Last Updated: April 19, 2026
This page lists the third-party Sub-processors Twellie, Inc. uses to provide the Service. It supplements the Privacy Policy and the Data Processing Addendum.
Enterprise customers with executed DPAs will receive notice of new Sub-processors at least fifteen (15) days before they begin Processing Personal Data. Consumer users are notified by an update to this page and, where feasible, by email.
| Provider | Purpose | Data Handled | Location | Certifications |
|---|---|---|---|---|
| Supabase, Inc. | Authentication (Supabase Auth), relational database (Postgres), file/object storage, realtime, row-level security | Account credentials (hashed), profile data, Reports, usage counters, subscription metadata, uploaded files | United States (primary), with regional replicas where elected | SOC 2 Type II (Supabase parent), underlying AWS infrastructure |
| Stripe, Inc. | Payment processing, invoicing, tax calculation (Stripe Tax), fraud screening (Radar), subscription management, Billing Portal, Checkout | Cardholder data (processed by Stripe; we see only last 4 + brand), billing name/address, subscription status, transaction history | United States, EU | PCI-DSS Level 1, SOC 1/2/3, ISO 27001 |
| Google LLC — Gemini API | AI model provider for vision (photo analysis) and LLM (report synthesis, scoring) | Property addresses, photos (base64), listing text, buyer-profile inputs. Business-API data is not used to train foundation models per Google's commitments. | United States (global for model inference) | SOC 2 Type II, ISO 27001/27017/27018, FedRAMP High |
| Anthropic, PBC | LLM fallback provider (Claude) for synthesis when Gemini is unavailable | Same categories as Google above. Business-API data commitments mirror Google's. | United States | SOC 2 Type II |
| Resend Inc. | Transactional email (welcome, report-ready, deletion confirmation, win-back) | Email address, subject, body; bounce/complaint metadata | United States | SOC 2 Type II (in progress), GDPR-aligned DPA |
| Sentry | Error monitoring, performance tracing, release-health tracking | Stack traces, request metadata (URL, method, status), user ID tag, sanitised event payloads (credentials and PII scrubbed client-side before transmission) | United States | SOC 2 Type II, ISO 27001 |
| Meta Platforms, Inc. — Pixel + App Events + Conversions API | Ad attribution, conversion measurement, remarketing | Hashed email and phone (where user identified), event names, timestamps; subject to user opt-in / GPC / ATT | United States | ISO 27001 (underlying infra) |
| Google LLC — Analytics 4 + Google Ads | Product analytics, attribution, conversion tracking | Pseudonymous device identifier, IP (truncated), page path, event parameters | United States / EU region where selected | ISO 27001, SOC 2 |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, TLS termination at the edge (if/when enabled) | Request metadata (IP, user-agent, request path, response status) | United States with global edge PoPs | SOC 2 Type II, ISO 27001 |
| Shorebird | Over-the-air Flutter updates for the mobile apps | App version metadata, device identifier (Shorebird-generated, not the OS ad ID), optional crash metadata | United States | Standard commercial contract, no PII shared |
| Apple Inc. | iOS app distribution, in-app purchase where used, push-notification service (APNs) | Account email (for iCloud Family Sharing if enabled), purchase receipts (when IAP used), device token for push | United States, EU | Apple published privacy commitments |
| Google LLC — Play Services | Android app distribution, optional in-app billing, Firebase Cloud Messaging for push | Account email (Play account), purchase receipts, FCM device token | United States, EU | SOC 2, ISO 27001 |
| FEMA (federal agency) | Flood-zone data (public records) | Property latitude/longitude (not Personal Data about users) | United States | Not applicable (federal agency) |
| U.S. Census Bureau, FRED (Federal Reserve), USGS, EPA | Public demographic, macro-financial, seismic, environmental data | None (user data is not transmitted to these sources) | United States | Not applicable |
| Property-data licensees (ATTOM, Precisely, CoreLogic, Zillow Bridge — as licensed from time to time) | Listing data, tax records, comparable sales, permits | Property addresses submitted by users | United States | Commercial DPAs; each vendor listed as added |
| Provider | Relationship Ended | Notes |
|---|---|---|
| (none yet — list will be kept for at least 12 months after termination) |
| Provider | Purpose | Earliest Date | Status |
|---|---|---|---|
| (announcements will be listed here at least 15 days before activation, giving DPA'd customers time to object) |
To object to a new Sub-processor (customers with an executed DPA): legal@twellie.com with subject line "Sub-processor objection — [vendor]".
General questions: privacy@twellie.com.
© 2026 Twellie, Inc.