Sub-processor List
Last updated: March 2026
Disclaimer: This is a provisional document pending final legal review. For any questions, contact us at hello@spendable.pro.
The following third parties process personal data on our behalf as sub-processors under Art. 28 GDPR. Each entry shows the purpose, data categories involved, processing location, and the legal safeguards applied. We update this page whenever we add, remove, or materially change a sub-processor.
See also the Privacy Policy, the Cookie Policy, and our Security overview.
| Provider | Purpose | Data categories | Location | Safeguards |
|---|---|---|---|---|
| Salt Edge Limited | PSD2 open-banking connections (AISP, FCA ref. 822499, ISO 27001) | Bank account identifiers, balances, transactions (read-only) | United Kingdom / EEA | DPA, PSD2-authorized, ISO 27001, UK adequacy decision |
| Google LLC (Firebase) | Authentication, backend database, cloud functions | Email, auth tokens, user profile, application data | United States / EU | DPA, SCCs (2021/914/EU), EU-US DPF, SOC 2 / ISO 27001 |
| RevenueCat, Inc. | Subscription and in-app purchase management | App user ID, purchase metadata, entitlements | United States | DPA, SCCs, EU-US DPF |
| OneSignal, Inc. | Transactional and marketing email delivery | Email, first name, language, tags (paid/waitlist status) | United States | DPA, SCCs, EU-US DPF |
| OpenAI, L.L.C. | AI features (prompts via API, no model training on user data) | Prompt text, pseudonymized transaction descriptors | United States | DPA, SCCs, EU-US DPF, no-training commitment |
| Anthropic, PBC | AI features (prompts via API, no model training on user data) | Prompt text, pseudonymized transaction descriptors | United States | DPA, SCCs, no-training commitment |
| Vercel Inc. | Website hosting, serverless API routes, analytics, Speed Insights | IP address, browser metadata, pageviews, Core Web Vitals | United States / EU edge | DPA, SCCs, EU-US DPF, SOC 2 Type II, ISO 27001 |
| Cloudflare, Inc. | CDN, DDoS protection, bot management, TLS termination | IP address, HTTP headers, __cf_bm cookie | Global edge (EU routing preferred) | DPA, SCCs, EU-US DPF, ISO 27001 / SOC 2 |
| Google LLC (Analytics) | Website usage analytics (consent required) | IP (truncated), browser metadata, pageviews, _ga cookies | United States | DPA, SCCs, EU-US DPF, IP-anonymization enabled |
| Meta Platforms, Inc. | Meta Pixel, ad conversion measurement (consent required) | IP, _fbp cookie, hashed event data | United States | DPA, SCCs, EU-US DPF |
| LinkedIn Ireland Unlimited Co. | LinkedIn Insight Tag, ad conversion measurement (consent required) | IP, bcookie / lidc / UserMatchHistory cookies | Ireland / United States | DPA, SCCs (intra-group to US), EU-US DPF |
| Google LLC (Google Sheets) | Internal waitlist and purchase log (service account access) | Email, first name, last name, timestamp, Firebase UID, status | EU | DPA, SOC 2 / ISO 27001, access limited to service account |
Legal bases and transfer mechanisms
For transfers outside the European Economic Area we rely primarily on the Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Decision 2021/914/EU) and, where applicable, the EU-US Data Privacy Framework Adequacy Decision of 10 July 2023. Each sub-processor is bound by a written data-processing agreement consistent with Art. 28 GDPR.
Notifications of changes
We will update this page when a sub-processor is added, removed, or materially changed. Where required by law or contract, we will also notify affected users directly with reasonable advance notice, so they have the opportunity to exercise applicable rights.
Contact
Questions about this list or any of the sub-processors listed above can be directed to hello@spendable.pro.