← Back to privacy policy
Subprocessors
Last updated: May 10, 2026
These are the service providers we use to operate Lunarosa. Each is contractually bound to handle your data only as we direct, and only to provide the service we hire them for. We will update this page when we add or remove a provider. The "Last updated" date above is canonical.
| Provider | What we use them for | Location | Privacy policy |
|---|---|---|---|
| Vercel | Hosting, serverless functions, and primary database (Vercel Postgres). Encrypted at rest. Production database in São Paulo region; static assets cached globally on Vercel's edge network. | USA | vercel.com |
| Upstash | Short-lived authentication tokens, magic-link tokens, and rate-limiting counters (Redis). Data is ephemeral; no long-term storage. | USA | upstash.com |
| Stripe | Payment processing for Premium subscriptions. Stripe receives card details directly; we never see them. We receive only your subscription status and a Stripe customer ID. | USA | stripe.com |
| Sentry | Crash reporting from inside the authenticated app only. Health-data routes are filtered out before any error is sent. No session replay. No breadcrumbs of user input. Never operates on the marketing pages. | USA | sentry.io |
Things we explicitly do not use
- No third-party analytics services (no Google Analytics, no PostHog, no Mixpanel, no Segment, no Amplitude, no Heap, no Hotjar, no FullStory).
- No advertising platforms (no Google Ads, no Meta/Facebook Pixel, no TikTok Pixel).
- No session replay tools.
- No customer-data platforms (no Customer.io, no Iterable, no Klaviyo).
- No external attribution / install-tracking SDKs (no AppsFlyer, no Adjust, no Branch).
If you spot a tracker or third-party request from any Lunarosa page that isn't listed above, please email support@lunarosa.app. We treat that as a bug, not a feature.