
Last updated: 2026-05-16

EU / UK Jurisdiction Annex

This document is a bolt-on annex to the main Gila Privacy Policy. It applies in addition to (not in place of) the main policy and gives EU/EEA and UK users the jurisdiction-specific disclosures required by the GDPR, the UK GDPR, the Data Protection Act 2018, and member-state supplementary legislation.

For Turkish-residing users see ./turkey.md (KVKK is the controller's domicile regime and applies in parallel). For Swiss-residing users see ./switzerland.md. For under-age questions see ../child-safety-notice.md.


1. Who is in charge of your data and how to reach us

1.1 The data controller

| Role | Identity |
| --- | --- |
| Data controller | Sezen Soykut, natural-person sole-trader registered in Türkiye (şahıs şirketi) |
| Trade name | Gila |
| Registered office address | Disclosed on request via dpo@gila.coach; on file with the Turkish tax authority |
| General contact | hello@gila.coach |
| Data Protection Officer | Sezen Soykut, designated internally. Mailbox: dpo@gila.coach. The DPO has been formally designated under GDPR Art 37(1)(c) because the core processing activities involve special-category health data on a regular and systematic basis. |

1.2 EU Representative (GDPR Art 27)

Because the controller is established outside the EU/EEA but offers services to EU residents through the App Store, Google Play, and the gila.coach website, the controller is in the process of appointing an EU representative under GDPR Art 27.

We are appointing an Article 27 EU representative. In the interim, contact our Data Protection Officer at dpo@gila.coach for any matter that would normally route through an EU representative. We will update this notice as soon as the representative is in place.

The EU representative, when appointed, will operate under a written mandate per Art 27(4) and act as a point of contact only; the substantive controller obligations remain with the controller. Choosing to contact the EU representative does not waive any right to contact the controller directly or any supervisory authority directly.

1.3 UK Representative (UK GDPR Art 27)

The Brexit transition has made the UK GDPR a separate regime. Because the controller is established outside the UK but offers services to UK residents, the controller is in the process of appointing a UK representative under UK GDPR Art 27.

We are appointing an Article 27 UK representative. In the interim, contact our Data Protection Officer at dpo@gila.coach for any matter that would normally route through a UK representative. We will update this notice as soon as the representative is in place.


2. What we process, why, and on what legal basis

The complete inventory of processing activities is documented internally in our Record of Processing Activities (RoPA) per GDPR Art 30, available on request to supervisory authorities. The summary below maps each processing activity to its Art 6 lawful basis and, where applicable, its Art 9 condition for processing special-category data.

