Legal

Data Processing Agreement

Last updated: May 2026

This Data Processing Agreement (“DPA”) supplements our Privacy Policy and describes in detail how Flura processes personal data, the sub-processors we engage, and the safeguards we apply. It is intended to satisfy the requirements of Article 28 of the GDPR.

1. Roles and Responsibilities

Under data protection law, “data controller” refers to the party that determines the purposes and means of processing personal data. “Data processor” refers to the party that processes data on behalf of the controller.

You (the User)

Data Controller for your personal health data. You decide what data to enter, how to use reports, and with whom to share them (e.g., your doctor). You have full rights over your data as described in our Privacy Policy.

Flura

Data Processor for your health data. We process your data only to provide the Service you have requested, strictly in accordance with your instructions and this DPA.

Where Flura processes data for its own legitimate business purposes (such as aggregate analytics and fraud prevention), Flura acts as an independent data controller for that limited processing.

2. Data Categories Processed

Flura processes the following categories of personal data on your behalf:

Health and symptom data

Symptom names, severity scores, duration, timing, and free-text notes you enter.

Special category (Article 9 GDPR)

Medication data

Medication names, dosages, schedules, and adherence logs.

Special category (Article 9 GDPR)

Wellness data

Sleep ratings, energy levels, mood scores, menstrual cycle data.

Special category (Article 9 GDPR)

Account data

Email address, display name, language preference, account settings.

Standard personal data

Device and technical data

Device type, OS version, app version, anonymous crash reports.

Standard personal data

Special category data (health data) is processed on the basis of your explicit consent (Article 9(2)(a) GDPR), which you provide when creating an account and agreeing to our Terms of Service.

3. Sub-Processors

We engage the following sub-processors to help deliver the Service. We have executed appropriate data processing agreements with each sub-processor and regularly review their security and compliance posture.

Supabase, Inc.

Privacy Policy

Location: European Union (AWS EU-West-1, Ireland)

Purpose: Database, authentication, and file storage

Data processed: Account data, health logs, symptom records, medication data

Anthropic, PBC

Privacy Policy

Location: United States (SCCs in place)

Purpose: AI-powered symptom pattern analysis

Data processed: Anonymized and pseudonymized health symptom data submitted for analysis

Amplitude, Inc.

Privacy Policy

Location: European Union (EU data residency enabled)

Purpose: Product analytics and feature usage tracking

Data processed: Pseudonymous usage events; no health data or directly identifiable information

RevenueCat, Inc.

Privacy Policy

Location: United States (SCCs in place)

Purpose: Subscription and in-app purchase management

Data processed: Account identifiers, subscription status, purchase receipts

Functional Software, Inc. (Sentry)

Privacy Policy

Location: European Union (Frankfurt, DE — EU data residency)

Purpose: Error monitoring and crash reporting

Data processed: User ID, email, crash reports, performance traces. Automatically deleted on account deletion via GDPR API.

UXCam, Inc.

Privacy Policy

Location: European Union (data processed in EU)

Purpose: Session replay and UX analytics

Data processed: Pseudonymous session recordings, user identity (UUID). Sensitive screens excluded. Automatically deleted on account deletion via GDPR API.

Google LLC (Firebase)

Privacy Policy

Location: European Union (hosting); United States (SCCs in place for other services)

Purpose: Push notification delivery and website hosting

Data processed: FCM tokens, anonymized crash reports; no health data

We will notify you at least 30 days in advance of any changes to this sub-processor list that may affect your data. You may object to a new sub-processor by contacting [email protected].

4. Security Measures

Flura implements the following technical and organizational measures (TOMs) to protect your data:

Encryption at rest

All data stored in Supabase is encrypted using AES-256.

Encryption in transit

All communications between the app and our servers use TLS 1.2 or higher.

Access controls

Row-level security in the database ensures users can only access their own data. Staff access is role-based and logged.

Audit logging

All access to production systems and sensitive data is logged and retained for 90 days.

Least privilege

Employees and systems are granted only the minimum permissions required for their function.

Security reviews

Regular security reviews and dependency audits are performed before each release.

5. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Flura will:

  • Notify the relevant supervisory authority (lead data protection authority) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR.
  • Notify affected users without undue delay when the breach is likely to result in a high risk to their rights, in accordance with Article 34 GDPR.
  • Maintain a record of all data breaches, including those that do not require notification, per Article 33(5) GDPR.

6. Cross-Border Data Transfers

We prioritize EU data residency. Your core data is stored in the European Union (Supabase EU-West-1, Ireland). Analytics data is processed in the EU (Amplitude EU data residency). Some sub-processors (Anthropic, RevenueCat) are based in the United States. Transfers to these providers are protected by:

  • Standard Contractual Clauses (SCCs) — European Commission-approved model clauses, updated to the 2021 version, are in place with all US-based sub-processors.
  • Transfer Impact Assessments — We have conducted TIAs for each US-based sub-processor to assess the risk of government access to data and confirm that SCCs provide adequate protection in practice.
  • Data minimization — Only pseudonymized or anonymized data is sent to US-based processors. No raw health data leaves the EU.

7. Data Retention and Deletion

We process your data for as long as your account is active. When a user requests account deletion, a 30-day grace period begins during which the account is deactivated but data is preserved. If the user signs back in within this window, the deletion is cancelled and the account is fully restored.

After 30 days, all personal data is permanently deleted from all our systems. GDPR deletion requests are automatically submitted to relevant sub-processors (including Amplitude) at the time deletion is scheduled. A cryptographic hash of the user's email address is retained in a suppression table for abuse prevention; this hash cannot be reversed to recover the original email.

You may request deletion of your data at any time via Profile › Delete Account in the app, or by emailing [email protected].

8. Contact

For questions about this DPA, data processing activities, or to exercise your rights as a data subject, please contact our data team at: [email protected]