Pre-launch
Sub-processors
Last updated: 29 May 2026
Stackup relies on the third-party providers below to operate the service. Each is bound by a written data-processing agreement and listed here in line with UK GDPR Art. 28(2). We notify customers at least 30 days before adding a new sub-processor that handles personal data.
| Provider | Purpose | Region | Data |
|---|---|---|---|
| Supabase Inc. | Authentication & PostgreSQL hosting | EU (Frankfurt) | Account, transactions, money-leak records |
| Vercel Inc. | Web hosting, edge cache | EU + global edge | Request metadata only; no PII bodies cached |
| TrueLayer Ltd. | Open Banking AISP | UK | Bank tokens, transactions |
| Anthropic, PBC | AI categorisation (Claude API, no training) | EU endpoint | Merchant-level transaction summaries, no PII |
| Stripe Payments UK Ltd. | Payments & subscriptions | UK / EU | Billing email, payment metadata; card data tokenised |
| Resend, Inc. | Transactional email | EU | Email address, message content |
| PostHog Inc. (EU Cloud) | Product analytics | EU (Frankfurt) | Pseudonymous user id, page/event metadata |
| Functional Software, Inc. (Sentry) | Error tracking | EU | Stack traces; PII scrubbed before send |
| Upstash, Inc. | Rate-limiting & ephemeral cache | EU | IP hashes, request counts |
To object to a particular sub-processor, email privacy@stackup.app within 30 days of the notice. Where we can’t accommodate the objection, you have a right to terminate without penalty.