tsumu。
tsumu。
WorkspaceSign in

Legal

Subprocessors

Production providers that help Tsumu operate the app, billing, AI features, support, and security controls.

Legal documentsCurrent: Subprocessors
EnglishPrimary legal documents and support.
Terms of ServiceRules for using Tsumu.Privacy PolicyHow personal data is handled.Data Processing AddendumB2B controller and processor terms.SubprocessorsProviders that support Tsumu operations.SupportHelp, security, privacy, and legal contact.ContactPublic support request form.Cancel subscriptionStart online cancellation for a paid plan.
Operator noticesGerman statutory notices because the operator is established in Germany; not German-market product positioning.
NutzungsbedingungenGerman statutory reference copy.DatenschutzerklärungGerman statutory privacy reference.AuftragsverarbeitungGerman statutory DPA reference.ImpressumAnbieterkennzeichnung und Kontakt.

Status

Effective date: May 20, 2026.

This page lists production providers and public vendor legal references for Tsumu.

Questions or objections can be sent to support@tsumuapp.com.

Scope

Subprocessors may process personal data only for the purposes needed to provide, secure, support, bill, and maintain Tsumu.

Tsumu does not sell workspace data and does not share personal data for cross-context behavioral advertising.

Provider legal references below link to vendor DPA, transfer, and subprocessor pages where available. Apple iCloud Mail is used for direct email sent to Tsumu support or contact addresses under Apple/iCloud public terms.

Provider list9 production providers
SupabaseAuthentication, database, storage, edge functions, and operational logs.
Data categories
Account data, workspace records, source and notebook content, chat records, usage/security logs.
Location / transfer note
Current production project hosted in Ireland. Supabase publishes DPA, transfer, and subprocessor terms and may process limited account, usage, support, security, or service metadata under its own provider terms.
Firebase App Hosting / Google CloudWeb app hosting, deployment, runtime infrastructure, and hosting logs.
Data categories
Technical request data, deployment/runtime logs, and related operational metadata.
Location / transfer note
App Hosting backend configured in europe-west4. Firebase and Google Cloud publish data-processing, transfer, and subprocessor terms.
Cloudflare TurnstileBot and abuse prevention for signup, login, password reset, confirmation resend, and security-sensitive account flows.
Data categories
Client IP address, TLS/browser fingerprints, user-agent header, sitekey and origin, challenge tokens/results, and related security metadata.
Location / transfer note
Cloudflare publishes Turnstile privacy, DPA, transfer, and subprocessor terms. Turnstile may process security signals through Cloudflare's global network and may use signals to improve Turnstile under its own privacy notice.
OpenAIAI generation, source processing, and moderation/safety checks.
Data categories
Prompts, message or reply text for moderation, source excerpts, chat context, generated context, and usage metadata.
Location / transfer note
Provider locations, transfer terms, API data controls, and retention rules are documented by OpenAI. Tsumu does not intentionally opt workspace content into provider model training.
AnthropicAI chat generation for supported models.
Data categories
Prompts, source excerpts, chat context, generated context, and usage metadata.
Location / transfer note
Provider locations, transfer terms, API data controls, and retention rules are documented by Anthropic. Tsumu does not intentionally opt workspace content into provider model training.
StripeCheckout, subscriptions, invoices, customer portal, payment handling, failed-payment handling, cancellation, and billing webhooks.
Data categories
Billing identifiers, customer details, invoice metadata, payment metadata, subscription status, plan metadata, and fraud/security signals.
Location / transfer note
Provider locations, transfer terms, and service-provider terms are documented by Stripe. Stripe may process some payment, fraud, risk, compliance, security, and legal-obligation data under its own legal role.
Umami CloudCookie-free website analytics for pageviews, referrers, browsers, devices, approximate location, and aggregate visit metrics.
Data categories
Website analytics events, page path without URL query strings or hash fragments, referrer URL, page title, browser, operating system, device type, screen size, language, approximate location derived from request or network metadata, and aggregate visit metrics.
Location / transfer note
Umami Cloud is operated by Umami Software, Inc. Umami publishes cloud, privacy, DPA, and subprocessor references. Tsumu configures Umami to respect browser Do Not Track and exclude URL query strings and hash fragments.
ResendProduction authentication and transactional account email delivery configured through Supabase Auth.
Data categories
Recipient email, account email, authentication email content, confirmation or reset links, and delivery metadata.
Location / transfer note
Provider locations, transfer terms, email-content handling, and optional tracking controls are documented by Resend. Tsumu does not use Resend for marketing email or support request forwarding at launch.
Apple iCloud MailDirect support, privacy, legal, and contact email mailbox.
Data categories
Emails sent to Tsumu support or contact addresses, sender address, message content, voluntary attachments, and related mail metadata.
Location / transfer note
Direct email sent to Tsumu support or contact addresses is handled under Apple/iCloud public terms. It is disclosed as a fallback mailbox, not a DPA-backed primary support processor. In-app support requests are stored in Supabase.
Provider legal referencesVendor DPA, transfer, and subprocessor links
SupabaseThe DPA includes SCC/transfer terms and a subprocessor schedule.
  • Data Processing Addendum
  • Privacy Policy
  • Security documentation
Firebase App Hosting / Google CloudPublic Firebase and Google Cloud data-processing, SCC, and subprocessor sources are listed below.
  • Firebase Data Processing and Security Terms
  • Firebase SCCs
  • Firebase subprocessors
  • Google Cloud Data Processing Addendum
  • Google Cloud EU C2P SCCs
  • Google Cloud EU P2P SCCs
  • Google Cloud EU P2C SCCs
  • Google Cloud Alternative Transfer Solution
  • Google Cloud subprocessors
Cloudflare TurnstileTurnstile is used as a CAPTCHA alternative for security-sensitive forms.
  • Turnstile Privacy Addendum
  • Turnstile documentation
  • Cloudflare Data Processing Addendum
  • Cloudflare subprocessors
OpenAIThe DPA includes SCC/transfer terms by reference.
  • Data Processing Addendum
  • Subprocessor list
AnthropicThe DPA includes SCC/transfer terms.
  • Data Processing Addendum
  • Subprocessors
StripePublic Stripe DPA, transfer, privacy framework, and service-provider sources are listed below.
  • Data Processing Agreement
  • Data Transfers Addendum
  • Data Privacy Framework policy
  • Service providers
Umami CloudUmami Cloud provides cookie-free website analytics. The DPA identifies Umami Software, Inc. as data processor.
  • Privacy Policy
  • Terms of Service
  • Subprocessors
  • Data Processing Agreement
  • Cloud FAQ
  • Metric definitions
ResendThe DPA includes SCC/transfer terms.
  • Data Processing Addendum
  • Subprocessors
Apple iCloud MailApple iCloud Mail is used for direct email sent to the published support or contact addresses. In-app support requests are stored in Supabase.
  • iCloud Terms
  • Apple Privacy Policy
  • iCloud Mail privacy disclosure
Additional notesAnalytics, support mail, DPA scope, and backups

