1. Overview
My Evening uses a small number of third-party service providers ("sub-processors") to deliver the App. Each sub-processor processes personal data only as instructed by us and only for the specific purpose listed below, under a written data processing agreement or equivalent contract terms. Where a data processing agreement is still being executed, this is noted in that sub-processor's entry below.
We will give at least 30 days' advance notice on this page (and, where required by law, by other reasonable means) before adding any new sub-processor that processes personal data, so you can object before the change takes effect.
2. Current Sub-processors
Apple Inc. / Apple Distribution International Ltd.
- Role: Authentication (Sign in with Apple); App Store distribution and subscription billing as merchant of record (StoreKit 2); HealthKit on-device APIs.
- Data flows: Inbound — signed StoreKit 2 transactions and App Store Server Notifications V2 (including REFUND and REVOKE) are delivered to our backend. Outbound — our backend calls the App Store Server API to read transaction, refund, and notification history by original transaction ID for entitlement verification and our operator admin portal. Our backend stores subscription, entitlement, and transaction data linked to your user account (this supersedes any earlier statement that we keep only anonymous transaction confirmations).
- Categories of personal data: Apple ID identifier (we store the SHA-256 hash of the
sub claim). We do not receive your name or email: the App requests no name or email at sign-in, and if an older App version ever transmitted them our server discards them and stores neither. Subscription entitlement and transaction records (product ID, original transaction ID, expiry, renewal and revocation status, environment, offer/ownership type, trial state). Apple additionally processes your Apple ID account and billing data as an independent controller under its own privacy policy. - Location: United States; Apple Distribution International Ltd. (Cork, Ireland) acts as the EEA/UK contracting party.
- Transfer mechanism: EU Standard Contractual Clauses + EU-US Data Privacy Framework (Apple Inc. is DPF-certified).
- Contract: Apple Developer Program License Agreement and Schedule 2 (Paid Applications Agreement).
- Privacy reference: apple.com/legal/privacy
ElevenLabs, Inc.
- Role: Real-time speech-to-text transcription (Scribe v2 model). When you choose to speak, microphone audio streams over an authenticated WebSocket from your device to our backend, which proxies it to ElevenLabs. Neither our app nor our backend writes the audio to disk.
- Categories of personal data: Voice audio. The names and non-relational aliases of people you thank are also sent as recognition keyterms to improve transcription accuracy (third-party personal data).
- Current handling: Audio is currently transmitted to ElevenLabs' global endpoint in the United States with the provider's default logging. We do not retain the audio on our side; provider-side retention and any training are governed by our agreement with ElevenLabs and the ElevenLabs DPA. Zero-retention mode and EU data residency are supported in our code and are being enabled pending an ElevenLabs Enterprise plan and operator configuration — they are not yet active.
- Location: United States (global endpoint). EU data residency is planned, not yet in effect.
- Transfer mechanism: EU-US Data Privacy Framework — ElevenLabs, Inc. is DPF-certified (including the UK Extension and the Swiss-US DPF), and the DPF is the primary mechanism while that certification remains active. EU Standard Contractual Clauses (Module 2: controller → processor) and the UK International Data Transfer Addendum, per the pending DPA, are the fallback.
- Contract: ElevenLabs Data Processing Addendum — execution pending; until signed, the required processor contract (GDPR Art. 28(3)) and the SCC fallback for this flow are incomplete (the DPF provides the transfer basis in the interim).
- Privacy reference: elevenlabs.io/privacy
OpenAI (OpenAI Ireland Ltd. / OpenAI L.L.C.)
- Role: Cloud-assisted person detection on gratitude entries (gpt-5-nano via the Responses API). This is a core part of how the App works — it runs automatically for every user, whenever you save a gratitude entry, to suggest who you thanked. There is no toggle to turn it on or off.
- Categories of personal data: The gratitude-entry text (first 1,000 characters) plus structured details about the people you have thanked — display name, preferred name, all aliases (including relational and kinship terms) and a count of how many times each has been thanked. This includes third-party personal data about people you mention.
- Retention / training: We set
store:false on each request, so OpenAI does not persist the request or response for retrieval or standard retention, and OpenAI does not train on API data by default. OpenAI's standard transient abuse-monitoring logging (up to ~30 days) is an account/DPA-level policy that is not controllable from our code. - Location: United States. OpenAI Ireland Ltd. (Dublin) is the EEA/UK contracting party; inference runs at OpenAI L.L.C. (US).
- Transfer mechanism: EU-US Data Privacy Framework + Standard Contractual Clauses (fallback) per OpenAI's Data Processing Addendum.
