"This wasn’t a box-ticking exercise or a formal handover of documents. It was genuine involvement and a deep understanding of what was happening under the hood."
This case study tells the story of AskBefore, a startup that proved “Privacy by Design” is more than a line in a policy document. With unusually thorough preparation on the client side, a complex compliance engagement turned into a genuinely enjoyable partnership and delivered top-tier documentation on a startup budget.
Natalia, CEO of AskBefore
Company: AskBefore
I’m the founder of AskBefore, a service that makes intimate-health care more accessible. We help people find and choose the best locations for STI testing based on factors such as price, convenience, and collection methods. Our product also enables people to share results with partners in a thoughtful and secure way, while providing strong protection for highly sensitive health data.
Choosing to work with professional data protection consultants was a deliberate decision. At first, I tried to figure everything out on my own: I studied the regulatory landscape for digital health, looked at how other market players approach compliance, and gathered information from every source I could find. Still, I couldn’t shake the feeling that it wasn’t enough. In a product as delicate as ours, the stakes are high, and without specialised experience, it’s easy to miss critical details. I had previously built an education platform, but working with health data is a completely different level of responsibility. Before launch, it was essential to have an expert validate the product. I needed to close blind spots, get answers to the questions I still had, and prepare a full set of internal and external documentation so I could go into release with complete confidence.
My choice of DPO Europe was based on a recommendation. I reviewed their case studies carefully, but the deciding factor was our first call. It wasn’t a typical intro meeting. We immediately went deep into the product architecture, data flows, and how roles interact within the system. My engineering team joined the call, and their reaction was the best confirmation I could have asked for. They said, “These people know what they’re talking about.” Trust was established instantly, both for me and for the technical team.
Because we’re an early-stage startup, our goal was not simply to launch, but to implement Privacy by Design. We didn’t want to build first and retrofit compliance later. We wanted privacy built in from the start. Earning trust with clinics and laboratories is critical for us, and we need to demonstrate that we won’t put their brands or users at risk.
Over the course of the project, our consultant, Nastassia Parkhimovich, effectively became part of our team. Their questions pushed me to understand our product at an even deeper level. To give precise answers, I had to dig into the code. I used specialized AI tools to help me navigate the codebase faster and pinpoint the right areas, without creating unnecessary back-and-forth with the developers over every technical detail. As a result, I created a Blueprint Map: a transparent, end-to-end view of every data-processing activity in the product. That became the foundation for our collaboration and the basis for all documentation.
At this stage, the project has met my expectations for 9 out of 10 — and it’s only not a ten because our collaboration isn’t finished yet, so I’ll only be able to form a complete impression once it’s concluded.
One of the biggest insights was data minimisation. Nastassia suggested ways to collect less information while still maintaining high-quality business processes. That improved the product. I also gained confidence that any necessary processing can be legitimised by identifying the appropriate legal basis, but we still prioritised minimisation wherever possible.
Project organisation was excellent. This wasn’t a box-ticking exercise or a formal handover of documents. It was genuine involvement and a deep understanding of what was happening under the hood. The entire team felt a consistently positive, human approach and good-faith intent from the consultants. I would absolutely recommend this kind of collaboration to other startups that want privacy principles built into the foundation of their business.
The process was smooth from start to finish. Deadlines were consistently met, and every next step was crystal clear. Even when questions were complex, they were explained in plain language. It was obvious I was working with high-level professionals, both in communication and in the quality of deliverables.
The internal documentation, in particular, is incredibly valuable to me. I had no idea documents like a RoPA or an LIA even existed. You can somewhat understand an external privacy policy by looking at other services, but these internal artifacts are the kind of expert work I could never have produced on my own. That’s probably the single most important outcome of this engagement.
We’re now continuing to work together on ongoing support around privacy and AI. We’re researching the possibility of implementation of AI to improve the customer experience, for example, customizing certificates and their exchange process, without touching medical data. Given the strict data protection requirements in Europe, and especially in Germany, it’s essential for us to do this safely. We’ve already worked through the legal aspects of these features. I now clearly understand when and how we need to obtain user consent. We also have ready-to-go text inserts for our documentation that we will activate if we will be ready to launch. This forward-looking approach, aligned with our future needs, gives us the flexibility and confidence we need.
Case Studies
Implement responsible practices into business
Fill in the form and get a free consultation.
- Implementation of 7+ legal frameworks.
- Individual and corporate trainings on GDPR, EU AI Act and international standards.
- Development of personal data protection and responsible AI systems within organizations.
- Custom services upon request.
