
List of Subprocessors

A complete list of third-party sub-processors engaged by Latch for data processing. This page is maintained in accordance with our Subscriber Data Policy.

Last updated: 13 May 2026

1. Introduction

This page lists all third-party sub-processors engaged by USELATCH LTD (trading as “Latch”) to assist in the provision of our property management platform. This list is maintained in accordance with our obligations under Article 28 of the UK GDPR and our Subscriber Data Policy.

  • Each sub-processor has been assessed for adequate data protection practices.
  • Sub-processors are bound by data processing agreements imposing equivalent data protection obligations.
  • This page is updated when sub-processors are added, removed, or materially changed.
  • For full details of how we handle subscriber data, please see our Privacy Policy and Subscriber Data Policy.
  • This page also identifies statutory recipients of data that are not sub-processors (such as HMRC), where Latch transmits data at the subscriber’s instruction to a body acting as an independent data controller.

2. Current Sub-processors

The following sub-processors are currently engaged by Latch:

| Sub-processor | Purpose | Location | Data Processed | Transfer Mechanism |
|---|---|---|---|---|
| Supabase (AWS) | Primary database, user authentication, and secure file storage | EU (AWS eu-west region) | All core application data including account details, property records, tenant information, financial records, and uploaded documents | UK adequacy regulations 2021 (EU/EEA); DPA in place |
| Stripe, Inc. | Subscription billing and payment processing | United States | Subscriber name, email address, subscription plan, lease count, billing cycle, offer code, payment card tokens (full card numbers never stored by Latch); webhook events for subscription lifecycle, invoices, and refunds | UK IDTA / EU SCCs + UK Addendum (Stripe DPA) |
| SendGrid (Twilio) | Transactional email delivery and newsletter communications | United States | Recipient email addresses, names, and email content (verification codes, rent reminders, payment receipts, invoice notifications, security alerts, newsletter emails); delivery, bounce, open, click, deferred, dropped, and spam-report event tracking via webhook | UK IDTA / EU SCCs + UK Addendum (Twilio DPA) |
| Twilio (WhatsApp Business API) | WhatsApp messaging for automated rent reminders and landlord-tenant communications | United States (message content also traverses Meta WhatsApp infrastructure) | Recipient phone numbers, WhatsApp message content, delivery status tracking via webhooks, and WhatsApp opt-in/opt-out consent records | UK IDTA / EU SCCs + UK Addendum (Twilio DPA) |
| Plaid Inc. | UK Open Banking (PSD2) connectivity for bank account linking and transaction synchronisation | United States | Bank account and routing identifiers, account balances, transaction history, and OAuth-style access tokens. Bank credentials are entered into Plaid Link directly and are never seen by Latch. | UK IDTA / EU SCCs + UK Addendum (Plaid DPA) |
| Google (Gemini API) | Default AI provider for chat assistant, document analysis, and intelligent recommendations | United States | User prompts, attached file content, prior conversation turns, and contextual account data (property summaries, lease text, expense descriptions, tenant notes, document text). Processed under Google API terms; not used to train Google's general-purpose models. | Google API Terms of Service; UK IDTA / EU SCCs |
| Zhipu AI | Secondary AI inference for selected background AI tasks (e.g. low-cost classification) — optional / configurable | People's Republic of China | User prompts and contextual account data routed for the relevant feature only. Does not include passwords, payment details, NINO/UTR, HMRC tokens, or trusted-device identifiers. Processed under Zhipu API terms; not used to train Zhipu's general-purpose models. | UK International Data Transfer Agreement (IDTA), supported by a documented Transfer Risk Assessment that considers the PRC Cybersecurity Law 2017, Data Security Law 2021, and Personal Information Protection Law 2021 |
| Google (Gmail API) | Email integration for receipt extraction and communication management | United States | OAuth authorisation tokens, email content, and attachments (only when explicitly authorised by the user) | Google API Services User Data Policy; UK IDTA / EU SCCs |
| Google (Calendar API) | Calendar event synchronisation for viewing schedules and property events | United States | OAuth authorisation tokens and calendar event details (titles, dates, times) | Google API Services User Data Policy; UK IDTA / EU SCCs |
| Microsoft (Graph API / Outlook) | Outlook calendar event synchronisation — optional, only if Outlook is connected | United States | OAuth authorisation tokens and calendar event details | Microsoft DPA; UK IDTA / EU SCCs |
| Tavily | AI-powered web search for current public information retrieval — optional, only when AI web-search is enabled | United States | Search queries generated by the AI assistant. Only the query string is transmitted; no account context. Not used to train Tavily's models. | UK IDTA / EU SCCs (Tavily Privacy Policy) |
| Vercel | Application hosting, serverless function execution, and scheduled task processing | United States | Server access logs, request metadata, and IP addresses | UK IDTA / EU SCCs + UK Addendum (Vercel DPA) |
| Canopy (RentalStep Ltd) | Tenant background screening and credit checks — processes tenant personal data to provide referencing reports including credit history, identity verification, employment checks, and right to rent confirmation | United Kingdom | Tenant name, email address, phone number, date of birth, current and previous addresses, employment details; returns screening results, credit check outcomes, and referencing recommendations | Domestic (UK); subject to Canopy's own Terms and DPA |
| Cloudflare, Inc. (R2 Object Storage) | Private and public file storage across separate buckets: documents (private, signed-URL access), public, avatars, support attachments, email_assets, and csv import/export | United States | Uploaded files (documents, receipts, certificates, photographs, avatars, e-signature PDFs, support attachments). Documents bucket served via signed URLs with limited TTL. | UK IDTA / EU SCCs + UK Addendum (Cloudflare DPA) |
| Inngest, Inc. | Event-driven background job processing (rent arrears checks, lease reminders, compliance expiry notifications, account lifecycle, scheduled workflows) | United States | Event payloads with account/property identifiers and task metadata; no tenant personal data passed directly | UK IDTA / EU SCCs (Inngest DPA) |
| Langfuse GmbH (optional) | AI observability and tracing for monitoring AI quality. Only active when configured | EU (Germany) | AI prompt/response traces including user messages and AI outputs. Traces are stored for our review only and are not used by Langfuse for model training. | UK adequacy regulations 2021 (EU/EEA); DPA in place |
| Google (Maps/Places API) | Address autocomplete and geocoding for property addresses | United States | Property addresses entered by users; resulting geocoded coordinates | Google API Terms of Service; UK IDTA / EU SCCs |
| IP-API.com | IP address reputation checking for fraud prevention and security monitoring during authentication | United States | User IP addresses; returns ISP name, organisation, and proxy/VPN/Tor/hosting detection flags. Results cached in our database for 7 days | UK IDTA / EU SCCs (free tier; no personal data beyond IP address is transmitted) |
| IndexNow / Microsoft Bing | Search engine URL indexing notifications for SEO purposes | United States | Public page URLs only; no personal data is transmitted | Operational service; no personal data processed |