| Processing activity | Categories of data | Art 6 lawful basis | Art 9 condition (special category) |
| --- | --- | --- | --- |
| Account creation and authentication | Email, name, OAuth identifier, password hash, device push token | Art 6(1)(b) — contract | n/a |
| Onboarding profile (medication, goals, lifestyle) | Health metrics, GLP-1 medication, dose, dietary preferences, mood baseline | Art 6(1)(b) contract + Art 6(1)(a) consent for optional fields | Art 9(2)(a) — explicit consent collected at the LegalConsentGate step |
| Weight, body-measurement, and HealthKit / Health Connect sync | Weight kg, steps, sleep, heart rate, active minutes | Art 6(1)(b) contract + Art 6(1)(a) consent for HealthKit / Health Connect read | Art 9(2)(a) explicit consent |
| Medication tracking (shots, doses, injection zones, side-effects) | Drug name, dose, injection site, pain level, side-effect description and severity | Art 6(1)(b) contract | Art 9(2)(a) explicit consent |
| Mood and journal entries | Mood label, free-text description, timestamps | Art 6(1)(b) contract | Art 9(2)(a) explicit consent |
| Habit tracking and community habit submissions | Habit title, description, completion logs, optional progress photos | Art 6(1)(b) contract; Art 6(1)(a) consent for community submission | Art 9(2)(a) explicit consent if a submission incidentally contains health data |
| AI food vision (Google Gemini primary; Anthropic Claude + OpenAI A/B opt-in; FatSecret + Perplexity research) | Meal photo, food name, calorie and macro estimates | Art 6(1)(b) contract + Art 6(1)(a) consent for AI features | Art 9(2)(a) explicit consent |
| AI coaching + Habit Lab (suggestions, narratives, weekly briefing, onboarding "wow moment", health analysis, journal embeddings, community-submission review, Habit Lab playground) — Google Gemini (primary, 12+ features); Anthropic Claude (Habit Lab user-facing + QA judge); Perplexity (source grounding for habit-signal agent) | Curated context snapshot of profile, recent activity, mood, weight, medication adherence | Art 6(1)(a) consent for AI features (provider-agnostic) | Art 9(2)(a) explicit consent |
| Push notifications (Firebase FCM) | Device push token, locale, OS platform | Art 6(1)(a) consent | n/a |
| Transactional email (welcome, deletion verification, password reset, milestone) | Email address, name, template variables | Art 6(1)(b) contract + Art 6(1)(c) legal obligation (deletion verification) | n/a |
| Marketing email and newsletter (Resend marketing + Beehiiv) | Email, first name, signup source, UTM | Art 6(1)(a) consent — explicit opt-in with one-click unsubscribe in every send | n/a |
| Product analytics (PostHog, mobile app only — not loaded on the landing site) | Pseudonymous user ID, screen names, event names, feature-flag exposure | Art 6(1)(a) consent in EEA / UK / CH; Art 6(1)(f) legitimate interest elsewhere | n/a (Art 9 fields denylisted at the SDK boundary) |
| Error tracking (Sentry) | Pseudonymous user ID, stack trace, breadcrumbs (PII-scrubbed) | Art 6(1)(f) legitimate interest — Legitimate Interests Assessment on file | n/a |
| Web analytics (GA4 + Vercel Analytics) | Pseudonymous client ID, page views, referrers, anonymised IP-derived country | Art 6(1)(a) consent in EEA; Art 6(1)(f) elsewhere | n/a |
| Bot protection (Cloudflare Turnstile) on public forms | Browser challenge token, transient request signals | Art 6(1)(f) legitimate interest | n/a |
| Subscription management (RevenueCat — active when paywall is enabled) | Hashed app_user_id, subscription state, store transaction IDs | Art 6(1)(b) contract + Art 6(1)(c) legal obligation for tax-record retention | n/a |
| Account deletion and DSAR fulfilment | Email, identity-verification result, request metadata | Art 6(1)(c) legal obligation (Arts 15-22) + Art 6(1)(b) contract | Art 9(2)(f) for retention of audit log proving rights were honoured |
| Backups and disaster recovery | All Tier 1-6 fields at snapshot time | Art 6(1)(f) legitimate interest + Art 6(1)(c) legal obligation under Art 32 | Art 9(2)(a) flow-through from source activity |

Where the lawful basis for a processing activity is legitimate interests (Art 6(1)(f)), we have performed a Legitimate Interests Assessment (LIA) balancing the controller's interest against the data subject's rights and freedoms. The LIAs are available on request to the data subject; they cover, in summary: purpose, necessity, balancing test, and the mitigations (pseudonymisation, scrubbing, retention limits, opt-out availability) that bring the balance in the controller's favour.

Where the basis is consent (Art 6(1)(a)), the consent meets the Art 4(11) standard — freely given, specific, informed, unambiguous, by clear affirmative action. We never use pre-ticked checkboxes, silence, or inactivity as consent. Consent is collected through the LegalConsentGate onboarding step (for in-app features) and through the cookie banner and signup forms (for the website). A consent receipt is persisted in public.consent_log with the policy version, accepted categories, timestamp, locale, and source. You may withdraw consent at any time as easily as you gave it — through the in-app Settings, the website Preference Center, or by emailing dpo@gila.coach. Withdrawal does not affect the lawfulness of processing carried out before withdrawal (Art 7(3)).


