Subprocessors
Last updated: June 16, 2026
The third parties that process user data on behalf of Crosspoint Capital Inc. (the data controller, doing business as TradeFlow Quantum). This list is the canonical reference for our Privacy Policy and any Data Processing Agreement. Material changes are announced at least 30 days before the new subprocessor sees customer data.
| Provider | Purpose | Data accessed | Region |
|---|---|---|---|
| Clerk | Authentication | Email, password (hashed), IP at sign-in, optional MFA factors | US |
| Supabase | Database + storage (Postgres) | All app data: trades, settings, audit log, broker connection metadata. Broker access tokens encrypted at rest with AES-256-GCM before storage; the database administrator cannot read them. | US (configurable per project) |
| Vercel | Application hosting + request logs | IP + URL + user-agent for every request, 30-day retention. No request bodies. | US/EU edge |
| Stripe | Payment processing + billing portal | Email, billing address, last-4 of card. We never see the full card number — Stripe.js tokenizes it before our server is reachable. | US/EU |
| Resend | Transactional, lifecycle, digest, and lead-magnet email (welcome, trial reminders, weekly digest, comparison guide) | Your email address + the email body content (which is rendered per-user from your own trade data for the digest; static-copy templates for everything else) | US/EU |
| Polygon.io | Market price feed (calendar quotes + bar replay charts) | Symbol tickers from your traded history — fetched only when you visit pages that need bars. No PII, no account info. | US |
| SnapTrade | Brokerage data aggregator (read-only sync for Robinhood, Webull, Fidelity, Vanguard, Public.com, Interactive Brokers, eToro, M1, SoFi, and crypto exchanges that don't expose public OAuth) | Your brokerage account credentials (handled by SnapTrade — Crosspoint Capital Inc. never sees them), your trade and position history from the connected accounts, and a per-user identifier issued by SnapTrade. Used only when you opt in to connect a broker via SnapTrade; not used for users who only use native broker integrations. | US/CA |
| PostHog | Anonymized product analytics (opt-in via cookie consent) | Page-view URL + timestamp. We do not capture form values, clicks on PII, or session replay. | US/EU |
Brokerage data sources. When you connect a broker (Alpaca, Tradier, Schwab, E*TRADE, Tastytrade, TradeStation, Tradovate, Coinbase, Questrade, OANDA), you authorize us to read your trade history from that broker via their OAuth API. The broker is your data controller for that data. We are the processor only for the post-import journal entries we store in Supabase. Broker access tokens are encrypted at rest and revocable from the Brokers page (disconnects immediately invalidate the token).
Cookie-gated subprocessor. PostHog only loads after you accept the cookie consent banner. Decline and it never fires any network request from your browser.
No advertising or analytics resellers. We don’t use Google Analytics, Facebook Pixel, or any data broker. The list above is the complete set of third parties that ever sees customer data.
Data subject rights. Export your data anytime from Settings → Full data backup (JSON). Delete your account from Settings → Danger zone → Delete account (one-shot wipe across every subprocessor we control: Supabase rows, Stripe customer record, Clerk user). PostHog opt-out is via the cookie banner; previously-captured anonymized events expire on the standard retention schedule. EU users can exercise GDPR rights via the same self-serve flows.