Effective date: 1 June 2026 · Last reviewed: 1 June 2026 · Version 2.5 (Added Australian Business Register / ABN Lookup web services disclosures for the optional subcontractor / TPAR ABN check: a new ABN Lookup row was added to the Current subprocessors table, immediately after the Bureau of Meteorology row.) Earlier change history: Version 2.4 (18 May 2026) (Places API (New) row added - address-fragment autocomplete shipped 17 May 2026 with the Google OAuth migration; Maps Platform row narrowed to tiles + the legacy geocode REST proxy; Netlify row note added to record its role serving the OAuth callback page for Gmail and Drive flows.) Earlier change history: Version 2.3 (14 May 2026) added Anthropic, Bureau of Meteorology, APNs and FCM push-delivery sub-rows; softened the Document AI retention claim; added the ML Kit metrics caveat.
SoloTrade is operated by SoloTradeOS (sole trader, Australian Business Number 75 640 151 073). To deliver the Application, we engage a small number of third-party service providers who process personal information on our behalf. Each is bound by a Data Processing Agreement that obliges it to apply protections substantively comparable to the Australian Privacy Principles.
This page is published in good faith for transparency. It is updated whenever a subprocessor is added, removed, or substantially changed. Material changes will also be notified through the Application or by email, in line with our Privacy Policy.
| Provider | Purpose | Data residency | DPA / contract |
|---|---|---|---|
| Supabase (Supabase, Inc., USA) | Database, authentication, file storage, server-side Edge Functions, scheduled cron jobs. | AWS Asia Pacific (Tokyo) - region ap-northeast-1. Supabase, Inc. is incorporated in Delaware, USA; corporate access from the USA. |
Supabase Data Processing Addendum (auto-accepted at account creation). |
| RevenueCat (RevenueCat, Inc., USA) | Subscription state and platform-receipt validation. | United States - AWS US-East regions. | RevenueCat Data Processing Addendum. |
| Resend (Plus Five Five, Inc., trading as Resend, USA) | Outbound email delivery - only for emails the user initiates (quote / invoice / overdue reminders) and the operator's transactional and lifecycle emails. Verified sending domain solotrade.com.au. |
United States - AWS US-East-1 (Northern Virginia). | Resend Data Processing Addendum. |
| Sentry (Functional Software, Inc., trading as Sentry, USA) | Crash reports + sampled performance traces from production app sessions. Email, auth tokens, request bodies, cookies are stripped client-side before send. Used to diagnose bugs. | United States primary, Germany fail-over. | Sentry Data Processing Addendum at sentry.io/legal/dpa/. |
| Google Cloud - Document AI (Google LLC, USA) | Receipt OCR for Synced-mode receipts only. The Specialised Receipt Parser extracts structured fields (merchant, totals, GST, line items) and returns them to the application. Receipt content is processed by Google only for the duration of the synchronous API call and is not retained for training or other purposes, subject to the Google Cloud Data Processing Addendum and the Service Specific Terms for AI / Machine Learning Products applicable to Document AI. | Australia (Sydney) - region australia-southeast1. Receipt photos are processed in-region; Google LLC is incorporated in Delaware, USA. |
Google Cloud Data Processing Addendum and the AI / ML Service Specific Terms at cloud.google.com/terms/service-terms. |
| Google Cloud - Places API (New) (Google LLC, USA) | Address autocomplete on the address fields in the New Client and New Job Site screens. As you type, the fragment of address text you have entered (after 3 characters) is sent through the SoloTrade places-autocomplete Edge Function - which proxies to Google with a server-side IP-restricted key - and Google returns suggested addresses. When you pick a suggestion, a one-shot places-details lookup returns the full formatted address plus coordinates. Each typing session is grouped by a randomly-generated session token so Google bills the keystrokes as one session; no SoloTrade user identifier, account ID, or device identifier is sent - only the address-fragment text, the session token, and the AU region bias. Use of the Places API is governed by the Google Maps Platform Terms of Service (developers.google.com/maps/documentation/places/web-service/policies), which permit indefinite storage of Google place_id values but restrict caching of other Places content. |
