Legal

Sub-processors

The vendors that process firm or client data on our behalf, what they handle, and where they sit.

Last updated: 22 May 2026

What this list covers

This is the list of third parties — "sub-processors" — that we use to deliver the PlanHouse service. They process information on our behalf, only to the extent needed to provide the service, and under contracts that require appropriate security and confidentiality.

Tools we use to run our own business but that do not process firm or client personal information (for example, internal communications or accounting software) are not sub-processors for the purposes of this list.

Notice of changes

Before we add or replace a sub-processor that processes personal information, we will notify active firms by email with reasonable notice (we aim for at least 30 days). If your firm reasonably objects on data-protection grounds, we will work with you to find an alternative or, where no alternative is workable, you may terminate the affected service without penalty.

To receive notifications, make sure your firm admin's email is current in app.planhouse.ai.

Current sub-processors

Vultr Holdings, LLC

Purpose:
Virtual-server hosting for the PlanHouse application and database.
Data:
All firm and client information held in the PlanHouse database; host-level operational data. Adviser-uploaded files are stored separately in Cloudflare R2 (see the next row), not on the Vultr host.
Location:
Sydney, Australia.
Agreement:
Vultr Master Services Agreement; encryption at rest at the storage layer.

Cloudflare, Inc.

Purpose:
Object storage (R2) for files uploaded by advisers and for encrypted database backups; DNS for planhouse.ai; email routing for inbound replies.
Data:
Uploaded files; encrypted database backup blobs (we encrypt the dumps with a key we hold before upload, so Cloudflare cannot read the contents); DNS records; inbound email routed to our inbox.
Location:
Cloudflare R2 — Oceania jurisdiction. DNS and email routing — Cloudflare global edge.
Agreement:
Cloudflare Self-Serve Subscription Agreement and Data Processing Addendum.

Anthropic, PBC

Purpose:
Large language model API ("Claude") used to power AI features — drafting advice document sections, summarising notes, suggesting strategies, preparing review packs.
Data:
The grounded context for a single AI request — the relevant subset of one client's record needed to answer the adviser's prompt. Requests are not blended across clients or firms.
Location:
United States.
Agreement:
Anthropic Commercial Terms of Service and Data Processing Addendum. Under those terms, Anthropic does not use API inputs or outputs to train their models.

MailerSend (Mailerlite UAB)

Purpose:
Transactional email delivery — sign-up invitations, password-reset links, forgot-password emails and similar service messages.
Data:
Recipient name and email, message subject and body, send metadata required for delivery and deliverability reporting.
Location:
European Union and United States infrastructure.
Agreement:
MailerSend Terms of Service and Data Processing Addendum.

How AI processing works in this chain

When you use an AI feature in PlanHouse, the relevant subset of a single client's record is composed into a prompt and sent to Anthropic's API. Anthropic returns the model output to PlanHouse, which displays it in the application as a draft for adviser review. Under Anthropic's commercial API terms they do not use the request or the response to train or improve their models; they may retain the data briefly for safety and abuse monitoring. Nothing about other clients or other firms is included in the request.

Questions

For questions about this list or about how a specific sub-processor handles your data, email [email protected].

See also: our security page for how data is protected end-to-end, and our privacy policy for the broader picture.