition and lifestyle data — special-category data under GDPR Article 9. We treat that as an engineering requirement, not a legal footnote. This page describes exactly how, in plain language.
Your nutrition practice (or clinic) is the data controller for client data; trophē is the processor acting on your documented instructions. A draft Article 28 Data Processing Agreement is available on request and is being finalised with counsel — email dpo@trophe.app.
Primary data is stored in Supabase (PostgreSQL), currently hosted on AWS in the United States (us-east-2); migration to an EU region is planned. Because this is a transfer outside the EEA, we rely on the EU Standard Contractual Clauses offered in our processors' data-processing agreements (Supabase, AWS); our own transfer-impact assessment and executed DPAs are in progress. Row-level security is enabled on every database table, so tenant access is enforced at the database layer, not only in application code — comprehensive cross-tenant policy tests are on our hardening roadmap. Automated backups and point-in-time recovery are being provisioned as part of our in-progress move to Supabase Pro, and are not yet enabled.
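To make the row-level-security point concrete, here is an added example of tenant isolation enforced in PostgreSQL itself, together with the kind of cross-tenant check a policy test would run. It is illustrative code, not trophē's actual schema or policies: it assumes a `clients` table owned by a `coach_id` and a `food_logs` table owned by a client, and uses a session setting `app.coach_id` as a stand-in for the caller's identity (on Supabase, `auth.uid()`, derived from the request JWT, plays that role).

```sql
-- Added example (not trophē's schema): tenant isolation with PostgreSQL row-level security.
-- Assumed tables: clients (each owned by one coach) and food_logs (each owned by one client).
create table clients (
  id        uuid primary key default gen_random_uuid(),
  coach_id  uuid not null
);

create table food_logs (
  id         uuid primary key default gen_random_uuid(),
  client_id  uuid not null references clients(id),
  logged_at  timestamptz not null default now(),
  entry      text not null
);

-- Constructed sample data: two coaches, one client each, one log entry each.
insert into clients (id, coach_id) values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb');
insert into food_logs (client_id, entry) values
  ('11111111-1111-1111-1111-111111111111', 'oats, 60 g'),
  ('22222222-2222-2222-2222-222222222222', 'lentil soup, 300 ml');

-- Who is calling? A session setting stands in for the JWT subject here (assumption);
-- on Supabase the equivalent is auth.uid(). Unset => NULL => no rows match any policy.
create function current_coach_id() returns uuid
language sql stable as $$
  select nullif(current_setting('app.coach_id', true), '')::uuid
$$;

alter table clients   enable row level security;
alter table food_logs enable row level security;
-- FORCE so that even the table owner is subject to the policies.
alter table clients   force row level security;
alter table food_logs force row level security;

-- A coach may read and write only their own client records.
create policy coach_owns_client on clients
  for all
  using (coach_id = current_coach_id())
  with check (coach_id = current_coach_id());

-- A coach may read and write only logs belonging to their own clients.
-- WITH CHECK blocks inserts/updates that would attach a row to someone else's client.
create policy coach_owns_client_logs on food_logs
  for all
  using (exists (select 1 from clients c
                 where c.id = food_logs.client_id
                   and c.coach_id = current_coach_id()))
  with check (exists (select 1 from clients c
                      where c.id = food_logs.client_id
                        and c.coach_id = current_coach_id()));

-- Cross-tenant check, run as the application's (non-superuser) role:
-- as coach A, coach B's client and logs must be invisible and unwritable.
begin;
set local app.coach_id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
select count(*) from clients;    -- expected: 1
select count(*) from food_logs;  -- expected: 1 (only client 1111...'s entry)
-- Writing a log against coach B's client fails the WITH CHECK clause:
insert into food_logs (client_id, entry)
  values ('22222222-2222-2222-2222-222222222222', 'should be rejected');
-- ERROR: new row violates row-level security policy for table "food_logs"
rollback;
```

One caveat that matters when writing the policy tests mentioned above: superusers and roles with `BYPASSRLS` ignore policies entirely, so a check that passes while connected as the database owner proves nothing. Run the isolation test under the same role the application connects with, and treat any query that returns another tenant's rows, or any write that succeeds against another tenant's records, as a failing test.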
Data is encrypted with TLS 1.2 or later in transit everywhere, and with AES-256 at rest (provided by our hosting platforms). Sessions are kept in cookies rather than browser localStorage; service credentials are never present in client code.
Our text AI runs on DeepSeek, which processes inputs on infrastructure in China. For coaching features we send client-provided and coach-visible text — food logs, intake answers, coach notes, conversations and a profile snapshot — which can include names, contact details and health-adjacent information. DeepSeek's terms permit it to use inputs to improve its services, so the transfer and data-use basis is unresolved. Search and memory features also generate embeddings via Voyage (US) over that same text. Meal-photo vision runs on Anthropic (US), whose API terms do not train on submitted inputs. We are actively minimising what each provider receives and building automated egress controls; we never send uploaded medical documents, because we don't accept them.
We deliberately do NOT accept uploads of blood panels or medical documents yet. Until our counsel finalises retention obligations for health records, the intake collects lifestyle answers only — the most privacy-preserving default.
Active account data is retained while the account exists. You can request deletion of your account and data via dpo@trophe.app; a fully-automated, audited erasure workflow (including backup handling) is in active development, and until it ships we process deletion requests manually and confirm scope and timing with you. AI run telemetry is pseudonymous; an automated retention/pruning policy for it is in development.
As processor, trophē notifies affected controllers of confirmed personal-data breaches without undue delay and provides the information they need to meet their own regulatory obligations (such as the 72-hour deadline a controller faces under GDPR Article 33). We maintain a documented incident runbook.
Our current draft DPA proposes notifying controllers of sub-processor changes in advance, with the right to object.
Exercise any right by emailing dpo@trophe.app. Automated rights-fulfilment with SLA tracking is in development; for now requests are handled manually.
Data sources & licensing
Nutrition values are compiled from public food-composition databases: Open Food Facts (© its contributors, used under the Open Database License (ODbL)), USDA FoodData Central, CIQUAL (France), CoFID (UK), BEDCA (Spain) and CREA (Italy). Open Food Facts product data remains © its contributors; crowdsourced entries are treated as estimates, not lab-verified values.
Last updated 2026-06-14 · trophē — Precision Nutrition Coaching