Global edges. Address-fragment requests are proxied through our Tokyo-region Edge Function before they reach Google. Google LLC is incorporated in Delaware, USA. | Google Cloud Data Processing Addendum + Google Maps Platform Terms of Service. |
| Google Cloud - Maps Platform (Google LLC, USA) | Map tile rendering on Job Site maps; optional address-to-coordinates lookup ("Find my address") via the SoloTrade geocode-address Edge Function which proxies to Google with a separate IP-restricted server-side key. Note: address-fragment autocomplete is a separate Google product - see the "Places API (New)" row above. |
Global edges; geocode REST proxied through our Tokyo-region Edge Function before it hits Google. Google LLC is incorporated in Delaware, USA. | Google Cloud Data Processing Addendum. |
| Google Cloud - Drive API (Google LLC, USA) - only if you opt in | Backing up your data (CSV + ZIP) to your own Google Drive at your request. Scope is drive.file: only files our app creates in your Drive are visible to us. Refresh token stored encrypted in Supabase Vault. |
Your Drive's home region (typically United States for AU users; varies by your Google Account). | Google Cloud Data Processing Addendum + your direct relationship with Google. |
| Google Cloud - Gmail API (Google LLC, USA) - only if you opt in | Sending your quote/invoice emails from your Gmail address (the message appears in your Sent folder; replies go to you, not us). Scope is gmail.send: we cannot read your inbox or contacts. Refresh token stored encrypted in Supabase Vault. |
United States. | Google Cloud Data Processing Addendum + your direct relationship with Google. |
| Google Cloud - Play Integrity (Google LLC, USA) | Returns a short-lived signed verdict that the app on your device is a genuine, unmodified install. Used by privacy-sensitive Edge Functions to reject root-kits / cloud emulators. No PII. | Google global. | Google Play Developer Distribution Agreement. |
| Google ML Kit Text Recognition (Google LLC, USA - on-device library) | On-device OCR for three flows: (1) Private-mode receipts (Mode B), (2) V36.3 Photo → quote line-item OCR, and (3) V36.7 Compliance Scan Card. In all three flows the image content stays on your device - the text-recognition model is bundled into the APK and processes the photo locally; only the extracted plain text is then used (sent to Anthropic for structured parsing in flows 2 and 3, retained locally and the structured metadata only synced for flow 1). Per the published ML Kit Terms, Google's libraries may collect anonymous library-performance metrics (e.g. how long the OCR call took, library version, device model) for the purpose of improving the library - this is metadata about the library's operation, not your image content. | OCR is on-device; library metrics are sent by Google's library directly to Google. | ML Kit Terms at developers.google.com/ml-kit/terms. |
| Upstash (Upstash, Inc., USA) | Per-user request-rate counters used to defend our server-side functions from abuse. Counters are keyed on user-id and function-name; they contain no user content. | Australia (Sydney) - AWS region ap-southeast-2. Upstash, Inc. is incorporated in Delaware, USA. |
Upstash Data Processing Addendum at upstash.com/static/trust/dpa.pdf. |
| Anthropic (Anthropic, PBC, USA) | Generative-AI model (Claude Haiku 4.5) used for three operator-facing surfaces: quote-line drafting (short professional descriptions for quote items); follow-up email drafting (operator-approved reminder emails to clients of an existing commercial relationship); and the conversational job-history lookup (operator asks a question about their own past work; we send relevant matched records to the model and return a cited answer). Each call sends only the data necessary for the surface: business name, trade type, operator writing tone, and short free-text context about a single quote, invoice, or matched-record set. We never send authentication credentials, payment data, photos, audio, or location coordinates. Output is operator-reviewed before any client-facing send. | United States. API calls are issued from our Supabase Edge Functions (Tokyo) to api.anthropic.com in the USA. |
Anthropic Commercial Terms of Service and the Anthropic Data Processing Addendum. Anthropic's published API policy is that customer inputs are retained for 30 days for trust-and-safety review and are not used to train their models. |
