NAOA

Authorized Sub-processors

Last Updated: January 1, 2026

This page lists the Sub-processors authorized to process Customer Data on behalf of NAOA.

Changes to this list are published here. Customers using Business features may object to new Sub-processors within 14 days of publication by contacting hello@naoa.app.

Current Sub-processors

Google Cloud (Firebase/Firestore) – Primary data storage and database. Processes all Customer Data. Located in EU (europe-west1, Belgium). Safeguards: Google Cloud DPA, SOC 2, ISO 27001.

Google (Gemini AI) – AI content generation for numerological analyses. Processes birth date, name. Located in US/EU. Safeguards: Google AI Terms, SCCs.

Supabase – User authentication and identity management. Processes email, authentication tokens. Located in EU. Safeguards: Supabase DPA, SOC 2.

Stripe – Payment processing and billing. Processes payment method, billing address, transaction data. Located in US (with EU infrastructure). Safeguards: Stripe DPA, PCI DSS Level 1, SCCs.

Mailgun – Transactional email delivery. Processes email address, email content. Located in EU. Safeguards: Mailgun DPA.

Sentry – Error monitoring and application performance. Processes error logs, technical diagnostics (no PII). Located in US. Safeguards: Sentry DPA, SCCs.

PostHog – Product analytics and usage tracking. Processes usage data, anonymized identifiers. Located in EU. Safeguards: PostHog Privacy Policy, GDPR compliant.

Sub-processor Categories

Infrastructure Providers. Google Cloud (Firebase) hosts our application and stores all data in the EU region.

AI Services. Google Gemini generates numerological content based on user-provided data.

Authentication. Supabase manages user accounts and authentication.

Payment Processing. Stripe processes all payments securely.

Communication. Mailgun sends transactional emails (confirmations, receipts).

Monitoring. Sentry monitors application errors (does not process personal data from Customer Data). PostHog tracks product usage (uses localStorage, not cookies).

Data Location Summary

European Union – Firebase (Belgium), Supabase, Mailgun, PostHog

United States – Stripe*, Sentry*, Google Gemini*

*These providers have signed Standard Contractual Clauses (SCCs) and maintain EU-equivalent data protection standards.

Changes to Sub-processors

Notification Process. We update this page when Sub-processors are added, removed, or changed. The Last Updated date is updated. Customers using Business features have 14 days to object.

How to Object. If you object to a new Sub-processor, contact us at hello@naoa.app within 14 days of the update. Provide your objection in writing with specific concerns. We will work to address your concerns or provide alternatives. If we cannot resolve your objection, you may terminate your subscription without penalty.

Security Certifications

Our Sub-processors maintain the following certifications:

Google Cloud – SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018

Supabase – SOC 2 Type II

Stripe – PCI DSS Level 1, SOC 1, SOC 2

Sentry – SOC 2 Type II

Contact

For questions about our Sub-processors or to object to changes:

Email: hello@naoa.app

Address: Aleksander Popek ul. Pawia 3/14 05-803 Pruszków, Poland