Statutory Recipients (Not Sub-processors)

The following entities receive data from Latch at the subscriber’s instruction but are not sub-processors. They act as independent data controllers under their own legal authority:

| Recipient | Purpose | Location | Data Received | Legal Basis |
|---|---|---|---|---|
| HM Revenue & Customs (HMRC) | Receiving quarterly income and expense submissions, annual adjustments, and final tax declarations under Making Tax Digital for Income Tax Self Assessment | United Kingdom | National Insurance Number, aggregated rental income and property expenses, annual adjustments, fraud prevention headers (device ID, timezone, screen info, IP address, user agent, MFA status) | HMRC acts as independent data controller under tax legislation (Finance Act, Income Tax (Digital Requirements) Regulations) |

HMRC is a United Kingdom government department exercising statutory functions. Data submitted to HMRC is governed by HMRC’s own privacy notice and applicable tax legislation. Latch has no control over how HMRC processes or retains data once submitted.

Note: two HMRC-mandated fraud-prevention header values that browsers do not reliably expose (Gov-Client-Public-Port, because Vercel terminates TLS at the edge proxy; and Gov-Client-Multi-Factor, which is sent only when an MFA factor is in verified status) are intentionally omitted. See the Privacy Policy section on HMRC fraud prevention for the full specification mapping.

3. International Transfer Safeguards

The following table summarises the transfer mechanisms applied to each destination country in which our sub-processors operate:

| Destination | Sub-processors there | UK transfer mechanism |
|---|---|---|
| United Kingdom | Canopy | Domestic — no international transfer |
| EEA / EU | Supabase (AWS eu-west), Langfuse (Germany) | UK adequacy regulations 2021 |
| United States | Stripe, SendGrid, Twilio (WhatsApp), Plaid, Google (Gemini, Maps, OAuth, Gmail, Calendar), Microsoft Graph, Cloudflare R2, Vercel, Inngest, Tavily, IP-API | UK International Data Transfer Agreement (IDTA) and/or EU Standard Contractual Clauses with the UK Addendum, per the relevant sub-processor DPA |
| People's Republic of China | Zhipu AI | UK IDTA supported by a documented Transfer Risk Assessment considering the PRC Cybersecurity Law 2017, Data Security Law 2021, and Personal Information Protection Law 2021. Categories of data sent are constrained per the AI section of our Privacy Policy. |

  • We regularly review our transfer mechanisms to ensure continued compliance with UK data protection requirements.
  • You may request further information about the specific safeguards applied to your data transfers by contacting us at [email protected].

4. Changes to Sub-processors

  • We will update this page when sub-processors are added, removed, or materially changed.
  • For subscribers covered by our Subscriber Data Policy, we will notify affected subscribers via email of any intended changes to sub-processors prior to the change taking effect.
  • Subscribers may object to a new sub-processor within 30 days of notification. If the objection cannot be reasonably accommodated, the subscriber may terminate their subscription without penalty.
  • We aim to provide at least 30 days' notice before any material change to our sub-processor list.

5. Contact

If you have questions about our sub-processors or data transfers, please contact:

Privacy enquiries: [email protected]

General support: [email protected]

Company: USELATCH LTD

Registered address: 5 Orrok Lane, Edinburgh, EH16 5HF

ICO Registration Number: 02450028338

6. Material Change History

  • 13 May 2026 (v2.1) — HMRC MTD ITSA compliance pack alignment: annotated Microsoft Graph, Tavily, and Zhipu AI as optional/conditional sub-processors so subscribers can identify which integrations are essential vs feature-gated; added explicit “not used for model training” clauses to the Zhipu AI, Tavily, and Langfuse rows mirroring the existing Gemini wording; added a cross-reference to the Privacy Policy explaining the two HMRC fraud-prevention header values intentionally omitted from MTD API calls (Gov-Client-Public-Port and Gov-Client-Multi-Factor).
  • 5 May 2026 (v2.0) — Added Plaid as a US sub-processor for live UK Open Banking (replaces “coming soon” references); added Zhipu AI as a PRC sub-processor for selected background AI inference, with UK IDTA + Transfer Risk Assessment safeguards; split Twilio (WhatsApp) from SendGrid into separate rows to clarify message-content paths; added a Transfer Mechanism column to the sub-processor table; added a transfer-mechanism summary table to section 3; added the ICO registration number to the contact section.
  • 23 March 2026 (v1.0) — Initial publication.