SUBPROCESSORS
LAST UPDATED: APRIL 18, 2026
The processors below are engaged under a Data Processing Agreement (DPA) that mirrors GDPR Articles 28 and 46. Where data crosses borders we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. You will be notified by email of any new subprocessor at least 30 days before it goes live, giving you time to object per Art. 28(2).
| PROCESSOR | ROLE | DATA PROCESSED | LOCATION |
|---|---|---|---|
| Supabase | Primary database, authentication, Edge Functions | All user data (profile, tasks, scoring, sessions) | EU (Frankfurt, Germany) |
| Cloudflare | CDN, DNS, Pages hosting, Turnstile CAPTCHA | Static assets, IP at request edge (not stored) | Global edge network |
| Stripe | Payments + subscription billing | Email, billing address, payment method (tokenized) | USA (SCCs in place) |
| Deepgram | Real-time voice transcription | Audio stream (not persisted by Kadence) | USA (SCCs in place) |
| Anthropic | AI task extraction via Claude | Transcript text (API logs retained max 7 days) | USA (SCCs in place) |
| PostHog | Product analytics (opt-in via cookie consent) | Pseudonymous event stream, page paths, distinct_id | EU (eu.i.posthog.com) |
| Sentry | Error + crash telemetry (opt-in via cookie consent) | Stack traces, user-agent, breadcrumbs (no form values) | USA / EU (SCCs in place) |
| Firebase Cloud Messaging | Push notifications (mobile + web) | Device tokens only | USA / EU |
| Resend | Transactional email (auth, receipts, lifecycle) | Email address, message content | USA (SCCs in place) |
Detail on international transfers, retention, and the legal basis per data category lives in the Privacy Policy. Questions: [email protected].