3. International transfers

The Gila production database is hosted by Supabase Inc. in the AWS us-east-2 region (Ohio, United States). Several other processors — Google (Gemini, Firebase, GA4), Anthropic (Claude), OpenAI (conditional, food-vision A/B opt-in only), Perplexity, FatSecret, Resend, Beehiiv, PostHog, Sentry, RevenueCat, Vercel, Cloudflare — are also US-domiciled or process data through US infrastructure. This means that personal data of EU/EEA and UK users is transferred to the United States.

3.1 Transfer mechanisms

For each US-bound transfer we rely on one or more of the following GDPR Chapter V mechanisms:

  1. Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor) for every processor relationship. The UK equivalent is the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, depending on the processor's preferred form.
  2. EU-US Data Privacy Framework (DPF) — where the processor is DPF-certified, the DPF acts as a defence-in-depth layer alongside the SCCs. DPF-certified Gila processors include Google LLC (Firebase, Gemini, GA4), Anthropic PBC (Claude), Cloudflare Inc., and Vercel Inc. [VARIABLE — verify certification at https://www.dataprivacyframework.gov/list before each publish cycle]. Where certification is no longer in force, we fall back to SCCs.
  3. Supplementary measures — we apply technical and organisational measures described in our Transfer Impact Assessment (TIA) at tia-supabase-us.md. These include: TLS 1.3 in transit; AES-256 encryption at rest (AWS RDS managed); row-level security in PostgreSQL scoped to auth.uid(); data-minimisation in every AI prompt (curated context snapshot, never the full user record); "no training" contractual flag on Google Gemini; FatSecret OAuth1 requests carrying no user identifier; Perplexity queries stripped of user identifier; sole-operator access governed by documented red-lines.
  4. Article 49 derogations — we do not rely on Art 49 as a primary basis for routine transfers. We may invoke Art 49(1)(a) (explicit consent of the data subject) as a backup for specific narrow flows if both SCCs and DPF become unavailable for a particular processor.

3.2 What we did to assess the US transfer risk

In line with the Court of Justice of the EU's judgment in Schrems II (C-311/18, 16 July 2020) and the EDPB Recommendations 01/2020 (six-step methodology), we have performed a Transfer Impact Assessment that evaluates the US legal regime against the four European Essential Guarantees (EDPB Recommendations 02/2020). The TIA covers FISA § 702, Executive Order 12333, the CLOUD Act, and National Security Letters; assesses each individual processor's risk profile; and concludes that with the supplementary measures we have in place, the present transfers are acceptable. A copy of the TIA is available to data subjects on request and to supervisory authorities as Art 30 evidence.

3.3 Cross-border concerns and your rights

Even with these safeguards, you should be aware that:

  • US authorities may, in principle, compel a US-domiciled processor to disclose personal data under FISA § 702 or the CLOUD Act, including under a gag order that prevents the processor from notifying the controller.
  • The EU-US Data Privacy Framework remains subject to legal challenge (the Schrems III case before the CJEU's General Court).
  • You may exercise your right to object to the transfer under Art 21 GDPR, in which case we will discuss with you whether the service can be provided without the transfer; in most cases this would mean we cannot continue to offer the service since US-domiciled processors are integral to the architecture.

