Last Updated: April 30, 2026
This is the complete list of third-party subprocessors that may receive TendTo data in the course of providing the Service. Each is contractually bound to use the data only for the purposes described and to apply security measures consistent with our Privacy Policy. We will update this page and notify users at least 30 days before any new subprocessor begins processing data for us.
| Subprocessor | Purpose | Data received | Location | DPA |
|---|---|---|---|---|
| Supabase | Primary database (Postgres), authentication, file storage, realtime sync | All user-entered data, FHIR-imported data (encrypted), authentication credentials (hashed), uploaded documents | United States | View → |
| Vercel | Application hosting, serverless functions, edge network | In-flight request payloads. No persistent storage of user data | United States | View → |
| Anthropic | AI care assistant (Claude) and document analysis | Prompts containing user-selected health information, document content. Anthropic does not train on this data | United States | View → |
| AI document processing and embeddings (Gemini) | Prompts and documents you select for processing. Google does not train on this data | United States | View → | |
| OpenAI | Optional: blog hero image generation (DALL-E 3). No PHI sent | Image prompts only. No user health data | United States | View → |
| Stripe | Payment processing for paid plans | Name, email, billing address, payment card details (handled by Stripe) | United States | View → |
| Resend | Transactional email (notifications, digests, password reset) | Email address, message content | United States | View → |
| Cloudflare | Bot-protection challenge during sign-up (Turnstile), CDN | IP address, user-agent. No health data sent | Global edge network; data processing primarily in the United States | View → |
What subprocessors are not on this list? No advertising networks, no data brokers, no analytics resellers. We do not engage subprocessors that monetize user data.
Can I object to a new subprocessor?Yes. If we add a new subprocessor you object to, you may close your account before it begins processing. We will not apply the new subprocessor’s terms to your data once your account is closed.
Questions: [email protected].