Subprocessors
Effective 2026-06-03
The list below names every third-party service that processes personal data on AltaClario’s behalf. Each one operates under a written data-processing agreement with us and, for transfers out of the European Economic Area, under Standard Contractual Clauses. See our Privacy Policy for the legal-basis and rights framework.
| Service | Role | Country | Categories of data |
|---|---|---|---|
| Supabase | Authentication, primary database | United States | Account email, password hash, user metadata, all workspace data |
| Vercel | Application hosting, edge network | United States | Request metadata (IP, user agent), session cookies, log lines |
| Stripe | Payments, billing, tax compliance | United States | Billing email, payment method (handled by Stripe directly — we never see card numbers), invoice history |
| Anthropic (via the configured endpoint) | AI features when an organization opts in (sprint summaries, retro synthesis, NL queries) | United States | Sanitised prompt text — metadata + KPI numbers; we never send work-item bodies unless the workspace explicitly enables that |
| Google Analytics | Usage analytics (loads only after the visitor accepts the cookie banner) | United States | Truncated IP, page paths (with share-link and auth tokens stripped), device/browser metadata, and a pseudonymous client-id cookie. No user ID is attached. |
| Mail provider (Resend, Postmark, or SendGrid — operator-configured) | Transactional email: confirmation links, password reset, alert digests, abuse-report forwarding | United States | Recipient email and the body of the message |
Authentication, primary database
Country: United States
Data: Account email, password hash, user metadata, all workspace data
Application hosting, edge network
Country: United States
Data: Request metadata (IP, user agent), session cookies, log lines
Payments, billing, tax compliance
Country: United States
Data: Billing email, payment method (handled by Stripe directly — we never see card numbers), invoice history
Anthropic (via the configured endpoint)
AI features when an organization opts in (sprint summaries, retro synthesis, NL queries)
Country: United States
Data: Sanitised prompt text — metadata + KPI numbers; we never send work-item bodies unless the workspace explicitly enables that
Usage analytics (loads only after the visitor accepts the cookie banner)
Country: United States
Data: Truncated IP, page paths (with share-link and auth tokens stripped), device/browser metadata, and a pseudonymous client-id cookie. No user ID is attached.
Mail provider (Resend, Postmark, or SendGrid — operator-configured)
Transactional email: confirmation links, password reset, alert digests, abuse-report forwarding
Country: United States
Data: Recipient email and the body of the message
Changes to this list
We will update this page before a new subprocessor begins processing personal data on our behalf, and we will note material removals in the page’s revision history. For account-level objections to a specific subprocessor, please contact us and choose “Other safety concern.”