- Contract: OpenAI Data Processing Addendum — execution pending; until signed, the required processor contract (GDPR Art. 28(3)) and the SCC fallback for this flow are incomplete (the DPF provides the transfer basis in the interim).
- Privacy reference: openai.com/policies/privacy-policy
Microsoft Corporation (Microsoft Azure)
- Role: Hosting and infrastructure: Azure Functions, App Service, Table Storage, Key Vault, Application Insights / Log Analytics, Front Door (global edge), Static Web Apps.
- Categories of personal data: Hashed Apple
sub identifier and account timestamps (the user profile record — no email or name is stored; the App no longer transmits them, and any legacy values written by older App versions are discarded on sign-in and being removed); subscription, entitlement and transaction records linked to your account; per-user daily usage counters (call counts, token and cost totals, audio byte and session totals — counts only, never journal content); per-user and per-IP-hash rate-limit counters; live WebSocket connection counters; anonymous first-party analytics events (the onboarding funnel and counts-only ritual usage summaries, keyed only to random identifiers generated on your device — never to your account, email, name, or device identifier); and pseudonymous Application Insights / Log Analytics telemetry keyed to the hashed Apple sub (custom events such as person-detection, speech-to-text and subscription events, plus exceptions and Azure-default request telemetry that may include a masked client IP). Front Door edge access logs hold client IP, user-agent and path. Key Vault holds secrets only — no end-user personal data. - Location: All backend resources that hold personal data — compute, Table Storage, Key Vault, Functions, App Service and Log Analytics — are in North Europe (Ireland). The marketing website static hosting is in West Europe (no personal data); Front Door is a global edge.
- Transfer mechanism: EU Data Boundary commitment (in-region processing for EEA customer data) + Microsoft Online Services DPA (which includes EU SCCs and the UK IDTA).
- Contract: Microsoft Customer Agreement + Microsoft Products and Services Data Protection Addendum (Online Services Terms).
- Privacy reference: Microsoft Trust Center
Microsoft Entra ID (Azure AD) — operator portal identity provider
- Role: Identity provider that authenticates the sole operator's sign-in to our internal admin portal. No end-user personal data flows to Entra ID — it processes only the operator's own administrator login. Listed here for transparency.
- Categories of personal data: The operator's administrator account credentials and sign-in metadata. None of your data.
- Location: Microsoft cloud (operator tenant). Covered by the same Microsoft Online Services DPA as Azure above.
- Transfer mechanism: Microsoft Online Services DPA (EU SCCs and UK IDTA where applicable).
- Contract: Microsoft Customer Agreement + Microsoft Products and Services Data Protection Addendum.
- Privacy reference: Microsoft Trust Center
3. Sub-processors We Do Not Use
Listed for transparency:
- Google Analytics, Firebase Analytics, Adjust, AppsFlyer, Mixpanel, Amplitude, TelemetryDeck — no third-party analytics SDKs of any kind (TelemetryDeck was removed in July 2026 before ever receiving data). Our only analytics are first-party, anonymous, and stored on our own Microsoft Azure backend (listed above).
- Facebook SDK, TikTok SDK, Snap SDK, X (Twitter) SDK — no social-platform SDKs.
- Sentry, Bugsnag, Crashlytics — no crash-reporting SDKs that transmit personal data.
- Stripe, PayPal, Braintree — payments are handled exclusively by Apple StoreKit 2; we do not see card numbers.
- Mailchimp, SendGrid, Postmark, Customer.io — no email-marketing or automated email-sending infrastructure of any kind. We do not hold your email address and send no marketing or transactional emails; the only email involving you is direct correspondence when you choose to write to us.
4. Notification of Changes
Material changes to this list — new sub-processors, removed sub-processors, or significant changes in role or location — will be reflected here with at least 30 days' advance notice before the change takes effect for new processing. The "Last updated" line above is bumped on every material change.
Any future sub-processor is expected to fall within the categories of service we use today — cloud infrastructure and hosting, AI speech-to-text, AI text analysis, authentication and app-distribution/billing platforms, and other similar service providers — and will be engaged only under a written data processing agreement with equivalent safeguards, including EU Standard Contractual Clauses or another valid GDPR Chapter V transfer mechanism where personal data leaves the EEA or UK. In the exceptional case where a provider must be replaced urgently to keep the service secure or available, we may make the substitution before the 30-day notice period ends; we will update this page and give notice as soon as reasonably possible, and the objection right below applies to the replacement in the same way.
If you are an EEA or UK data subject and you wish to object to a new sub-processor, contact privacy_myevening@rongan.me within the notice period.