Our Sub-Processors

The third parties we rely on to deliver WalletGrower's services, and the categories of data each one processes on our behalf.

Last updated: May 6, 2026

Fiat Growth, LLC ("we") is the data controller for WalletGrower. To deliver our services we use a small number of third-party service providers, listed below. These providers are our "sub-processors" under the GDPR (and equivalent terms under UK GDPR, Swiss FADP, and CCPA/CPRA): they process personal data on our behalf, under written data-processing agreements that limit how that data may be used.

Where a sub-processor is located outside your jurisdiction, the transfer is covered by the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), or — for Swiss data subjects — the Swiss FADP equivalent. Most of our infrastructure is hosted in the United States; transfers from the EEA, UK, and Switzerland to the United States are made under those mechanisms.

We update this list when we add, remove, or change a sub-processor. Material changes will be reflected on this page; significant additions affecting how user data is processed will also be communicated by email or in-app notice.

Questions or objections? Contact hello@walletgrower.com. You can also exercise your data-subject rights by following the instructions in our Privacy Policy.

Vercel Inc.

Purpose: Web hosting, edge content delivery, serverless function execution, and DDoS mitigation for walletgrower.com and app.walletgrower.com.
Data accessed: All page requests, IP address, user-agent, geographic region (country/region), authentication cookies.
Location: United States (global edge network).
Cross-border transfer: Covered by EU Standard Contractual Clauses, UK IDTA, and Swiss FADP equivalents where applicable.

Supabase Inc.

Purpose: Primary database (PostgreSQL), authentication (OAuth + email/password), session management, file storage.
Data accessed: Account profile (email, name, hashed password if applicable, OAuth provider IDs), saved tools data, calculator inputs, chat logs, email-subscriber records, earnings ledger cache.
Location: United States (us-east-1).
Cross-border transfer: Covered by EU Standard Contractual Clauses, UK IDTA, and Swiss FADP equivalents where applicable.

Anthropic, PBC

Purpose: Powers the Walley AI chatbot — generates conversational responses to user questions about personal finance.
Data accessed: Each chat message you send to Walley (your text), conversation context. We do not send your account email, identity, or earnings data to Anthropic.
Location: United States.
Cross-border transfer: Covered by EU Standard Contractual Clauses, UK IDTA, and Swiss FADP equivalents where applicable.

Besitos Corporation, LLC

Purpose: Powers the WalletGrower Earn marketplace: games, surveys, deals, cashback offers, the user wallet, and cashout to gift cards / PayPal / Venmo. Also handles customer support for wallet, earnings, and payout questions.
Data accessed: Account identifier (Supabase user ID), first/last name, email, IP address, device identifiers, country, click and conversion events on offers, survey responses (when you opt in), wallet balance and transaction history.
Location: United States. EU/UK/Swiss user data is transferred under EU Standard Contractual Clauses (Module 2 + 4) and the UK International Data Transfer Addendum. Sub-processor list at https://wall.besitos.ai/subprocessors.
Cross-border transfer: Covered by EU Standard Contractual Clauses, UK IDTA, and Swiss FADP equivalents where applicable.

Engine Tech, Inc.

Purpose: Powers our financial-product matching for credit cards, personal loans, mortgages, deposits, insurance, and similar verticals — surfaces personalized offers and routes qualified leads to lenders/issuers.
Data accessed: Anonymous browsing context (article ID, placement tags, campaign tags, user segment), and — when you submit a financial-product application form — the data you enter into that form (e.g., requested loan amount, ZIP code, income range).
Location: United States.
Cross-border transfer: Covered by EU Standard Contractual Clauses, UK IDTA, and Swiss FADP equivalents where applicable.

Resend Inc.

Purpose: Transactional and lifecycle email delivery (welcome series, weekly digests, behavioral triggers, password resets, earnings notifications).
Data accessed: Email address, name, message content (subject, body, links). Email-engagement signals (open, click) when you interact.
Location: United States.
Cross-border transfer: Covered by EU Standard Contractual Clauses, UK IDTA, and Swiss FADP equivalents where applicable.

Beehiiv Inc.

Purpose: Newsletter customer-relationship management — stores subscriber records and powers segmentation/analytics for our editorial newsletter.
Data accessed: Email address, signup source, country/region, subscription status, engagement signals (open, click).
Location: United States.
Cross-border transfer: Covered by EU Standard Contractual Clauses, UK IDTA, and Swiss FADP equivalents where applicable.

Cloudflare, Inc.

Purpose: Bot protection (Cloudflare Turnstile) on signup and contact forms.
Data accessed: IP address, user-agent, browser fingerprinting signals (collected by Turnstile, retained per Cloudflare's policy).
Location: United States (global edge).
Cross-border transfer: Covered by EU Standard Contractual Clauses, UK IDTA, and Swiss FADP equivalents where applicable.

Google LLC

Purpose: Google OAuth (Sign in with Google) and Google Analytics 4 (aggregate-only usage analytics, opt-in via cookie banner).
Data accessed: OAuth: Google account email, profile name, profile photo URL. Analytics: pageviews, session metadata, anonymized IP, country/region (only after you accept analytics cookies).
Location: United States (global infrastructure).
Cross-border transfer: Covered by EU Standard Contractual Clauses, UK IDTA, and Swiss FADP equivalents where applicable.

Tango Card, Inc. (via Besitos)

Purpose: Gift-card and prepaid-card cashout fulfillment when users redeem earnings.
Data accessed: Email address, redemption amount, gift-card brand selection. WalletGrower does not interact with Tango directly — Besitos provisions the payout.
Location: United States.
Cross-border transfer: Covered by EU Standard Contractual Clauses, UK IDTA, and Swiss FADP equivalents where applicable.

PayPal, Inc. and Venmo (a service of PayPal)

Purpose: PayPal and Venmo cashout rails when users redeem earnings to a connected wallet (via Besitos).
Data accessed: Email address (PayPal) or phone/handle (Venmo), redemption amount. WalletGrower does not interact with PayPal/Venmo directly — Besitos provisions the payout.
Location: United States.
Cross-border transfer: Covered by EU Standard Contractual Clauses, UK IDTA, and Swiss FADP equivalents where applicable.

GitHub, Inc.

Purpose: Source code, build artifacts, scheduled jobs (GitHub Actions). Does not process end-user runtime data; included for completeness as part of our infrastructure supply chain.
Data accessed: No end-user personal data is stored in GitHub. Listed for full transparency on our infrastructure stack.
Location: United States.
Cross-border transfer: Covered by EU Standard Contractual Clauses, UK IDTA, and Swiss FADP equivalents where applicable.

About this list.The above are "sub-processors" in the GDPR sense — they process personal data on our behalf as part of operating WalletGrower. Other vendors we use that do notprocess end-user personal data (e.g., development tools, internal monitoring) are not listed here, but we're happy to share them on request.

For the legal basis on which we share your data with these sub-processors, see our Privacy Policy. For our editorial / monetization disclosures, see our Disclosure Policy.