4. Your rights

If you are resident in the EU/EEA or the UK, you have the following rights under the GDPR / UK GDPR. To exercise any of them, use the self-service form at gila.coach/dsar, email dpo@gila.coach, or contact the EU/UK representative listed in § 1. We will respond within one month of receipt (Art 12(3) and (4)), extendable by two further months for complex or numerous requests, in which case we will inform you of the extension and the reasons within the first month.

| Right (Article) | What it means in plain English |
| --- | --- |
| Art 13-14 — Information | Be informed about how we process your data — this notice and the main Privacy Policy fulfil that right. |
| Art 15 — Access | Obtain a copy of the personal data we hold about you, along with the supplementary information required by Art 15. The export bundle is delivered as a signed URL valid for 24 hours. |
| Art 16 — Rectification | Have inaccurate data corrected and incomplete data completed. Most fields can be self-edited in the app Settings or website Preference Center; for fields that cannot, email dpo@gila.coach. |
| Art 17 — Erasure (right to be forgotten) | Have your data deleted in the cases listed in Art 17. The in-app and web Delete-Account flow is the operational implementation of this right. Deletion cascades to downstream processors (Beehiiv, Firebase, RevenueCat); backups roll off within 30 days. |
| Art 18 — Restriction | Restrict processing in the cases listed in Art 18 (accuracy contested, processing unlawful, no longer needed but you require it for legal claims, objection pending). |
| Art 19 — Notification of rectification, erasure, or restriction | We notify each recipient of the data unless this is impossible or involves disproportionate effort. |
| Art 20 — Portability | Receive the data you provided to us in a structured, commonly used, machine-readable format (JSON), and transmit it to another controller. Our Art 15 export bundle satisfies this right in JSON form. |
| Art 21 — Objection | Object to processing based on legitimate interests or for direct marketing. For direct marketing the objection is absolute — we honour it immediately and add your email to a permanent suppression list (the suppression list itself is retained under Art 6(1)(c) legal obligation to prove we honoured your opt-out). |
| Art 22 — Automated decision-making | Not be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. See § 6 below for our position on Art 22. |
| Art 7(3) — Withdraw consent | Withdraw any consent at any time, as easily as you gave it. |
| Art 77 — Lodge a complaint | Lodge a complaint with your member-state Data Protection Authority. See § 4.2 below for contacts. |

4.1 What we will ask before fulfilling a rights request

To prevent fraudulent requests, we may ask you to verify your identity. Our default method is a verification email sent to the address on the account, combined with a Cloudflare Turnstile challenge on the intake form. If we cannot verify your identity with reasonable certainty, we may ask for additional proof; if even with reasonable verification we cannot identify you, we may refuse to act on the request and tell you why (Art 11 and Art 12(6)).

4.2 Supervisory authority contacts

You may lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement. The supervisory authority for the controller's EU representative will be the supervisory authority of the EU representative's member state of establishment, which acts as the lead supervisory authority for cross-border processing under the "one-stop-shop" mechanism of Art 56 GDPR. We will [VARIABLE — confirm lead supervisory authority once EU representative is appointed].

Common EU/EEA and UK supervisory authorities for Gila's user base:

| Authority | Country | Website |
| --- | --- | --- |
| Agencia Española de Protección de Datos (AEPD) | Spain | aepd.es |
| Commission Nationale de l'Informatique et des Libertés (CNIL) | France | cnil.fr |
| Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) | Germany — federal | bfdi.bund.de |
| Data Protection Commission (DPC) | Ireland | dataprotection.ie |
| Garante per la protezione dei dati personali | Italy | garanteprivacy.it |
| Autoriteit Persoonsgegevens (AP) | Netherlands | autoriteitpersoonsgegevens.nl |
| Datatilsynet | Norway | datatilsynet.no |
| Datainspektionen / IMY | Sweden | imy.se |
| Comissão Nacional de Proteção de Dados (CNPD) | Portugal | cnpd.pt |
| Information Commissioner's Office (ICO) | United Kingdom | ico.org.uk |
| Gibraltar Regulatory Authority | Gibraltar | gra.gi |

5. Children — EU/EEA and UK

Gila is for adults aged 16 and over. We do not knowingly process the personal data of users below the local digital-consent age (which ranges from 13 to 16 across EU/EEA member states; see ../child-safety-notice.md § 5 for the per-member-state table).

