Sub-processors

Last updated June 3, 2026

Tidyflow uses a limited number of trusted third-party service providers (“sub-processors”) to help us operate, secure, and improve the platform.

Sub-processors may process customer data solely for the purpose of providing services to Tidyflow. Each sub-processor is contractually required to implement appropriate technical and organizational security measures.


Infrastructure & Hosting

DigitalOcean

Purpose: Application hosting and infrastructure
Location: United States

Amazon Web Services (AWS)

Purpose: Secure database storage, file storage, and encrypted backups
Location: United States

Cloudflare

Purpose: Hosting (Cloudflare Pages), content delivery network, DNS, and bot/spam protection (Cloudflare Turnstile) for our public marketing website (tidyflow.com)
Location: United States, with global edge presence

Cloudflare processes request metadata (such as IP address, user agent, and request URL) on our behalf to serve and cache the marketing site and to protect it from automated abuse and denial-of-service attacks. Cloudflare Turnstile additionally evaluates browser and network signals when you interact with forms on our marketing site (such as sign-up, demo request, and lead-capture forms) to distinguish humans from bots. See the Cloudflare Turnstile Privacy Addendum for details. Cloudflare does not have access to customer data inside the Tidyflow application.


Payments

Stripe

Purpose: Subscription billing and secure payment processing
Location: United States

Tidyflow does not store or process full payment card details. All payment information is handled directly by Stripe.


Email & Communications

Postmark

Purpose: Transactional email delivery (system notifications and alerts)
Location: United States

Postmark delivers Tidyflow’s own transactional and notification email (e.g. password resets, system alerts, in-product notifications). Postmark does not receive Gmail message content or Google Calendar event content from connected customer accounts.

Google Workspace

Purpose: Internal communications and customer support correspondence
Location: United States

Customer support email (e.g. messages sent to [email protected]) is received and handled in Tidyflow’s own Google Workspace mailbox.


Authentication

Google Identity

Purpose: User authentication (OAuth login)
Location: United States

Microsoft Identity Platform

Purpose: User authentication (OAuth login)
Location: United States


Email Integration

Google Gmail API

Purpose: Email sync, viewing, composing, and sending for connected Gmail mailboxes
Location: United States

Google Gmail API is engaged as a sub-processor only where a customer has authorised the connection of a Gmail account via OAuth 2.0. Tidyflow accesses email data (message content, metadata, sender/recipient information, and attachments) solely to provide email functionality within the Service. Tidyflow’s use of Google user data adheres to the Google API Services User Data Policy, including the Limited Use requirements. For full details, see our Use of Google API Services page.

Google Calendar API

Purpose: Accepting, declining, and updating calendar events created in response to email invitations received in connected Gmail accounts
Location: United States

Google Calendar API is engaged as a sub-processor only where a customer has authorised Calendar access on a connected Google account via OAuth 2.0. Tidyflow’s use of the Calendar API is limited to user-initiated actions against meeting invitations in the Tidyflow email surface (e.g. RSVP, event updates). Tidyflow does not list or import the customer’s wider Google Calendar. Tidyflow’s use of Google user data adheres to the Google API Services User Data Policy, including the Limited Use requirements. For full details, see our Use of Google API Services page.

Microsoft Graph API (Microsoft 365 / Outlook)

Purpose: Email sync, viewing, composing, and sending for connected Microsoft 365 and Outlook mailboxes
Location: United States

Microsoft Graph API is engaged as a sub-processor only where a customer has authorised the connection of a Microsoft email account via OAuth 2.0. Tidyflow accesses email data (message content, metadata, sender/recipient information, and attachments) solely to provide email functionality within the Service.


AI Features

OpenAI

Purpose: Third-party AI processing for optional AI Features, including summarisation, classification, conversational assistants, workflow automation, and content generation
Location: United States

OpenAI is engaged as a sub-processor only where a customer has opted in to AI Features. Data transmitted to OpenAI is pseudonymised via tokenisation before leaving the Tidyflow platform. OpenAI processes data in real time and is contractually committed to the minimum retention period required to operate its API. OpenAI is contractually prohibited from using customer data to train or improve its models. Google Calendar event data is not transmitted to OpenAI. For full details, see our AI Terms of Use.


Product Analytics

PostHog

Purpose: Product analytics and feature flags
Location: United States

PostHog receives anonymised product-analytics events only (e.g. “feature used”, “page viewed”). Session recording and DOM/input capture are disabled. No Gmail message content or Google Calendar event content is transmitted to PostHog. See Use of Google API Services for details.


Sub-processor Engagement

Tidyflow engages sub-processors to support the delivery of its services. Each sub-processor is bound by a written data processing agreement that includes confidentiality, security, and data protection obligations consistent with applicable data protection laws.


International Data Transfers

Tidyflow primarily operates using United States-based infrastructure. Where personal data is transferred outside a customer’s jurisdiction, we implement appropriate safeguards in accordance with applicable data protection regulations.

Customers may contact us for additional information regarding data transfer safeguards.


Updates to This List

We may update this list from time to time as our services evolve. The most current version will always be available on this page.


Contact

For questions regarding sub-processors or data handling practices, please contact [email protected].