List of Subprocessors
A complete list of third-party sub-processors engaged by Latch for data processing. This page is maintained in accordance with our Subscriber Data Policy.
Last updated: 13 May 2026
1. Introduction
This page lists all third-party sub-processors engaged by USELATCH LTD (trading as “Latch”) to assist in the provision of our property management platform. This list is maintained in accordance with our obligations under Article 28 of the UK GDPR and our Subscriber Data Policy.
- Each sub-processor has been assessed for adequate data protection practices.
- Sub-processors are bound by data processing agreements imposing equivalent data protection obligations.
- This page is updated when sub-processors are added, removed, or materially changed.
- For full details of how we handle subscriber data, please see our Privacy Policy and Subscriber Data Policy.
- This page also identifies statutory recipients of data that are not sub-processors (such as HMRC), where Latch transmits data at the subscriber’s instruction to a body acting as an independent data controller.
2. Current Sub-processors
The following sub-processors are currently engaged by Latch:
| Sub-processor | Purpose | Location | Data Processed | Transfer Mechanism |
|---|---|---|---|---|
| Supabase (AWS) | Primary database, user authentication, and secure file storage | EU (AWS eu-west region) | All core application data including account details, property records, tenant information, financial records, and uploaded documents | UK adequacy regulations 2021 (EU/EEA); DPA in place |
| Stripe, Inc. | Subscription billing and payment processing | United States | Subscriber name, email address, subscription plan, lease count, billing cycle, offer code, payment card tokens (full card numbers never stored by Latch); webhook events for subscription lifecycle, invoices, and refunds | UK IDTA / EU SCCs + UK Addendum (Stripe DPA) |
| SendGrid (Twilio) | Transactional email delivery and newsletter communications | United States | Recipient email addresses, names, and email content (verification codes, rent reminders, payment receipts, invoice notifications, security alerts, newsletter emails); delivery, bounce, open, click, deferred, dropped, and spam-report event tracking via webhook | UK IDTA / EU SCCs + UK Addendum (Twilio DPA) |
| Twilio (WhatsApp Business API) | WhatsApp messaging for automated rent reminders and landlord-tenant communications | United States (message content also traverses Meta WhatsApp infrastructure) | Recipient phone numbers, WhatsApp message content, delivery status tracking via webhooks, and WhatsApp opt-in/opt-out consent records | UK IDTA / EU SCCs + UK Addendum (Twilio DPA) |
| Plaid Inc. | UK Open Banking (PSD2) connectivity for bank account linking and transaction synchronisation | United States | Bank account and routing identifiers, account balances, transaction history, and OAuth-style access tokens. Bank credentials are entered into Plaid Link directly and are never seen by Latch. | UK IDTA / EU SCCs + UK Addendum (Plaid DPA) |
| Google (Gemini API) | Default AI provider for chat assistant, document analysis, and intelligent recommendations | United States | User prompts, attached file content, prior conversation turns, and contextual account data (property summaries, lease text, expense descriptions, tenant notes, document text). Processed under Google API terms; not used to train Google's general-purpose models. | Google API Terms of Service; UK IDTA / EU SCCs |
| Zhipu AI | Secondary AI inference for selected background AI tasks (e.g. low-cost classification) — optional / configurable | People's Republic of China | User prompts and contextual account data routed for the relevant feature only. Does not include passwords, payment details, NINO/UTR, HMRC tokens, or trusted-device identifiers. Processed under Zhipu API terms; not used to train Zhipu's general-purpose models. | UK International Data Transfer Agreement (IDTA), supported by a documented Transfer Risk Assessment that considers the PRC Cybersecurity Law 2017, Data Security Law 2021, and Personal Information Protection Law 2021 |
| Google (Gmail API) | Email integration for receipt extraction and communication management | United States | OAuth authorisation tokens, email content, and attachments (only when explicitly authorised by the user) | Google API Services User Data Policy; UK IDTA / EU SCCs |
| Google (Calendar API) | Calendar event synchronisation for viewing schedules and property events | United States | OAuth authorisation tokens and calendar event details (titles, dates, times) | Google API Services User Data Policy; UK IDTA / EU SCCs |
| Microsoft (Graph API / Outlook) | Outlook calendar event synchronisation — optional, only if Outlook is connected | United States | OAuth authorisation tokens and calendar event details | Microsoft DPA; UK IDTA / EU SCCs |
| Tavily | AI-powered web search for current public information retrieval — optional, only when AI web-search is enabled | United States | Search queries generated by the AI assistant. Only the query string is transmitted; no account context. Not used to train Tavily's models. | UK IDTA / EU SCCs (Tavily Privacy Policy) |
| Vercel | Application hosting, serverless function execution, and scheduled task processing | United States | Server access logs, request metadata, and IP addresses | UK IDTA / EU SCCs + UK Addendum (Vercel DPA) |
| Canopy (RentalStep Ltd) | Tenant background screening and credit checks — processes tenant personal data to provide referencing reports including credit history, identity verification, employment checks, and right to rent confirmation | United Kingdom | Tenant name, email address, phone number, date of birth, current and previous addresses, employment details; returns screening results, credit check outcomes, and referencing recommendations | Domestic (UK); subject to Canopy's own Terms and DPA |
| Cloudflare, Inc. (R2 Object Storage) | Private and public file storage across separate buckets: documents (private, signed-URL access), public, avatars, support attachments, email_assets, and csv import/export | United States | Uploaded files (documents, receipts, certificates, photographs, avatars, e-signature PDFs, support attachments). Documents bucket served via signed URLs with limited TTL. | UK IDTA / EU SCCs + UK Addendum (Cloudflare DPA) |
