Sub-processors
Effective Date: [set at publish] | Last Updated: 2026-06-17
These are the third parties that help us run Cirdia. Each one processes data on our behalf, under a contract that requires them to protect it. We keep this list current — our other policies (App Privacy, Website & Cookies, Business & Contact) link here so there's one place to check who touches what.
We do not share your data with data brokers, resellers, or advertisers beyond the limited ad-performance measurement described in the Website & Cookies Policy. And none of these providers ever receives your health or wellness data — that stays on your device.
| Provider | What they do | Data involved | Where | Used for |
|---|---|---|---|---|
| Apple App Store | Payments and subscription processing on iOS | Purchase/transaction identifiers, storefront country | United States | Apps |
| Google Play | Payments and subscription processing on Android | Purchase tokens, subscription state | United States | Apps |
| Postmark | Sends sign-in links and service/marketing emails | Email address, message content | United States | Apps, Website, Business |
| MillionVerifier | Checks that an email address is reachable | Email address | EU | Apps |
| Plausible Analytics | Cookieless, aggregate website analytics | Anonymous, aggregate data only | EU | Websites (cirdia.com, cirdia.co) |
| Meta | Ad-performance measurement on our marketing landing pages only, and only with your consent | Page-view events, device/browser data | United States | Website (landing pages) |
| Anthropic | Internal business AI, e.g. prioritizing sales/contact outreach | Business-contact details and notes | United States | Business |
| Hetzner | Server hosting | Account and business data | EU (Germany) | |
| RunPod | The short-lived environment where weekly insights are generated, then torn down | Wellness data — processed ephemerally, never stored | United States | Apps |
| Cloudflare | DNS, CDN, and edge security | Web request data; IP addresses (transient, not stored by us) | EU points of presence | |
| Impossible Cloud | Encrypted off-site database backups | An encrypted copy of the database (account/business data) | EU | |
| Google Drive | Internal document collaboration | Internal business documents (no personal data) | United States | |
| Nextcloud (self-hosted) | Primary internal business storage and tools | Internal business data (no customer data) | EU (self-hosted) | |
| Mattermost | Internal operational notifications | Minimal — a first name and an internal account id | EU (self-hosted) | |
| WhatsApp (Meta) | Opt-in tester-community group | Phone number and messages within the group (only if you join) | United States |
Where a provider operates outside the EU, we put appropriate safeguards in place as the GDPR requires, including standard contractual clauses.