Legal
Subprocessors
Last reviewed: April 22, 2026
Overview
A subprocessor is any third-party service Recoup Systems Inc. uses to operate the Recoup application that may access Customer Data on our behalf. We hold each subprocessor to the standards described in our Privacy Policy and require a Data Processing Agreement (DPA) where commercially reasonable.
The current list of subprocessors is reproduced below. We will provide at least 30 days' advance notice of any new subprocessor via in-app banner and email to the account's primary contact. Customers may request notification of subprocessor changes by emailing tech@recoup.cash.
Current subprocessors
| Vendor | Purpose | Data accessed | Region | DPA |
|---|---|---|---|---|
| Supabase Inc. | Managed Postgres database + authentication + Vault key storage | All Recoup data (Customer Data, OAuth tokens, audit logs) | United States (AWS) | Yes — Supabase publishes a DPA |
| Vercel Inc. | Application hosting, edge network, runtime logs | Request traffic, encrypted env vars, deployment artifacts | United States | Yes — Vercel publishes a DPA |
| Anthropic PBC | AI message generation (Claude API) and reply classification when Email Parts B+C resume | Minimum context to draft a reminder: invoice metadata, customer name, balance, prior message snippets. No bulk Customer Data export. | United States | Pending — request in progress |
| Resend Inc. | Outbound email delivery and bounce/complaint webhooks | Outbound email body + recipient address + delivery events | United States | Pending — request in progress |
| Google LLC (Gmail API) | Send AR reminders from owner's Gmail (gmail.send); detect customer replies to those threads (gmail.readonly, post-CASA) | OAuth tokens for owner's Google account; Gmail messages matching Recoup-sent Message-IDs (read access only) | United States | Yes — Google API Services Terms + Limited Use commitments |
| Intuit Inc. (QuickBooks) | QuickBooks Online sync — source of truth for AR data | QBO realm metadata, customer records, invoices, payments, OAuth tokens (encrypted) | United States | Yes — Intuit API Terms of Service |
| Cloudflare, Inc. | Turnstile captcha — bot protection on auth flows | Captcha challenge tokens, request IP addresses | United States (global edge) | Yes — Cloudflare publishes a DPA |
| Stripe, Inc. | Subscription billing for Recoup (when activated) | Owner's billing details: card token, last-4, expiration, billing address | United States | Yes — Stripe publishes a DPA |
What we never share
- We do not sell Customer Data to anyone, ever.
- We do not share Customer Data with advertisers or use it for cross-context behavioral advertising.
- We do not share email content with any third party except as necessary to operate the Service (for example, sending message context to Anthropic to generate a reply draft).
- We do not allow our AI subprocessors to use your data to train their generative models. Anthropic's commercial API does not train on inputs or outputs as of the last review date above.
Reporting concerns
Security concerns or subprocessor questions can be sent to tech@recoup.cash. For coordinated disclosure of vulnerabilities, see our security.txt.