DPIA
Data Protection Impact Assessment
PRYSM processes special category health data, performs international data transfers, and uses automated decision-making (AI plan adaptation). This DPIA documents the risks identified and the technical and organizational measures implemented to mitigate them, in accordance with GDPR Article 35.
Publication status
Last updated: March 24, 2026
This page is part of PRYSM's public legal documentation and should be read together with the related legal pages linked in the footer.
Legal obligation
This DPIA is mandatory under GDPR Article 35 because PRYSM processes health data at scale, transfers data internationally, and uses automated profiling to adapt training plans. It is published here in the interest of transparency.
Data controller
Zian Collombier EI — Sole Proprietorship (Micro-Entrepreneur), France. Full legal details. Privacy contact: privacy@prysm.digital.
1. Description of processing
What data is processed?
- Fitness and health data: training sessions, heart rate, pace, perceived effort (RPE), VDOT aerobic capacity estimate, training load (ACWR), fatigue indicators
- Personal data: name, email address, training goals
- Coach interactions: conversation messages, training preferences, injury flags
- Connected platform data: activities imported from Garmin, Strava, COROS, Polar (optional, user-initiated)
Why is it processed?
- To generate personalized adaptive training plans
- To provide AI coaching and adapt plans based on performance, fatigue, and compliance
- To calculate fitness metrics (VDOT, ACWR, compliance score, training load)
Who processes it?
| Role | Entity | Location |
|---|---|---|
| Data controller | Zian Collombier EI (Prysm) | France (EU) |
| Data processor — AI | OpenAI | US (DPA + SCCs in place) |
| Data processor — database | Supabase (AWS eu-central-1) | EU (Frankfurt) |
| Data processor — payments | Stripe | US (DPA built-in) |
| Data processor — hosting | Vercel | EU + US Edge (DPA signed) |
2. Necessity and proportionality
Legal basis
- Explicit consent (Art. 9(2)(a)): for all health data processing — collected at account creation
- Contract execution (Art. 6(1)(b)): for account management and subscription features
Data minimization
- Only fitness-relevant data is collected — no medical records, no clinical data
- Data sent to OpenAI is minimized: aggregated metrics only, no raw GPS, no email, no full name
- Conversation history is truncated to the most recent exchanges before being sent to OpenAI
- Connected platform data is imported only if the user explicitly enables the integration
Storage limitation
- Active accounts: data retained while the account is active
- Deleted accounts: all data immediately deleted via CASCADE database operations — no soft-delete retention
- OpenAI: API data retained maximum 30 days for abuse monitoring, not used for model training
- Billing data: retained as required by French and EU accounting regulations (up to 10 years)
3. Risk assessment
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Unauthorized access to health data | Low | High | Supabase Row Level Security (RLS) on 100% of tables; OAuth tokens encrypted with AES-256-GCM; strict access controls |
| AI hallucination (incorrect training advice) | Medium | Medium | Deterministic engine validates all AI outputs; Safety Guard with Zod schemas; restricted output fields; health disclaimer in Terms |
| Data breach at sub-processor | Low | High | DPAs with all sub-processors; data minimization; encryption in transit (TLS 1.3); no sensitive PII sent to AI |
| International transfer to US (OpenAI, Stripe, Vercel) | — | — | Standard Contractual Clauses (SCCs) in DPAs; data minimization; anonymized identifiers for OpenAI |
| Prompt injection (malicious user input to AI) | Low | Medium | Input sanitization; rate limiting (5 req/min on AI endpoints); guardrails in system prompts; output validation |
| Over-reliance on AI for training decisions | Medium | Medium | Health disclaimer in Terms of Service; no medical advice policy; deterministic engine as safety net; user retains final decision |
4. Measures to mitigate risks
Technical measures
- Row Level Security (RLS) enforced on 100% of database tables — users can only access their own data
- OAuth tokens encrypted at rest with AES-256-GCM
- Rate limiting on AI-powered endpoints (5 requests per minute per user)
- Input sanitization against prompt injection attacks
- Deterministic engine validates all AI-proposed plan adaptations before applying them
- Safety Guard (Zod schema validation) on all LLM outputs — invalid or unsafe outputs are rejected
- Error tracking with Sentry — health data is excluded from error reports
- All data in transit protected by TLS 1.3
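One way to realize the Row Level Security and CASCADE-deletion measures described above (sections 2 and 4) in Supabase Postgres, as an added example that is not PRYSM's own schema; the table and column names are assumed, and `auth.uid()` is Supabase's helper returning the calling user's id:

```sql
-- Added example, not PRYSM's schema: hypothetical table and columns.
-- Every user-facing table references auth.users with ON DELETE CASCADE,
-- so deleting the auth user removes its health data with no soft-delete.
create table public.training_sessions (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null references auth.users (id) on delete cascade,
  started_at  timestamptz not null,
  avg_hr      integer,
  rpe         integer check (rpe between 1 and 10),
  created_at  timestamptz not null default now()
);

-- RLS is off by default: without this statement the policies below
-- are never evaluated and every authenticated user can read every row.
alter table public.training_sessions enable row level security;

-- One policy per command, each scoped to the calling user's own rows.
create policy "own rows: select" on public.training_sessions
  for select to authenticated using (auth.uid() = user_id);
create policy "own rows: insert" on public.training_sessions
  for insert to authenticated with check (auth.uid() = user_id);
create policy "own rows: update" on public.training_sessions
  for update to authenticated
  using (auth.uid() = user_id) with check (auth.uid() = user_id);
create policy "own rows: delete" on public.training_sessions
  for delete to authenticated using (auth.uid() = user_id);

-- Audit query behind the "RLS on 100% of tables" statement: any row
-- returned here is a public table whose rows are not protected.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

The audit query should return no rows; note that Supabase's service role bypasses RLS by design, so server-side code using that key must never be exposed to clients.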
Organizational measures
- Privacy Policy publicly available at prysm.digital/privacy
- Explicit consent collected at signup for health data processing
- Account deletion available at any time from Profile settings
- Data Processing Agreements (DPAs) signed with all sub-processors
- Support contact for data subject requests: privacy@prysm.digital
- This DPIA is published publicly in the interest of transparency
5. Consultation
Data subjects
Users are informed of data processing through the Privacy Policy and explicit consent collected at signup. Users can contact privacy@prysm.digital for any data protection query, to exercise their rights, or to request account deletion.
Supervisory authority
CNIL (Commission Nationale de l'Informatique et des Libertés)
3 Place de Fontenoy, TSA 80715
75334 PARIS CEDEX 07
www.cnil.fr
This DPIA has not required prior consultation with the CNIL, as the residual risks identified are assessed as acceptable given the technical and organizational measures in place.
6. Decision
Based on this assessment, the residual risks are acceptable given the technical and organizational measures documented above. The processing may proceed under the conditions described in this DPIA.
This DPIA will be reviewed whenever there is a significant change to the processing activities, the technologies used, or the risk landscape (e.g., addition of a new AI model, new data category, new sub-processor, or new international transfer).
Data controller: Zian Collombier EI
Last reviewed: March 24, 2026