| Inngest, Inc. | Event-driven background job processing (rent arrears checks, lease reminders, compliance expiry notifications, account lifecycle, scheduled workflows) | United States | Event payloads with account/property identifiers and task metadata; no tenant personal data passed directly | UK IDTA / EU SCCs (Inngest DPA) |
| Langfuse GmbH (optional) | AI observability and tracing for monitoring AI quality. Only active when configured | EU (Germany) | AI prompt/response traces including user messages and AI outputs. Traces are stored for our review only and are not used by Langfuse for model training. | UK adequacy regulations 2021 (EU/EEA); DPA in place |
| Google (Maps/Places API) | Address autocomplete and geocoding for property addresses | United States | Property addresses entered by users; resulting geocoded coordinates | Google API Terms of Service; UK IDTA / EU SCCs |
| IP-API.com | IP address reputation checking for fraud prevention and security monitoring during authentication | United States | User IP addresses; returns ISP name, organisation, and proxy/VPN/Tor/hosting detection flags. Results cached in our database for 7 days | UK IDTA / EU SCCs (free tier; no personal data beyond IP address is transmitted) |
| IndexNow / Microsoft Bing | Search engine URL indexing notifications for SEO purposes | United States | Public page URLs only; no personal data is transmitted | Operational service; no personal data processed |
Statutory Recipients (Not Sub-processors)
The following entities receive data from Latch at the subscriber’s instruction but are not sub-processors. They act as independent data controllers under their own legal authority:
| Recipient | Purpose | Location | Data Received | Legal Basis |
|---|---|---|---|---|
| HM Revenue & Customs (HMRC) | Receiving quarterly income and expense submissions, annual adjustments, and final tax declarations under Making Tax Digital for Income Tax Self Assessment | United Kingdom | National Insurance Number, aggregated rental income and property expenses, annual adjustments, fraud prevention headers (device ID, timezone, screen info, IP address, user agent, MFA status) | HMRC acts as independent data controller under tax legislation (Finance Act, Income Tax (Digital Requirements) Regulations) |
HMRC is a United Kingdom government department exercising statutory functions. Data submitted to HMRC is governed by HMRC’s own privacy notice and applicable tax legislation. Latch has no control over how HMRC processes or retains data once submitted.
Note: two HMRC-mandated fraud-prevention header values that browsers do not reliably expose (Gov-Client-Public-Port, because Vercel terminates TLS at the edge proxy; and Gov-Client-Multi-Factor, which is sent only when an MFA factor is in verified status) are intentionally omitted. See the Privacy Policy section on HMRC fraud prevention for the full specification mapping.
3. International Transfer Safeguards
The following table summarises the transfer mechanisms applied to each destination country in which our sub-processors operate:
| Destination | Sub-processors there | UK transfer mechanism |
|---|---|---|
| United Kingdom | Canopy | Domestic — no international transfer |
| EEA / EU | Supabase (AWS eu-west), Langfuse (Germany) | UK adequacy regulations 2021 |
| United States | Stripe, SendGrid, Twilio (WhatsApp), Plaid, Google (Gemini, Maps, OAuth, Gmail, Calendar), Microsoft Graph, Cloudflare R2, Vercel, Inngest, Tavily, IP-API | UK International Data Transfer Agreement (IDTA) and/or EU Standard Contractual Clauses with the UK Addendum, per the relevant sub-processor DPA |
| People's Republic of China | Zhipu AI | UK IDTA supported by a documented Transfer Risk Assessment considering the PRC Cybersecurity Law 2017, Data Security Law 2021, and Personal Information Protection Law 2021. Categories of data sent are constrained per the AI section of our Privacy Policy. |
- We regularly review our transfer mechanisms to ensure continued compliance with UK data protection requirements.
- You may request further information about the specific safeguards applied to your data transfers by contacting us at [email protected].
4. Changes to Sub-processors
- We will update this page when sub-processors are added, removed, or materially changed.
- For subscribers covered by our Subscriber Data Policy, we will notify affected subscribers via email of any intended changes to sub-processors prior to the change taking effect.
- Subscribers may object to a new sub-processor within 30 days of notification. If the objection cannot be reasonably accommodated, the subscriber may terminate their subscription without penalty.
- We aim to provide at least 30 days' notice before any material change to our sub-processor list.
5. Contact
If you have questions about our sub-processors or data transfers, please contact:
Privacy enquiries: [email protected]
General support: [email protected]
Company: USELATCH LTD
Registered address: 5 Orrok Lane, Edinburgh, EH16 5HF
ICO Registration Number: 02450028338
6. Material Change History
- 13 May 2026 (v2.1) — HMRC MTD ITSA compliance pack alignment: annotated Microsoft Graph, Tavily, and Zhipu AI as optional/conditional sub-processors so subscribers can identify which integrations are essential vs feature-gated; added explicit “not used for model training” clauses to the Zhipu AI, Tavily, and Langfuse rows mirroring the existing Gemini wording; added a cross-reference to the Privacy Policy explaining the two HMRC fraud-prevention header values intentionally omitted from MTD API calls (Gov-Client-Public-Port and Gov-Client-Multi-Factor).
- 5 May 2026 (v2.0) — Added Plaid as a US sub-processor for live UK Open Banking (replaces “coming soon” references); added Zhipu AI as a PRC sub-processor for selected background AI inference, with UK IDTA + Transfer Risk Assessment safeguards; split Twilio (WhatsApp) from SendGrid into separate rows to clarify message-content paths; added a Transfer Mechanism column to the sub-processor table; added a transfer-mechanism summary table to section 3; added the ICO registration number to the contact section.
- 23 March 2026 (v1.0) — Initial publication.