| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Authentication, database, file storage | EU (Frankfurt) | Data Processing Agreement, EU-hosted, ISO 27001 |
| Cloudflare, Inc. | CDN, edge proxy, compute | Global, EU-routed | EU–U.S. Data Privacy Framework, Standard Contractual Clauses, ISO 27001 |
| OpenAI, LLC | AI label analysis (ingredient text only) | USA | DPF, SCCs. API data not used for model training. |
| Apple Inc. | App Store payments, push notifications | USA, EU | DPF, SCCs, Apple Developer Program License |
| RevenueCat, Inc. | Subscription receipt management | USA | DPF, SCCs, DPA on file |
| Cloudflare Email Routing | Email forwarding for support@ and privacy@ | Global | Same as Cloudflare |
Notifications
We notify users via an in-app banner at least 30 days before adding a new sub-processor with a different category of processing. We update this page on the same day the change takes effect.
How to object
If you object to a new sub-processor, you may close your account before the change takes effect by emailing privacy@finoapp.co or using the form at /delete-account.
Audit trail
Earlier versions of this page are available on request at privacy@finoapp.co.
Always read the original label. Fino is informational only and not a substitute for medical advice.
Questions about this document?
Email privacy@finoapp.co for privacy-related requests, or support@finoapp.co for general questions. We reply within 2 business days.