Atala PRISM GDPR compliance and data storage

I’m in the planning phase of a startup idea that would use Atala PRISM on Cardano, but there’s something I can’t quite figure out about it. Any clarification on this would be greatly appreciated:

On the Atala PRISM website, it says Atala PRISM is GDPR compliant and all the data associated with the DID is stored securely on the individual’s phone. Yet, later on it says that if the person loses the phone they can restore their DID and all of its data using their Seed Phrase. That seems to imply that the data is stored somewhere other than just the phone, which in turn seems to imply the data must be on the Cardano public blockchain… which of course can’t comply with GDPR/RtbF because it’s immutable.

There must be something I’m missing here?

It’s my understanding that Atala PRISM can be used with any blockchain; both public and private/DLTs. The PRISM account is GDPR/RtbF compliant and separate from Cardano. I’m thinking of it as a wallet almost, Daedalus/Yoroi(ish), and stored on the device. There’s something with the DPKI and possibly a second layer of privacy/verification that enables Atala to stand by the GDPR compliant statement. I’m going to go set up my PRISM account and pull the ToS and can get back to you on what I find.
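The question above turns on one point: how a seed phrase can restore a DID "and all of its data" without that data living on an immutable ledger. The following is an added illustration by the editor, not code from Atala PRISM, IOG or either poster, of the general self-sovereign-identity pattern that makes this possible: the seed phrase deterministically regenerates the DID's key material (BIP39-style seed stretching plus BIP32-like hierarchical derivation), so a new phone rebuilds the same DID from the phrase alone, while the personal data in credentials stays on the device and at most a digest of it is ever anchored. Whether PRISM implements exactly this is not established by the thread; the `did:example` method, the derivation labels, the hash stand-in for a public key, and the `SAMPLE_*` values are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample values for this illustration only: not a real wallet,
# not a checksum-valid BIP39 phrase, and not Atala PRISM's own scheme.
SAMPLE_MNEMONIC = "abandon ability able about above absent absorb abstract absurd abuse access accident"
SAMPLE_CREDENTIAL = {
    "type": "UniversityDegree",
    "holder_name": "Alice Example",   # personal data: stays on the device
    "degree": "BSc Computer Science",
    "issued": "2023-06-01",
}


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39-style seed stretching: PBKDF2-HMAC-SHA512, 2048 rounds,
    salt 'mnemonic' + optional passphrase."""
    return hashlib.pbkdf2_hmac(
        "sha512", mnemonic.encode(), ("mnemonic" + passphrase).encode(), 2048
    )


def derive_private_key(seed: bytes, purpose: str, index: int) -> bytes:
    """Hypothetical, simplified BIP32-like derivation: a master key and chain
    code come from HMAC-SHA512 over the seed, then one child per (purpose,
    index). Same seed and same inputs give the same key on any device."""
    master = hmac.new(b"did-demo-master", seed, hashlib.sha512).digest()
    master_key, chain_code = master[:32], master[32:]
    child_data = master_key + purpose.encode() + index.to_bytes(4, "big")
    return hmac.new(chain_code, child_data, hashlib.sha512).digest()[:32]


def key_identifier(private_key: bytes) -> str:
    """Stand-in for a public key fingerprint. A real system would compute the
    curve public key from the private scalar; a hash keeps this example
    dependency-free while keeping the property that matters here: it is
    reproducible from the private key and says nothing about the holder."""
    return hashlib.sha256(b"pub:" + private_key).hexdigest()


def build_did_document(seed: bytes) -> dict:
    """Regenerate the DID and its whole key set from the seed alone."""
    keys = {
        purpose: key_identifier(derive_private_key(seed, purpose, 0))
        for purpose in ("master", "issuing", "authentication")
    }
    did = "did:example:" + keys["master"][:32]  # hypothetical DID method
    return {"did": did, "keys": keys}


def anchor_payload(did_doc: dict) -> str:
    """What an immutable ledger would see: public key identifiers only."""
    return json.dumps(did_doc, sort_keys=True, separators=(",", ":"))


def credential_digest(credential: dict) -> str:
    """Commit to a credential without publishing it: the holder keeps the
    JSON on the device; only this digest would ever be anchored."""
    canonical = json.dumps(credential, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def recover_on_new_device(mnemonic: str, passphrase: str = "") -> dict:
    """Phone lost: the seed phrase alone rebuilds the identical DID document."""
    return build_did_document(mnemonic_to_seed(mnemonic, passphrase))


def personal_data_leaks(ledger_payload: str, credential: dict) -> bool:
    """Defender's check: does any credential value appear in what is anchored?"""
    return any(str(value) in ledger_payload for value in credential.values())


if __name__ == "__main__":
    original = build_did_document(mnemonic_to_seed(SAMPLE_MNEMONIC))
    recovered = recover_on_new_device(SAMPLE_MNEMONIC)
    print("recovered identical DID:", original == recovered)
    print("on-ledger payload:", anchor_payload(original))
    print("credential digest:", credential_digest(SAMPLE_CREDENTIAL))
    print("personal data on ledger:",
          personal_data_leaks(anchor_payload(original), SAMPLE_CREDENTIAL))
```

The point for the GDPR question is the split the code enforces: everything reproducible from the seed (keys, the DID itself) can be anchored or regenerated freely because it contains no personal data, whereas the credential JSON is the only thing that needs deleting under a right-to-be-forgotten request, and it never left the device; restoring "all of its data" from a seed phrase then only holds for data that is itself derivable from the seed or held in a store the holder controls.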

