Azure US Data Zone for AI inference in an EU app
Hi all,
I'm a solo developer building a small calorie/nutrition tracking app for the EU, and I'm trying to figure out my setup from a GDPR perspective.
User data would live in Supabase, hosted in Ireland. That includes things like:
name and account info
age
weight
food logs
nutrition goals
eating habits and preferences
chat messages
meal photos
For the AI chat feature, I'm planning to use Microsoft Azure AI Foundry, with the model deployed in East US under Data Zone Standard. So the flow would look roughly like this:
App -> Supabase Ireland -> Azure Foundry US Data Zone -> Supabase Ireland -> App
A few questions I'm hoping someone can help with:
Is this kind of setup generally OK under GDPR for EU users?
Is Azure US Data Zone plus Microsoft's DPA/DPF enough to cover the transfer?
Should I be treating this data as health data and asking for explicit consent?
Any red flags to this?
I know this isn't legal advice. I just want to sanity-check whether the architecture is reasonable, or whether I'm misunderstanding GDPR entirely.
Thanks!