Record of Processing Activities - GDPR Article 30
Last updated: February 2026
Controller name: Somana
Contact email: info@somanaapp.com
Website: somanaapp.com
Jurisdiction: Ireland / European Union
Nature of service: Therapy-adjacent mental wellness application (not a medical device, not clinical decision-support software)
The following records document each processing activity, as required by GDPR Article 30(1).
Purpose: Create and maintain user accounts; authenticate users; manage preferences
Lawful Basis: Article 6(1)(b) - processing necessary for performance of the service
Data Subjects: Standard users, healthcare professionals
Categories of Personal Data: Name, email address, hashed password, account type, MFA secrets (encrypted)
Recipients: Neon (database hosting)
International Transfers: EU (Neon configured to EU region)
Retention Period: While account is active; permanently deleted on account deletion
Security Measures: bcrypt password hashing, httpOnly JWT cookies, CSRF protection, encrypted MFA secrets

Purpose: Track mood, meditation sessions, breathing exercises, and daily wellness summaries to support mental fitness
Lawful Basis: Article 6(1)(b) - contract performance; Article 9(2)(a) - explicit consent for special category health data
Data Subjects: Standard users
Categories of Personal Data: Mood values, meditation duration/type, breathing exercise records, daily summary scores (special category health data under GDPR Article 9)
Recipients: Neon (database hosting); healthcare professional (if linked by user)
International Transfers: EU (Neon configured to EU region)
Retention Period: While account is active; permanently deleted on account deletion
Security Measures: TLS encryption in transit, access logging, provider access requires explicit user consent via 16-digit linking code

Purpose: Administer validated clinical instruments (PHQ-9, GAD-7, WHO-5) to provide baseline and monthly wellness scores
Lawful Basis: Article 6(1)(b) - contract performance; Article 9(2)(a) - explicit consent for special category health data
Data Subjects: Standard users
Categories of Personal Data: Assessment responses, composite scores, assessment dates (special category health data under GDPR Article 9)
Recipients: Neon (database hosting); healthcare professional (if linked by user)
International Transfers: EU (Neon configured to EU region)
Retention Period: While account is active; permanently deleted on account deletion
Security Measures: TLS encryption, access logging, scores shared with providers only with explicit consent

Purpose: Enable healthcare professionals to view patient wellness metadata to supplement clinical care
Lawful Basis: Article 6(1)(b) - contract performance; Article 9(2)(a) - explicit consent via 16-digit linking code
Data Subjects: Standard users (as patients), healthcare professionals
Categories of Personal Data: Aggregated wellness metadata, mood trends, assessment scores, meditation statistics, early warning alerts; never journal content
Recipients: Healthcare professional (independent data controller)
International Transfers: EU (Neon configured to EU region)
Retention Period: While provider link is active; deleted when user removes link or deletes account
Security Measures: 16-digit linking code consent mechanism, MFA required for healthcare accounts, PHI encryption for clinical notes, structured audit trail designed with reference to HIPAA security standards, permission levels (basic/full)

Purpose: Process subscription payments for premium features
Lawful Basis: Article 6(1)(b) - processing necessary for performance of the service
Data Subjects: Subscribing users
Categories of Personal Data: Payment card details, billing address, transaction history (handled entirely by Stripe - Somana does not store card numbers)
Recipients: Stripe (data processor)
International Transfers: EU/US (subject to Stripe's DPA, DPF certification, and Standard Contractual Clauses)
Retention Period: Per Stripe's retention policy; Somana stores only subscription status and Stripe customer ID
Security Measures: PCI DSS Level 1 compliance (Stripe), no card data touches Somana servers

Purpose: Send password reset links and account-related notifications
Lawful Basis: Article 6(1)(b) - processing necessary for performance of the service
Data Subjects: All users
Categories of Personal Data: Email address, email subject/content (password reset tokens only - no health data)
Recipients: Resend (data processor)
International Transfers: United States (subject to Standard Contractual Clauses)
Retention Period: Per Resend's retention policy; Somana does not store sent email content
Security Measures: TLS encryption, time-limited password reset tokens, no health data transmitted

Purpose: Detect and resolve application errors; monitor performance to ensure service reliability
Lawful Basis: Article 6(1)(f) - legitimate interest in maintaining service reliability and security
Data Subjects: All users (anonymised where possible)
Categories of Personal Data: Error stack traces, browser/device metadata, performance metrics; sensitive fields (passwords, tokens, mood data, journal content) are automatically stripped before transmission
Recipients: Sentry (data processor)
International Transfers: EU (Sentry configured to EU data centre; subject to Standard Contractual Clauses)
Retention Period: 90 days (auto-deleted by Sentry)
Security Measures: Automatic PII redaction, sensitive field stripping, no health data transmitted

Purpose: Protect user accounts and ensure authorised access; maintain audit trail for regulatory compliance
Lawful Basis: Article 6(1)(b) - contract performance; Article 6(1)(f) - legitimate interest in security
Data Subjects: All users
Categories of Personal Data: Login timestamps, IP addresses (truncated and pseudonymised), session tokens, MFA verification records, data access audit logs
Recipients: Neon (database hosting)
International Transfers: EU (Neon configured to EU region)
Retention Period: Session data: while active. Audit logs: 7 years for regulatory compliance
Security Measures: JWT with httpOnly cookies, SameSite cookie policy, CSRF double-submit pattern, TOTP-based MFA, bcrypt hashing, encrypted credentials

Journal content and voice recordings are stored exclusively on the user's device using browser localStorage. This data is never transmitted to Somana's servers, never stored in any database, and is not subject to any of the processing activities listed above. This is enforced architecturally - no server-side database table exists that could store this content.

| Processor | Role | Data Region | Transfer Safeguard |
|---|---|---|---|
| Neon | Database hosting | EU (configured) | EU region; SCCs available |
| Stripe | Payment processing | EU/US | DPF certified; SCCs |
| Replit | Application hosting | United States | SCCs |
| Resend | Email delivery | United States | SCCs |
| Sentry | Error monitoring | EU (configured) | EU region; SCCs available |