What's on this page

This page lists every sub-processor that handles personal data on behalf of Notabyte Limited in the course of providing Get Clarity. We update it whenever we add, change, or remove a sub-processor.

If you're a customer who needs us to notify you in advance of changes (e.g. for your own DPA compliance), email privacy@clarityuk.app to subscribe to sub-processor change notifications. We give at least 30 calendar days' notice for material changes.

How we pick sub-processors

We choose sub-processors that are appropriate for a UK financial-data SaaS:

Regulated where required — TrueLayer is FCA-authorised; Stripe is regulated.
Bound by written DPA — every sub-processor has signed an Article 28-compliant data-processing agreement with us.
Located in adequate jurisdictions — UK, EEA, or covered by adequacy regulations / UK IDTA.
Necessary — we don't add a sub-processor unless we genuinely need them.

The list

Infrastructure and hosting

| Sub-processor | Purpose | Location | DPA in place | |---------------|---------|----------|---| | Supabase Inc. | Primary database, authentication, file storage | EU region (Frankfurt) | Yes | | Vercel Inc. | Application hosting, edge compute, content delivery | United States, with global edge | Yes |

Financial services

| Sub-processor | Purpose | Location | DPA in place | |---------------|---------|----------|---| | TrueLayer Limited | FCA-authorised Open Banking provider — connects to your bank, returns transactions | United Kingdom and EEA | Yes | | Stripe Payments Europe Ltd | Subscription billing and payment processing | Ireland (EU) with some processing in the United States | Yes |

AI and machine learning

| Sub-processor | Purpose | Location | DPA in place | |---------------|---------|----------|---| | Anthropic PBC | Generative AI — powers Ask AI, Copilot, and AI-assisted categorisation. Does not train on your data. | United States | Yes |

Communications

| Sub-processor | Purpose | Location | DPA in place | |---------------|---------|----------|---| | Resend | Transactional and marketing email delivery (account verification, billing notices, AI insight summaries, recovery emails) | United States, with EU regional support | Yes | | ImprovMX | Inbound email forwarding for clarityuk.app addresses (e.g. privacy@, hello@, support@) | See provider documentation | Yes |

Identity providers (only if you use them)

| Sub-processor | Purpose | Location | DPA in place | |---------------|---------|----------|---| | Apple Inc. | Sign in with Apple — only when you sign in via Apple ID | Ireland and the United States | Per Apple's developer agreement | | Google LLC | Sign in with Google and Gmail OAuth — only when you sign in via Google or enable Gmail Autopilot | United States | Per Google Cloud Terms |

Statutory recipients (not sub-processors)

These are not sub-processors. We share data with them only when legally required, but we list them here for transparency:

HMRC — for MTD VAT submissions and any HMRC enquiries.
Companies House — for statutory filings (Notabyte's own; not customer data).
Information Commissioner's Office (ICO) — for our ICO registration and any breach notifications.
Law enforcement — only when compelled by valid legal process and only the minimum data required.

Notabyte's own service providers (not sub-processors of customer data)

These providers receive Notabyte's company data, not your personal data. We list them for transparency:

AudAcc — Notabyte's accountants. Receive Notabyte's company financial records, not customer accounts.
Companies House — Notabyte's statutory filings.
HSBC (or whichever bank Notabyte uses) — Notabyte's company banking.

Changes since the last update

This is the first version of this list, effective 5 May 2026. Future changes will be summarised here.

Questions

Email privacy@clarityuk.app. We aim to respond within one business day to sub-processor questions, faster if you're an active customer with a contractual notification requirement.