Sub-processors
Last updated: May 2026
These are the vendors we use to operate Finatha. We update this page when we change vendors and give you 30 days' notice before adding a new sub-processor.
| Vendor | Purpose | Data | Location | Transfer mechanism |
|---|---|---|---|---|
| Supabase | Managed database, authentication, and file storage. | Account, profile, and financial planning data. | United States and European Union. | Standard Contractual Clauses, EU-US Data Privacy Framework where applicable. |
| Vercel | Web application hosting, edge runtime, and CDN. | Request metadata, IP, performance metrics. | United States and European Union. | Standard Contractual Clauses, EU-US Data Privacy Framework. |
| Sentry | Error monitoring and performance observability. | Error stack traces, request context, redacted user identifiers. | United States. | Standard Contractual Clauses, EU-US Data Privacy Framework. |
| PostHog | Product analytics. Loaded only with your consent. | Anonymous events, page views, feature usage. | European Union or United States, depending on instance. | Standard Contractual Clauses where applicable. |
| Resend | Transactional email delivery (sign-in, notifications). | Email address, message content. | United States. | Standard Contractual Clauses. |
| Upstash | Rate limiting, abuse protection, ephemeral cache. | Truncated IP, request counts, short-lived tokens. | United States and European Union. | Standard Contractual Clauses where applicable. |
| OpenAI | Generative AI for AI-powered features. Used only when you invoke an AI feature. | Prompt and a narrow context window of relevant inputs. | United States. | Standard Contractual Clauses, zero-retention API mode, no training on inputs or outputs. |
| Lemon Squeezy | Payment processing as Merchant of Record. Lemon Squeezy is the seller of record for paid subscriptions and is a separate controller for billing data. | Payment data (we receive subscription metadata only, no full card details). | United States. | Standard Contractual Clauses, separate controller for billing. |
| Google | Identity provider for Sign in with Google. Only used if you choose this option. | Google account ID, email, name (where you allow it). | United States. | Standard Contractual Clauses, EU-US Data Privacy Framework. |
| Apple | Identity provider for Sign in with Apple. Only used if you choose this option. | Apple account identifier, relay email. | United States. | Standard Contractual Clauses. |
How this works
We use these sub-processors under written data processing agreements. We review the safeguards regularly.
Before adding or replacing a sub-processor that processes personal data, we will publish the change here at least 30 days before it takes effect.
To object to a new sub-processor, write to privacy@finatha.app. If the change is material, you have the right to terminate your subscription.