Love at first Figma file: how we built documentation for the perfect client
This case study tells the story of AskBefore, a startup that proved “Privacy by Design” is more than a line in a policy document. With unusually thorough preparation on the client side, a complex compliance engagement turned into a genuinely enjoyable partnership and delivered top-tier documentation on a startup budget.
The request
Most of the privacy decisions had already been made during product development. Our role was to produce a complete set of required privacy documents on a limited budget.
What we did
We brought in graduates of our Privacy Lab internship, produced everything the project needed, and quickly grew attached to a product where privacy is a core value, not just a buzzword.
Lead consultant
Nastassia Parkhimovich, CIPP/E, Senior Consultant.
How the project started
AskBefore is a small startup founded by Natalia, a remarkably conscientious CEO. The product operates in one of the most sensitive spaces: intimate health. The service helps people find and choose clinics and test locations for STI screening based on the criteria that matter most to them, such as price, location, and collection methods. It also enables people to share results with a partner in an ethical way, while protecting sensitive health-related personal data.
Natalia’s request was clear and highly professional. As a founder with a strong technical background, Natalia had mapped the product’s mechanics down to the smallest detail. What the company lacked was documentation. Natalia understood that the legal side was not their area of expertise, so they needed experienced consultants to translate existing processes into formal, regulator-ready documents.
“I studied the rules around digital health products, looked at how others do it, and gathered every source I could find. Still, I felt I was missing something. I knew there could be risks in such a medical product, especially one dealing with sensitive personal data, that I might overlook simply because I didn’t have the experience. This wasn’t my first product. Before that, I launched an education platform, which is a completely different level of personal data processing. Before launch, when the product was already built, I needed someone with relevant experience to review it and validate it. I wanted to cover blind spots, get answers to the questions I still had, and produce documentation, both internal and external, so I could be confident about whether we were truly ready.”
The budget, however, was strictly capped by startup limits, which is extremely tight for a full compliance project in such a complex domain as medical data. Even so, the founder’s thoughtful approach to product design, along with our own enthusiasm for challenging work, made it possible.
Why this was a consultant’s dream project
The challenge, and the beauty, of this project was the type of data involved. Medical test results are not just personal data; they are sensitive information. In privacy consulting, we usually see two kinds of clients. Some come with a blank slate and, mid-project, additional systems and hidden processes suddenly surface. Others are advanced teams with an internal DPO who is overloaded, so they outsource a specific deliverable like a DPIA. AskBefore was a rare third case.
At the very first meeting, our consultant, Nastassia Parkhimovich, and our project manager, Anton Poddubitsky, were genuinely stunned. Instead of giving high-level explanations, Natalia opened a Figma file. It was not a design mockup. It was a detailed data-flow map of the entire product: every screen, every user action, and arrows leading to the relevant databases. It showed exactly which data went where, what infrastructure was used, and where those databases were located. Step by step, Natalia had built in safeguards and made Privacy by Design real at a deep, technical level long before a lawyer joined the project.
“We’re just launching. You can call us a startup. Our goal wasn’t simply to ship, but to ensure privacy by design from day one. Not ‘build first, retrofit compliance later,’ but the opposite: build with the requirements in mind. We needed to start working with clinics and labs, form our first partnerships, and earn trust that we wouldn’t let brands or users down.”
That level of preparation made our team’s eyes light up.
“This was the only time in my practice when a client came in that prepared,” says Nastassia.
Why does it matter?
In many projects, building a processing inventory starts as a puzzle of scattered fragments. Teams may have multiple versions of the same document (“Updated,” “Revised,” “Final”), and they don’t always match. The consultant’s job becomes part detective work: reconcile inconsistencies, confirm details, and turn chaos into a coherent system so the project can move forward predictably.
AskBefore, by contrast, brought in exceptionally clean inputs from the start.
That meant we were able to deliver value in the first call, which helped Natalia see the advantage of working with our team:
“It wasn’t just a meet-and-greet. We immediately got questions about the product architecture, data flows, and how different roles interact. I wasn’t alone on that call; my team was there too, including developers. Afterward, they said something I loved: ‘These people know what to ask.’ Trust formed right away, both for me and for the team.”