| Bureau of Meteorology (Australian Government, Commonwealth) | Daily weather-forecast lookup used by the optional weather-aware rescheduling feature: if you have a scheduled job for the next 24–72 hours, our daily 20:00 UTC cron sends the job's latitude/longitude to the BoM public forecast API to check for severe-weather warnings, and surfaces an in-app alert if a warning is in force. No personal identifier is sent - only the latitude/longitude of the scheduled job. Operators can disable weather alerts in Settings. | Australia. BoM operates Commonwealth-controlled infrastructure under the Meteorology Act 1955. | The BoM API is a public Commonwealth dataset with no user account. We send no PII; BoM publishes its data-licensing terms at bom.gov.au/other/copyright.shtml. |
| Australian Business Register - ABN Lookup web services (Australian Government, Commonwealth) | Validates an ABN for the optional subcontractor / TPAR ABN check. When you check a subcontractor's ABN, that ABN is sent to the Commonwealth's ABN Lookup web service, which returns the entity's registered or business name and GST-registration status. ABN details are public-register information. We store only a status snapshot against the subcontractor record; we re-query rather than rely on stale data, and delete cached details if notified they have been withdrawn. No SoloTrade user identifier is sent - only the ABN being checked. | Australia. The ABR is operated by the Registrar under Commonwealth-controlled infrastructure; requests are issued from our Edge Function. The Commonwealth makes no warranty as to accuracy and accepts no liability for reliance. | ABN Lookup Web Services Agreement (free registration; authentication GUID held server-side). Disclaimer + agreement at abr.business.gov.au. |
| Apple App Store (incl. APNs push delivery) | iOS app distribution and processing of subscription payments. Apple is the merchant of record for AU iOS subscriptions. We also use Apple Push Notification service (APNs) to deliver push notifications (V35.1 compliance-credential expiry reminders, V35.8 weather alerts, V34.C follow-up-ready pings) to iOS devices that have opted in. Push payloads contain only short labels (e.g. "Insurance renewal in 7 days"); detail loads from your account when you tap the notification. | Apple Pty Ltd (Australia, ABN 46 002 510 054) for the merchant relationship; Apple's data processing is global with primary servers in the USA and Ireland. | Apple Developer Program Licence Agreement; APNs terms are part of the same agreement. |
| Google Play (incl. Firebase Cloud Messaging push delivery) | Android app distribution and processing of subscription payments. Google is the merchant of record for AU Android subscriptions. We also use Firebase Cloud Messaging (FCM) to deliver push notifications to Android devices that have opted in (same trigger set as APNs above). Push payloads contain only short labels. | Google Asia Pacific Pte Ltd (Singapore) for the merchant relationship; Google's data processing is global with primary processing for AU users in Singapore and the USA. FCM is hosted in the USA. | Google Play Developer Distribution Agreement; FCM terms are part of the Firebase Terms of Service. |
| Expo Application Services (EAS) (Expo, Inc., USA) | Application build and over-the-air JavaScript bundle updates. No user content. | United States - AWS US-East-1 (Northern Virginia). | Expo Terms of Service. |
| Netlify (Netlify, Inc., USA) | Static hosting for solotrade.com.au, solotrade.netlify.app (privacy / terms / support / sub-processors / public quote-and-invoice landing pages). Since 17 May 2026, Netlify also serves the /oauth-callback static page that completes the Google OAuth handshake for the optional Gmail and Drive opt-ins - the page receives the single-use authorisation code from Google, immediately forwards it to the SoloTrade app via deep-link, and is not used by Google for any other purpose; no token is stored at Netlify. |
USA build infrastructure; CDN serves AU traffic from Sydney edge POPs. | Netlify standard terms. |
| Zoho Mail (Zoho Corporation Pvt Ltd) | Operator's support inbox at support@solotrade.com.au. |
Australia - the operator's mailbox is on Zoho Mail's Australian (AU) region; AU mailboxes are processed in Zoho's Australian data centre. | Zoho's standard customer terms. |
For completeness, the Application does not rely on the following categories of provider:
solotrade.app; that domain is not operator-controlled (it currently serves an unrelated waitlist site) and SoloTrade has no Cloudflare account. Listed here for transparency about the correction.If we add, replace, or remove a subprocessor, we will:
SoloTrade · Operated by SoloTradeOS (sole trader) · ABN 75 640 151 073 · 39 Dew Street, Thebarton, South Australia 5031 · support@solotrade.com.au
This page forms part of the disclosures required by clauses 7 and 15 of the Privacy Policy.