Sub-processors
This page lists the third-party services Finisit uses to process user data. We disclose them per GDPR Article 28(2) (sub-processor transparency) and as part of our customer due-diligence promise.
We notify users of new sub-processors through the canonical changelog in our public commit history and through this page's Last Updated stamp. Material changes (new processor categories, new regions) trigger a Privacy Policy update notification.
Active sub-processors
| Vendor | Service | Data shared | Purpose | Region |
|---|---|---|---|---|
| Vercel | Hosting + edge network | All app data in transit | Web hosting + serverless functions | US (primary) |
| Neon | Managed Postgres | Application data at rest | Primary database | US-East |
| Stripe | Payment processing | Name, email, billing address, last4 | Subscription + one-off payments | US, EU |
| Printful | Print-on-demand | Shipping name + address | Physical merch fulfillment | US, EU |
| Resend | Transactional email | Recipient email + message body | Welcome / verify / drip / receipts | US |
| Sentry | Error tracking | Stack traces, request IDs, user IDs (no PII payloads) | Observability | US, EU |
| Plausible Analytics | Web analytics | Page URL, referrer, anonymized IP | Privacy-friendly traffic analytics | EU |
Conditional sub-processors
Activated only when the corresponding feature is enabled in your account or globally:
| Vendor | Activation | Data shared |
|---|---|---|
| OneSignal / Firebase Cloud Messaging | When push notifications enabled | Device push tokens |
| Cloudflare or Bunny CDN | When IMAGE_CDN_PROVIDER is set | Public product image URLs |
| Twitch / YouTube | Live streaming pages | Embedded video; no user data shared with these platforms by us |
Data residency
Application data is stored in the US (Neon US-East). Payments are processed via Stripe's global network, with an EU region selectable for European customers. Email is delivered via Resend (US); EU residents who require EU-only email routing should contact privacy@finisit.app.
Standard contractual clauses
For EU/UK data subjects, transfers to US-based sub-processors rely on Standard Contractual Clauses (SCCs) per the EU Commission's 2021 model clauses. Each vendor above either operates EU regions (Sentry, Plausible) or has executed SCCs with us.
Notification of changes
We commit to:
- Update this page within 7 days of any sub-processor change
- Provide 30 days' notice of material changes to enterprise customers with a signed Data Processing Agreement (DPA)
- Allow such customers to object to the change (and exit if material)
Contact
Questions about this list, our DPA, or our sub-processor practices → privacy@finisit.app.
See also: Privacy Policy · Terms of Service · Security · security.txt