Subprocessors
Who else sees your data
MyFina is a hosted service, and some tasks are delegated to vetted third-party processors. Here is the full list — no shortcuts, no SaaS promises.
Processor list
Each processor performs one specific job: hosting, billing, email delivery, AI, or PSD2 consent. We don't hand them "everything about the user" — only the minimum required for their function. Data Processing Agreements (DPA) are mandatory for any processor handling PII.
| Service | Purpose | Data | Region | Status |
|---|---|---|---|---|
| Hetzner | App hosting and PostgreSQL | All user data (encrypted at rest) | Germany (EU) | DPA signed |
| Stripe | Billing and payments (Pro subscription) | Email, name, billing address, payment history | Ireland (EU) | DPA signed |
| Resend | Transactional and marketing email | Email, body, delivery flags | USA (EU-aware sub-processing) | DPA signed |
| Anthropic (Claude API) | AI voice and receipt parsing | Voice phrase text or receipt OCR (no PII context) | USA | DRAFT — owner risk-accept for single-user prod |
| GoCardless (Bank Account Data) | PSD2 consent for European bank connections | Name, email, selected bank, IBAN, transactions (consented) | UK / EU | DPA signed |
| Monobank API | Sync for users with Monobank accounts | Banking API token (encrypted), transactions on request | Ukraine | Not a processor — public API |
| Firebase Cloud Messaging (FCM) | Push notifications to mobile devices | Device token + localized notification text | Global (Google) | Google standard DPA |
| Google Tag Manager + GA4 (site only) | Tag container and aggregate web analytics — visits, traffic sources, conversions | Anonymized IP, page, referrer, user-agent. Tag configuration is changed in tagmanager.google.com without code deploys | USA / EU (multi-region) | User opt-in only. GTM + GA4 configured with anonymize_ip=true, ads personalization off |
| Microsoft Clarity (site only) | Heatmaps and session recordings — UX improvements | Click/scroll heatmaps, masked DOM (input text masked) | USA (Microsoft Azure) | User opt-in only. PII masked by default + data-clarity-mask on forms |
Maintained by the product team. When a new processor is added we update this page before it goes live in production. Questions about a specific processor — email support@my-fina.com.
← Back to SecurityLast updated: 3 June 2026