For the client, this level of readiness translated into major savings. In a typical engagement, we budget hours for multiple interviews across marketing, engineering, HR, and product just to collect baseline information. With AskBefore, we needed one clarification call instead of the usual five. Response time was just as impressive: answers arrived the same day or the next morning. As a result, we wrapped the project in under two months.
For us, this project was a labour of love. Because the founder’s privacy values aligned so closely with ours, we invested far beyond the initial budget. Working with a client like this isn’t about polishing something rough; it’s about building complex legal constructs on top of a well-designed foundation. The shared energy created a warm, supportive working atmosphere, which Natalia also noted:
“It felt like the consultant was part of the team. The understanding wasn’t surface-level; it went straight to the core. It didn’t feel like ‘here are your docs, project closed.’ It felt like a person we could keep working with. The involvement was genuine and human, and it was comfortable to communicate with someone whose intentions were clearly good.”
Don’t have a perfect Figma file with every data flow mapped out yet?
If you’re ready for a professional audit of your privacy program or want to build compliance from scratch, we can help. Perfect order is nice, but it’s not a prerequisite. We’re good at turning messy inputs into a system that makes sense.
How we packaged all that beauty
To deliver premium-level documentation on a startup budget, we ran an experiment: we involved participants from our Privacy Lab program. It was a win-win: the startup got a highly motivated research team, and the Lab participants gained experience on a real, deeply thought-through case under senior supervision.
Nastassia Parkhimovich acted as the supervisor, ensuring the final deliverables met our highest quality standards.
The project included participants who later became consultants with us: Sarika Malhorta, Natalia Bale, Nanda Min Htin, Harshini Naidu.
We managed the work in a dedicated Notion space, with meeting notes, tasks, and deadlines all in one place.
In the end, we delivered a full documentation package, and some of the internal documents came as a pleasant surprise to the CEO:
“I’m especially happy about the internal documentation. I didn’t even know some of it should exist. With external policies, you can look at other products and understand what a privacy policy is and how it’s used. But internal documents like RoPA and LIA (Register of Processing Activities; Legitimate Interest Assessment) were completely new to me. That’s probably one of the biggest insights and most valuable artifacts, because I wouldn’t have created those documents on my own, and I wouldn’t have known how to use them going forward.”
One of the project’s centrepieces was the DPIA (Data Protection Impact Assessment): a substantial analytical document, often 15+ pages, that lays out privacy risks in detail and defines mitigation measures. For a product processing health data, a DPIA is both critical and, in many contexts, mandatory.
We also translated that perfect Figma diagram into the language of legal obligations. In other words, we documented the processes in a way the company can confidently show to any regulator as evidence of good-faith compliance.
Privacy Lab participants delivered outstanding work throughout. Their persistence made the final results something both the client and our team were proud of.
As the lead consultant, Nastassia also helped Natalia’s team refine how personal data was handled inside the product:
“I liked the way Nastassia watched how we collected data. They suggested options for collecting less, while still meeting user needs and supporting business processes. Those insights helped us identify places where we could reduce data collection without losing quality. We took that on board and improved the product as we went.”
Outcome
AskBefore’s story shows how a founder’s responsibility and structured thinking can translate into real financial value. By embedding Privacy by Design during development and arriving with a clear visual map of data flows, the project ran smoothly and quickly. We were able to mobilise Privacy Lab resources, deliver expert-level documentation, and lay a solid foundation for future scaling.
Tips if you want the same result:
1) Map your data flows early. Use Figma, Miro, or pen and paper. What matters is understanding where data comes from, where it lives (cloud or on-prem), and where it goes.
2) Get version control under control. Fewer contradictions mean less wasted time and money.
3) Don’t shy away from sensitive domains. If your product handles sensitive data, strong compliance is both your best competitive advantage and your best insurance policy.
We can help you build the same kind of privacy foundation
Book a free consultation with our consultant to assess your current privacy program and get a clear, actionable list of next steps.