Avaplicity Subprocessors

Hosting & CDN for marketing site

IP address, HTTP headers, page requests, error logs

Website visitors

Global edge; primarily U.S.

Operational logs retained per provider standards

Cloud infrastructure (EKS, ECR, ALB, Route53, ACM, CloudWatch, CloudTrail, KMS, Secrets Manager, STS)

IPs, service logs/metrics, network telemetry; encrypted app data at rest

Website visitors & App users (infra/diagnostics)

U.S. (us-east-2) and global AWS edge as applicable

KMS encryption; OIDC/IRSA; zero-trust network policies

In-memory cache (performance)

Ephemeral session/context metadata

App users

U.S. (within our AWS VPC)

No third-party managed cache; part of our own infra

Primary database

Account/profile data, conversation transcripts, device/push tokens, reminder schedules

App users

U.S. region

Encryption at rest; role-based access

Mobile app datastore (iOS)

Profile fields, app state/metadata as configured (no payment cards)

App users

U.S.

Used by iOS app per current architecture; may be reduced as backend consolidates

Observability: logs, metrics, traces, SLOs

Service logs/metadata (may include IPs, device/app IDs, error payloads)

Website visitors & App users (diagnostics)

U.S./EU

Used for reliability, security, performance monitoring

Feature flags & kill-switch

Flag keys/variations, pseudonymous SDK identifiers

App users

U.S.

Used for gradual rollout and safety gates

Product & website analytics

Event metadata, device/usage data, IP (per provider defaults); no conversation transcripts

Website visitors & App users

U.S. or EU (per workspace data residency settings)

We disable ad-tech sharing; session replay off unless explicitly enabled

User authentication

Email, name (if provided), auth tokens, auth logs

App users who choose Firebase auth

U.S./Global

Used to authenticate iOS users

OAuth identity provider

Name, email, ID token

App users who choose Google Sign-In

U.S./Global

For login and account linking

OAuth identity provider

Name (if shared), email (relay or direct), ID token

App users who choose Apple Sign-In

U.S./Global

For login and account linking

Push notification delivery

Device push token; notification routing metadata

App users who enable notifications

U.S.

We store tokens; Apple delivers messages via APNs

Transactional email (account/support)

Email address, message content (service notices)

Website visitors & App users who contact us or receive notices

U.S.

Replace with finalized vendor name before publishing

In-app purchase processing

Purchase receipts/tokens, product identifiers

App users who subscribe

U.S./Global

Card details handled by Apple; we receive receipts only

Subscription entitlements & receipt validation

App/User identifiers, purchase receipts/tokens, entitlement state

App users who subscribe

U.S.

Bridges App Store receipts to app entitlements

LLM inference (text generation)

Prompts, conversation transcripts, context you share

App users

U.S./Global

Configured to process content only to deliver the service; we opt out of provider training where available

LLM inference (text generation)

Prompts, conversation transcripts, context you share

App users

U.S.

Used selectively alongside OpenAI; provider does not use API data to train models per provider terms

Speech/voice (TTS/STT)

Text for synthesis; generated audio; (for STT) audio segments

App users who enable voice

U.S.

Generates assistant's spoken responses; STT used for transcripts as configured