trust center · data + privacy · GDPR
every system that touches your data, listed.
respira is one person and a short list of carefully picked vendors. here is exactly who they are, what they do, where they store things, and whether there is a DPA on file.
last updated May 24, 2026
at a glance
- data residency. EU (Frankfurt) · Supabase Pro, primary region
- encryption. TLS 1.3 in transit · AES-256 at rest
- cookie taxonomy. 4 categories · essentials always on · 3 opt-in
- breach notification. 72 hours · GDPR Art. 33
sub-processors
12 vendors. add or swap one and this page updates from a single typed source.
| vendor | purpose | region | cookies | category | DPA |
|---|---|---|---|---|---|
| Supabase | Auth, primary Postgres, file storage, edge functions. Email, hashed password, user metadata (preferences), license records, telemetry events. No payment data (handled by LemonSqueezy / Polar). | EU (Frankfurt, eu-central-1) | sb-*-auth-token | essentials | DPA → DPA signed · Nov 14, 2025 + SCCs |
| Vercel | Hosting, edge network, serverless function execution. Request headers (IP, UA, country), routing metadata. No request bodies stored beyond function log retention (24h on the hobby tier, 7d on Pro). | EU + global | server-side only | essentials | DPA → standard terms accepted · Nov 14, 2025 + SCCs |
| Google Analytics 4 | Aggregate page-view + event analytics. Truncated IP, user agent, anonymised client id, page path, event name, optional user_id (Supabase UUID) when logged in. | Global (with EU IP truncation) | _ga, _ga_F55E0B1KNX | analytics | DPA → standard terms accepted · Nov 14, 2025 + SCCs |
| PostHog | Product analytics inside the dashboard. Distinct id = Supabase user UUID, email, plan tier, is_trial. Inputs masked in session replays. No payment data, no chat content. | EU (eu.i.posthog.com) | ph_* | analytics | DPA → DPA signed · Jan 12, 2026 + SCCs |
| Customer.io | In-app messaging and journeys. Anonymous visitor id (cookie-bound) or email when logged in. Message impressions, clicks. No content payloads beyond what is needed for delivery. | EU | _cio* | messaging | DPA → DPA signed · Dec 20, 2025 + SCCs |
| Chatwoot | Live chat support widget. Visitor identifier, chat transcript, optional email if you start a conversation. Inactive sessions purge. | EU (Chatwoot self-hosted) | cw_* | messaging | DPA → standard terms accepted · Jan 5, 2026 + SCCs |
| Resend | Transactional and broadcast email delivery. Recipient email, subject, body, delivery + open + click events. Bodies retained 14 days. | EU | server-side only | essentials | DPA → DPA signed · Nov 25, 2025 + SCCs |
| LemonSqueezy | Payment, subscription billing, affiliate payouts. Billing email, name, billing address, payment method tokens (never raw card numbers — those stay with Stripe via LemonSqueezy). Affiliate code only. | Global | respira_aff, ls_aff, LemonSqueezy session cookies during checkout | essentials | DPA → standard terms accepted · Nov 14, 2025 + SCCs |
| Polar | Payment + subscription billing (newer surfaces). Billing email, billing address, payment method tokens. No browser cookies on respira.press. | EU | server-side only | essentials | DPA → standard terms accepted · Feb 8, 2026 + SCCs |
| Anthropic | LLM inference for OG image text, page-feedback embeddings. Public-page title + description text. No user identifiers, no chat content, no PII. | US (with EU SCCs) | server-side only | essentials | DPA → DPA signed · Dec 1, 2025 + SCCs |
| Sentry | Error tracing and reliability monitoring. Stack traces, breadcrumbs, request metadata (path, status). Email + user_id only when explicitly attached to a captured exception. | EU (de.sentry.io) | server-side only | essentials | DPA → DPA signed · Dec 2, 2025 + SCCs |
| Frankfurter (ECB) | USD → EUR FX rate for the Earn page. None. Server-side only, requests a public exchange-rate JSON. | EU | server-side only | essentials | no DPA needed |
lawful basis varies per vendor (contract performance, consent, legitimate interest). per-vendor basis is documented in src/data/sub-processors.ts and surfaced via the cookie widget tune panel.
your rights
plain-english version of GDPR articles 15 through 22. response within 30 days, usually same week.
- access. ask for a copy of every personal data point on file. email word@respira.press.
- rectification. fix anything that is wrong about you. most fields live in /dashboard/settings; the rest is one email away.
- erasure. "right to be forgotten." closes the account, drops every row, and de-identifies retained transactional logs.
- portability. JSON export of your account, sites, telemetry, and billing history. file a request via email; turnaround is days, not weeks.
- restriction. pause processing without deleting (useful while you decide).
- objection. opt out of any processing based on legitimate interest. the cookie widget covers the consent-based categories; this is the broader sibling.
- automated decisions. no automated decisions with legal effect are made about you on respira.press today. if that ever changes, you will know first.
security posture
- authentication. Supabase Auth, magic link plus OAuth.
- authorization. Postgres Row-Level Security on every table. reads scoped to `auth.uid() = user_id` unless an admin gate explicitly bypasses.
- secrets. never in client bundles. rotated quarterly via Vercel env vars.
- backups. Supabase daily PITR, 30-day retention.
- breach notification. 72-hour commitment per GDPR Art. 33. notified via email + posted on this page.
- error tracing. Sentry EU region, PII scrubbing on by default.
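what the authorization bullet looks like in Postgres, as an added example rather than respira's own schema: a hypothetical `sites` table with RLS enabled, reads scoped to `auth.uid() = user_id`, and an admin gate assumed to be an `is_admin` claim in the JWT's `app_metadata` (Supabase's `auth.uid()` and `auth.jwt()` helpers are assumed available).

```sql
-- Added example, not respira's schema. Hypothetical table owned by a user.
create table if not exists public.sites (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null references auth.users (id) on delete cascade,
  hostname    text not null,
  created_at  timestamptz not null default now()
);

-- RLS is opt-in per table. Once enabled with no policies, every row is
-- invisible to the anon and authenticated roles; only service_role bypasses.
alter table public.sites enable row level security;
alter table public.sites force row level security;  -- applies to the owner too

-- Hypothetical admin gate: a claim set server-side in app_metadata.
-- app_metadata is not user-editable, unlike user_metadata, so it is safe
-- to trust as an authorization signal.
create or replace function public.is_admin() returns boolean
language sql stable security definer set search_path = public as $$
  select coalesce((auth.jwt() -> 'app_metadata' ->> 'is_admin')::boolean, false)
$$;

-- Reads: owner sees their rows, admin sees all (the explicit bypass).
create policy "sites: owner or admin can read"
  on public.sites for select
  to authenticated
  using (auth.uid() = user_id or public.is_admin());

-- Writes: USING filters which existing rows may be touched; WITH CHECK
-- validates the row as it will be stored. Without WITH CHECK an insert or
-- update could stamp another user's user_id onto a row.
create policy "sites: owner can insert"
  on public.sites for insert
  to authenticated
  with check (auth.uid() = user_id);

create policy "sites: owner can update"
  on public.sites for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "sites: owner can delete"
  on public.sites for delete
  to authenticated
  using (auth.uid() = user_id);
```

a quick check after applying policies: `select * from pg_policies where tablename = 'sites';` lists each policy with its `qual` (USING) and `with_check` expressions, which is what you audit against the "every table" claim.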
questions, requests, or just want to talk through how a workflow uses your data? word@respira.press.