Record of Processing Activities (RoPA)
Maintained under GDPR Art. 30. This is the public-facing summary; the full controller-side register is available to regulators on request from dpo@onwardsupwards.app. Last reviewed: 23 May 2026.
| Activity | Purpose | Lawful basis | Data subjects | Categories | Recipients | Transfers | Retention |
|---|---|---|---|---|---|---|---|
| Account creation & authentication | Provide the service; secure sign-in; password reset; MFA | Contract (Art. 6(1)(b)); legal obligation for security logs | Registered users | Email, display name, password hash, year of birth, IP, device, session tokens, MFA factors | Supabase (hosting & auth) | EU; SCCs/UK IDTA where any sub-processor is outside EU/UK | Lifetime of account; 30 days in prod, 90 days in encrypted backups after deletion |
| Journaling (Shadow / Reflection / Intentions) | Store the user's own reflections so they can review them | Contract (Art. 6(1)(b)) + Explicit consent for special-category data (Art. 9(2)(a)) | Registered users | Free-text journal entries, tags, intensity ratings — may reveal mental-health information | Supabase (storage). End-to-end envelope-encrypted (AES-256-GCM) at rest. | EU | Lifetime of account; self-serve permanent deletion |
| Insights aggregation | Show the user patterns across their own entries | Consent (Art. 6(1)(a)) — opt-out at any time in Settings | Registered users | Derived counts and averages from the user's own journal | None (computed in-browser) | None | Re-computed on demand; no separate store |
| Transactional & reminder email | Deliver reminders, verification, password reset, unsubscribe | Contract (Art. 6(1)(b)); user-set preference for reminders | Registered users | Email address, reminder preferences, unsubscribe tokens, suppression list | Resend (email delivery) | US — SCCs in place | Send log: 12 months; suppression list: indefinite to honour opt-out |
| Security & abuse logs | Detect & investigate security incidents, rate-limit abuse | Legitimate interest (Art. 6(1)(f)) — securing the service | All visitors | IP address, user agent, request metadata, audit events | Supabase, Cloudflare | EU/US — SCCs | Up to 12 months |
| Marketing communications (optional) | Send product updates only to users who opted in | Consent (Art. 6(1)(a)) — withdrawable in Settings / unsubscribe link | Opted-in users | Email, opt-in timestamp, opt-out timestamp | Resend | US — SCCs | Until withdrawn; opt-out records kept to honour suppression |