Sub-processors
Tactr uses the third-party service providers below to deliver the product. Each is bound by a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) for any cross-border transfer of personal data from the EU/UK to other regions.
We update this page whenever we add or remove a sub-processor. If you've subscribed to receive notice of changes, email [email protected] with "subscribe sub-processor changes" in the subject and we'll add you to the notification list.
Active sub-processors
| Sub-processor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Supabase, Inc. privacy policy · DPA |
Postgres database, authentication, file storage, Edge Functions | Account data, virtual cards, captured contacts, email templates, send records, bookings, encrypted email/calendar credentials | USA (us-east-1) | SCCs (Module 2 — controller to processor) |
| Anthropic, PBC privacy policy · trust center |
AI follow-up email body generation (Claude API) | Your industry, contact's industry, capture notes. Contact PII (email/phone) is NOT sent as prompt input. Per Anthropic's commercial terms, inputs/outputs are not used to train models. | USA | SCCs via Anthropic's commercial DPA |
| RevenueCat, Inc. privacy policy · DPA |
Subscription / IAP state mirror, billing-event webhooks | Anonymized user ID, subscription product ID, purchase + expiration timestamps. No payment card data. | USA | SCCs (Module 2) |
| Apple Inc. privacy policy |
App Store distribution, Apple IAP billing, Sign in with Apple | Apple account email (relayed if you use Sign in with Apple), App Store purchase receipts. | Global (Apple data centers) | Apple's standard SCCs / adequacy decisions per region |
| Google LLC privacy policy |
Google Play distribution, Google Play Billing, Sign in with Google (if used), Google Calendar / Gmail OAuth (if connected) | Google account email (relayed if you use Sign in with Google), Play Store purchase receipts, OAuth tokens for any Google services you connect. We never receive your Google password. | Global (Google data centers) | Google's standard SCCs / adequacy decisions per region |
| Cloudflare, Inc. privacy policy · DPA |
DNS, CDN, edge hosting for this website + the tactr.app deletion / unsubscribe pages | Request IPs, user-agent strings, request timestamps for the web properties. No app-content data routes through Cloudflare. | Global (Cloudflare edge network) | SCCs via Cloudflare's customer DPA |
| Your email provider Gmail · Outlook · your SMTP host |
Sending the follow-up emails YOU draft, via your own account | The email body + recipient address + headers — provided directly by you connecting the account. Tactr never sees your inbox. | Per provider | Governed by your terms with the provider; Tactr is not the controller of these sends. |
What's NOT a sub-processor
- OCR. Captured-card OCR runs entirely on your device using Apple Vision (iOS) or Google ML Kit (Android). The card image and its OCR text are never sent to a Tactr server or third party for OCR.
- No analytics or tracking SDKs. No Segment, no Mixpanel, no Firebase Analytics, no Google Analytics in the app. We rely on App Store / Play Store dashboards for high-level metrics.
- No advertising SDKs. No IDFA reads, no ATT prompt, no ad-network SDKs.
Change log
- 2026-05-27 — Initial publication.
Contact
Privacy questions, DPA requests, or sub-processor notification subscriptions: [email protected]
Hawk Eye AI · New York, NY