The UK Information Commissioner's Office Age-Appropriate Design Code applies to "online services likely to be accessed by children" for users under 18. Although Gila is not directed at children, if our signals indicate a UK user may be under 18 we apply default-high-privacy settings (analytics off, marketing suppressed, AI features disabled) until the situation is resolved — see ../child-safety-notice.md § 6.

For the procedure that applies when an under-age user is discovered, see ../child-safety-notice.md § 3 (suspend within one business day, delete within seven days, notify the email on file, refund any active subscription as a goodwill measure).


6. Automated decision-making and profiling (Art 22)

GDPR Art 22(1) gives you the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects on you.

Gila uses automated processing — Google Gemini (primary provider) for food vision, coaching, narrative reports, habit suggestions, activity-goal AI, nutrition-goal AI, weekly briefing, health analysis, journal embeddings, community-submission safety review; Anthropic Claude for the Habit Lab playground and an A/B opt-in path inside food vision; OpenAI as an opt-in A/B path in food vision (default off); Perplexity for grounded research; PostHog for feature-flag exposure — but no Art-22-solely-automated decision is made about you. AI outputs are presented as suggestions that you can accept, ignore, or override. You always remain in the loop: a recommended habit is a suggestion you decide whether to adopt; a recommended calorie estimate is editable in the food-logging UI; a narrative report is information to read, not a verdict to comply with; the Habit Lab is a conversational playground that suggests, never imposes.

We therefore consider Gila's AI processing to be the provision of suggestions you can accept, edit, or ignore, not solely automated decision-making within the meaning of Art 22. We nevertheless provide the following safeguards, which Art 22(3) would require if that analysis changed:

  • We tell you upfront that you are interacting with AI (transparency, EU AI Act Art 50).
  • We name the underlying providers (Google Gemini as primary; Anthropic Claude for Habit Lab + QA evaluation + food-vision A/B opt-in; OpenAI for food-vision A/B opt-in only; Perplexity for source-grounded research).
  • We collect explicit consent for AI features as a granular category in the LegalConsentGate. The consent is provider-agnostic — a single AI-features toggle covers all four providers.
  • You can withdraw AI-features consent at any time; doing so disables the AI-coaching activities prospectively without breaking core service.
  • You can request human review by emailing dpo@gila.coach, although note that "human review" in a sole-operator company means review by the controller; we will perform that review honestly and document the outcome.

For users under 18 in the UK, we additionally honour the Age-Appropriate Design Code's expectation that profiling should be off by default. See ../child-safety-notice.md § 6.


7. EU AI Act Art 50 transparency

The EU AI Act (Regulation (EU) 2024/1689) imposes transparency obligations on providers and deployers of certain AI systems. Although Gila is a deployer (not a provider) of the underlying Gemini, Claude, OpenAI, and Perplexity models, we voluntarily extend Art 50 transparency to all of our AI features:

  • You are informed that you are interacting with an AI system wherever an AI feature surfaces an output. The food-vision result screen, the AI-coaching response card, the Habit Lab playground, the onboarding "AI moment" screen, and the narrative-report screen all carry an AI-disclosure micro-copy and the provider name.
  • Synthetic content generated by AI (e.g., a narrative report text, an AI-suggested habit description, a Habit Lab refinement) is identified as such in the UI.
  • Multi-provider routing is disclosed: where Gila has more than one production provider for a feature (food vision; Habit Lab), the responsible provider is named in the UI panel, and the per-feature mapping is published in the Subprocessor List.
  • Emotion-recognition systems are not used (we collect mood as self-reported data, not by AI inference).
  • Biometric categorisation systems are not used for inferring sensitive characteristics.

Where the underlying model providers update their own Art 50 disclosures, we will mirror the update at the point of UI surfacing.