Tsumu loads Umami Cloud for cookie-free website analytics and does not load Google Analytics or Firebase Analytics client code. The Firebase project still has a Google Analytics measurement ID, but GA remains uninitialized in the app code.

Tsumu configures Umami to respect browser Do Not Track, exclude URL query strings, and exclude URL hash fragments. Google Analytics, Firebase Analytics, advertising cookies, marketing pixels, or analytics requiring additional consent should not be added without updating privacy and consent materials first.

Cloudflare Turnstile may process client-side signals for bot detection and blocking on security-sensitive forms. Keep Turnstile limited to security and abuse-prevention purposes unless privacy and consent materials are reviewed again.

OpenAI and Anthropic commercial API documentation says provider-side data controls and retention can vary by endpoint, account setting, and eligibility. Tsumu does not claim Zero Data Retention or equivalent settings unless those settings are separately enabled and verified.

Stripe may process payment, fraud, risk, compliance, security, and legal-obligation data under its own controller, service-provider, or independent-provider role.

Resend may process transactional email content and delivery metadata for delivery, reliability, abuse prevention, and provider compliance. Optional open or click tracking should remain disabled unless Tsumu updates privacy and consent materials first.

In-app support requests are stored in Supabase. Direct email sent to Tsumu support or contact addresses is handled through Apple iCloud Mail.

The Data Processing Addendum describes Tsumu's processor role for customer-uploaded content where the customer controls personal data.

Backup availability follows the active infrastructure provider plan and product configuration. Provider database backups may not include separate storage objects.

Legal
EnglishTerms of ServicePrivacy PolicyData Processing AddendumSubprocessorsSupportContactCancel subscription
Operator noticesNutzungsbedingungenDatenschutzerklärungAuftragsverarbeitungImpressum