At a Glance
Quick summary. Read the full policy below for the complete terms.
- What this is
- The current set of third-party vendors that may process Clarity user data on our behalf as sub-processors under GDPR Art. 28.
- Change-notice cadence
- We update this page when we add, remove, or substitute a sub-processor. To receive email notifications of changes, contact legal@raintree.technology.
- Companion documents
- Our Data Processing Addendum lives at /legal/dpa; our Privacy Policy at /legal/privacy.
1. Current Sub-processors
| Sub-processor | Purpose | Location | Data categories |
|---|---|---|---|
| Plaid, Inc. | Bank, brokerage, and liability data connectivity | United States | Tokenized account access, balances, transactions, holdings, employment data where authorized |
| Alchemy Insights, Inc. | Blockchain data, wallet balance + token indexing | United States | Public wallet addresses, on-chain transactions, token balances |
| Stripe, Inc. | Subscription billing and payment processing | United States | Payment-method tokens, billing email, plan, invoice history |
| Vercel Inc. | Application hosting, edge runtime, serverless | United States | All application data in transit; request logs |
| PlanetScale, Inc. | Managed Postgres database | United States | All user and transaction data at rest |
| Cloudflare, Inc. | CDN, edge compute (Workers), object storage (R2), DDoS mitigation, and Turnstile anti-bot challenge verification | United States (with global edge presence) | Request metadata, static assets, edge-cached pages; visitor IP and challenge token for Turnstile bot verification on public forms |
| Upstash, Inc. | Managed Redis cache, rate-limiting, ephemeral coordination | United States | Short-lived session and rate-limit state; no permanent storage of user data |
| Resend, Inc. | Transactional and marketing email delivery | United States | Email address, name, message body for emails Clarity sends |
| Brandfetch | Brand and institution logo lookup | United States | Merchant/institution domain or name; end-user IP address (via image request) |
| PostHog, Inc. | Product analytics for the authenticated app (consent-gated on marketing site) | United States | Clarity user ID, email, page/event metadata. Does not receive account balances, transaction lists, or holdings. |
| Google LLC | Google OAuth identity verification at sign-in; Google Analytics 4 + Google Search Console for marketing-page analytics (consent-gated) | United States | OAuth identity profile (name, email); marketing-page usage metrics after consent. Not used for the authenticated app's product analytics. |
| Meta Platforms, Inc. | Meta Pixel + Conversions API (CAPI) for marketing-site advertising attribution (consent-gated; off by default) | United States | Pixel events (after advertising consent); CAPI hashed email + click identifiers on signup and first paid invoice |
| Vercel, Inc. (AI Gateway) | Unified routing layer over upstream LLM providers (Anthropic, OpenAI) with automatic failover and observability | United States | Ask Clarity prompts and tool results pass through the gateway en route to the upstream model. Zero data retention at the gateway layer; upstream provider retention governed by Anthropic / OpenAI ZDR terms. |
| Anthropic, PBC | Primary LLM provider for Ask Clarity (Claude Haiku 4.5 / Sonnet 4.6) via the Vercel AI Gateway | United States | Ask Clarity prompts (containing per-request context the model needs to answer) and assistant outputs. Zero data retention configured. No training on Clarity data. |
| OpenAI OpCo, LLC | Additional LLM provider for Ask Clarity, reached via the Vercel AI Gateway | United States | User prompt + relevant financial context per query. Not used to train OpenAI's general-purpose models under the OpenAI Business Terms. |
2. International Data Transfers
All sub-processors above are located in the United States. For EU/UK users, transfers are executed under the European Commission Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), supplemented by each vendor's technical and organizational measures (TOMs). Copies of the executed SCCs/IDTA for any sub-processor are available on request to legal@raintree.technology.
3. Change Process
We update this page when we add, remove, or substitute a sub-processor. Material changes (addition of a new sub-processor that receives identifiable customer data, or a change to the data categories sent to an existing sub-processor) are announced before they take effect. To subscribe to change notifications, emaillegal@raintree.technologywith "Subprocessor notifications" in the subject line.
This list was last updated on the date shown below.