8. Direct marketing — your absolute right to object

GDPR Art 21(2) and (3) give you an absolute right to object to direct marketing — including profiling done for direct marketing purposes. You do not need to give a reason. You can object:

  • By clicking the one-click unsubscribe link in any marketing email we send you;
  • By toggling the marketing-emails switch in the app Settings or the website Preference Center;
  • By emailing dpo@gila.coach with subject "stop marketing".

We honour the objection immediately. Within one business day we suppress your address from all marketing channels (Resend marketing, Beehiiv) and add the address to a permanent suppression list. The suppression list is retained under Art 6(1)(c) legal obligation to prove we honoured your opt-out; the suppression list itself is not used for any marketing.

We have committed in our internal decision log (decision #12) to flip the default value of the marketing_emails flag from true to false for the EU/EEA/UK/CH cohort, so that no EU/EEA/UK/CH user is ever opted-in by default; only explicit affirmative action enables marketing email. The backfill migration is part of Phase 4c of our v1 privacy rollout.

We do not engage in third-party data sales or "sharing" for behavioural advertising under the meaning of the California Consumer Privacy Act; the right to object to marketing is therefore the operative right in your case.


9. Cookies and similar technologies (web)

The gila.coach landing site uses a small set of cookies and similar technologies. We operate our own consent banner (built in-house in Tailwind v4 — see decision-log #7) which honours the ePrivacy Directive Art 5(3) requirement that non-essential storage requires consent.

| Category | Examples | Lawful basis | Default state in EEA / UK / CH |
| --- | --- | --- | --- |
| Essential | Session cookies, CSRF tokens, consent state | Art 6(1)(f) legitimate interest + ePrivacy Art 5(3) exemption for strictly necessary | Always on |
| Analytics | PostHog (web), GA4 (if confirmed live), Vercel Analytics (if confirmed live) | Art 6(1)(a) consent | OFF by default; loaded only after consent |
| Marketing | None at present | Art 6(1)(a) consent | OFF by default |

We honour Global Privacy Control (GPC) signals where transmitted by your browser. We treat GPC as a withdrawal of consent for analytics and marketing categories.

For the mobile app, no cookies are used; equivalent first-party identifiers are governed by the in-app consent collected at the LegalConsentGate.


10. Retention

| Category | Retention | Trigger |
| --- | --- | --- |
| Active-account personal and health data | Indefinite while account active | Account deletion request fulfilled within 30 days; cascade deletes child rows; backups roll off within 30 days |
| Email delivery logs (auth_email_events) | 12 months | Rolling |
| Account-deletion request tokens | 1 hour TTL | Token issuance |
| Consent log records | Indefinite (audit evidence under Art 7(1)) | Never auto-deleted; FK to user nullified on user deletion |
| Anonymised aggregate analytics | Indefinite | No re-identification risk |
| Transactional email content on Resend | ~90 days | Resend defaults |
| PostHog event data | 12 months | PostHog defaults |
| Sentry error events | 90 days | Sentry defaults |
| Newsletter subscriber data on Beehiiv | Until unsubscribe + 30-day audit | Unsubscribe → suppression list (retained for Art 6(1)(c)) |
| Backups | 30 days | Rolling — includes deleted user data within the 30-day tail |

11. Changes to this annex

We will revise this annex when applicable law changes (e.g., a new EU AI Act enforcement step, an ECJ Schrems III ruling, a UK GDPR divergence) or when our processing materially changes. Material changes are notified by email to all account-holders at least 30 days before they take effect, accompanied by an in-app banner and a website-banner notice. The version number, effective date, and changelog are recorded in the YAML frontmatter at the top of this document.


12. Contact

| Channel | Address |
| --- | --- |
| Data Protection Officer | dpo@gila.coach |
| General support | support@gila.coach |
| Self-service rights request | https://gila.coach/[locale]/dsar |
| EU Representative (Art 27) | Being appointed — in the interim, contact dpo@gila.coach |
| UK Representative (Art 27) | Being appointed — in the interim, contact dpo@gila.coach |
| Postal mail | Available on request from the DPO |