Subprocessors
Last updated: May 12, 2026
These are the third-party services Cradled uses to operate the App. Each processes personal data on our behalf under their own privacy terms. We update this list when we add, remove, or materially change a processor.
Professional Users: Data Processing Agreement
If you use Cradled as a Care Provider and need a signed Data Processing Agreement (DPA) to satisfy PIPEDA, PHIPA, PIPA, GDPR, or your regulatory college's requirements, email [email protected]. Cradled is not a HIPAA Business Associate and does not sign BAAs at this time — see Section 11 of our Terms for details.
Supabase
Privacy policy →- Purpose
- Primary database, authentication, file storage, realtime subscriptions
- Data processed
- All user-provided content: profiles, check-ins, tasks, feed posts, messages, plan responses, appointment + invoice data, care provider notes
- Region
- AWS us-east-1 (Virginia, USA)
Stripe
Privacy policy →- Purpose
- Payment processing and Stripe Connect for Care Provider direct payouts
- Data processed
- Care Provider and client name, email, billing address, payment-method details (tokenised by Stripe), invoice amounts, payout metadata
- Region
- Global (Stripe's primary US + EU regions)
Resend
Privacy policy →- Purpose
- Transactional email (invoices, contracts, notification emails)
- Data processed
- Recipient email address, email subject/body content (e.g. invoice amount, link to pay)
- Region
- US
RevenueCat
Privacy policy →- Purpose
- Mobile subscription entitlement management (App Store / Google Play)
- Data processed
- User ID, subscription status, purchase history, platform attribution
- Region
- US
PostHog
Privacy policy →- Purpose
- Product analytics and feature adoption tracking
- Data processed
- User ID, screens visited, features used, event timestamps. No check-in content, messages, or clinical data.
- Region
- US
Expo / EAS
Privacy policy →- Purpose
- Mobile app build pipeline, over-the-air update delivery, push notification routing
- Data processed
- Expo push tokens, app version, device platform. No application content passes through Expo.
- Region
- US
Google (FCM, Calendar API)
Privacy policy →- Purpose
- Android push notifications via Firebase Cloud Messaging; Google Calendar sync for Care Providers who opt in
- Data processed
- FCM tokens; notification payloads at delivery time; for Calendar sync, appointment metadata shared with the connected Google account
- Region
- Global (Google Cloud)
Google (Analytics, Ads)
Privacy policy →- Purpose
- Website analytics for cradledapp.com; conversion measurement and audience building for Google Ads and YouTube campaigns
- Data processed
- Cookies and page-level visit data on cradledapp.com; ad-click attribution tokens (e.g. gclid) when arriving from a Google or YouTube ad. No app account data, check-in content, or health information.
- Region
- Global (Google Cloud)
Apple (APNs, App Store)
Privacy policy →- Purpose
- iOS push notifications; App Store subscription billing
- Data processed
- APNs device tokens; notification payloads at delivery; subscription receipt data
- Region
- Global (Apple)
Firebase Crashlytics
Privacy policy →- Purpose
- Crash and error reporting for the mobile app
- Data processed
- Crash stack traces, device model, OS version, app version, anonymised user ID
- Region
- Global (Google Cloud)
Railway
Privacy policy →- Purpose
- Hosting for cradledapp.com (marketing site + Care Provider web dashboard)
- Data processed
- Server-side rendered content, session cookies, request logs
- Region
- US (Railway's default region)
Questions? Email [email protected].