Legal
Subprocessors
Last updated: May 24, 2026
ExpiresOS uses the vendors below to deliver the service. Each one processes customer data only on our written instructions and is bound by an underlying data processing agreement. We update this list when we add, remove, or replace a subprocessor.
| Vendor | Purpose | Data | Location |
|---|---|---|---|
| Clerk | Authentication, MFA, and user identity | Email, name, profile photo, session metadata | United States |
| Supabase | Application database and document storage | All application data, including uploaded documents | United States (us-east-1) |
| Render | Application hosting and the OCR microservice | Server-side request data, application logs | United States |
| Anthropic | AI extraction of dates and fields from uploaded documents | Text content of a document at the moment it is processed; not retained by Anthropic beyond the request | United States |
| Stripe | Payment processing for paid plans | Billing identifiers and card data (handled entirely by Stripe) | United States and global |
| Resend | Transactional email — reminders and account email | Recipient email address and message contents | United States |
| Twilio | SMS reminder delivery | Recipient phone number and message contents | United States and global |
Notice of changes
We post additions or replacements here at least 30 days before they take effect, unless a faster change is required for security or continuity. To receive these notices by email, write to privacy@expiresos.com asking to subscribe.