SaasDash.ai (operated by Pmc Negocios Digitais Ltda) uses the third-party sub-processors listed below to deliver the service. Each sub-processor is bound by a written agreement with confidentiality and security obligations consistent with our Privacy Policy and Data Processing Agreement.
For each sub-processor we list the purpose, the categories of personal data they receive, the country where data is processed, and the transfer mechanism we rely on for personal data originating in the EEA, the United Kingdom, or Switzerland — either the EU-US Data Privacy Framework (DPF) where the vendor self-certifies, or the EU Standard Contractual Clauses (SCCs, Decision 2021/914) with the UK International Data Transfer Addendum where applicable.
Authentication & Identity
| Service | Purpose | Data received | Region | Transfer mechanism |
|---|---|---|---|---|
| Google LLC (OAuth) | Google sign-in | Email, name, profile picture, OAuth tokens | United States | EU-US DPF + SCCs |
| GitHub, Inc. (OAuth) | GitHub sign-in | Email, username, profile picture, OAuth tokens | United States | SCCs (Microsoft DPF certification) |
| Resend, Inc. | Email magic-link delivery | Email address, magic-link token | United States | SCCs |
Payments
| Service | Purpose | Data received | Region | Transfer mechanism |
|---|---|---|---|---|
| Stripe, Inc. | Subscription billing, Customer Portal, Stripe Connect for affiliate payouts | Name, email, billing address, payment-method token, subscription metadata | United States, with EU sub-processing | EU-US DPF + SCCs |
Email & Communications
| Service | Purpose | Data received | Region | Transfer mechanism |
|---|---|---|---|---|
| Resend, Inc. | Transactional and marketing email delivery (onboarding bumpers, dunning, alerts, newsletters) | Recipient email and name, template variables (metrics summaries, invitation tokens) | United States | SCCs |
| Google LLC (Gmail API) | Inbound email ingestion for the Executive Assistant | Full email content (subject, body, headers, attachments) sent by senders to our support aliases | United States | EU-US DPF + SCCs |
| Telegram FZ-LLC | Internal-only strategic founder alerts (security & billing incidents) | Incident metadata; no customer personal data is sent in these alerts | United Arab Emirates / Global | SCCs (no customer personal data transferred) |
AI & Machine Learning
| Service | Purpose | Data received | Region | Transfer mechanism |
|---|---|---|---|---|
| Anthropic, PBC (Claude API) | AI insights, Ask Science, Activation Advisor, Executive Assistant triage | Conversation messages, metrics context, company profile, inbound email content when triaged | United States | EU-US DPF + SCCs. Anthropic does not train its foundation models on commercial API inputs or outputs. |
Analytics & Product Telemetry
| Service | Purpose | Data received | Region | Transfer mechanism |
|---|---|---|---|---|
| PostHog, Inc. | Product analytics, feature usage, exception telemetry | Pseudonymous user/visitor ID (on consent), event properties, page views, plan, role, stack traces and request context for unhandled errors | United States (US Cloud) — EU Cloud available on request | SCCs. Session recording is disabled. |
| Google LLC (Google Analytics 4) | Web analytics (production only, consent-gated) | Pseudonymous client ID, page views, event properties, plan, role | United States | EU-US DPF + SCCs. IP anonymization on by default in GA4. |
Advertising & Attribution
| Service | Purpose | Data received | Region | Transfer mechanism |
|---|---|---|---|---|
| Meta Platforms, Inc. (Meta Pixel + Conversions API) | Conversion attribution, ad audience optimization | SHA-256 hashed email and phone, event metadata (event name, value, currency, event ID, URL, user agent). Sent only when marketing-cookie consent is given. | United States | EU-US DPF + SCCs. First-party Meta cookies (_fbp, _fbc) are stripped server-side after each event. |
Hosting & Infrastructure
| Service | Purpose | Data received | Region | Transfer mechanism |
|---|---|---|---|---|
| Vercel, Inc. | Application hosting, serverless compute, edge middleware | All application data in transit; request logs (IP, user agent, URL, timestamp) | United States (with global edge) | SCCs |
| Neon, Inc. | PostgreSQL database hosting | All application data (account, metrics, AI conversations, etc.), encrypted at rest | Configurable per project (currently US East) | SCCs |
| Upstash, Inc. | Redis-based rate limiting | Request identifiers, counters, time windows (no customer personal data) | Configurable per database (currently US East) | SCCs |
Change Notice
When we add a new sub-processor that handles personal data, or materially change the role of an existing one, we will update this page at least 30 days in advance. Business customers may subscribe to change notifications by emailing legal@saasdash.ai with the subject line "Sub-processor notifications".
For questions about any sub-processor listed here, contact privacy@saasdash.ai.