Sub-processors
Last updated: 29 June 2026
When you use OneSixth, we engage the following sub-processors to help us deliver the service. Each is bound by a written contract requiring appropriate technical and organisational security measures and processing only on our documented instructions, in line with UK GDPR Article 28.
For transfers outside the UK, we rely on the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses (SCCs), or an applicable adequacy decision.
Active sub-processors
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase (Supabase Inc.) | Application database (Postgres), authentication, edge compute, storage | Account data, VAT calculations, journals, audit logs, OAuth tokens | European Union (eu-west / eu-central regions) |
| Stripe (Stripe Payments Europe Ltd.) | Subscription billing and payment processing | Name, email, billing address, payment method (held by Stripe), subscription status | EU / United States (UK IDTA / EU SCCs in place) |
| Lovable (Lovable AB) | Application hosting and AI Gateway for product features | Operational logs; no customer VAT data sent to AI providers | European Union |
| Resend (Resend, Inc.) | Transactional email delivery (sign-in, invitations, billing notices) | Recipient email address, message metadata, message body | United States (UK IDTA / EU SCCs in place) |
| PostHog (PostHog Inc.) | Product analytics — page views and feature usage (loaded only after analytics cookie consent) | Usage events; when you are signed in, your user ID and email; sensitive URL parameters are redacted before sending | European Union (PostHog Cloud EU, Frankfurt) |
| Google Analytics (Google Ireland Ltd.) | Traffic measurement across our website and app (loaded only after analytics cookie consent; IP anonymisation enabled) | Anonymised usage metrics and an analytics client identifier; sensitive URL parameters are redacted before sending | EU / United States (UK IDTA / EU SCCs in place) |
| Sentry (Functional Software, Inc.) | Application error monitoring and performance diagnostics (no session replay) | Error events, stack traces, browser/device metadata; when you are signed in, your user ID and email | European Union (Sentry EU data region) |
| Airtable (Airtable, Inc.) | CRM for newsletter sign-ups, beta requests and contact-form enquiries | Name, email, firm, message content and enquiry metadata you submit to us | United States (UK IDTA / EU SCCs in place) |
Independent controllers
These providers determine their own purposes for the data they collect and so act as independent controllers, not our sub-processors. They are listed here for transparency. They only operate after you accept analytics cookies.
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Microsoft Clarity (Microsoft Corporation) | Heatmaps and session replay on our public website only — loaded after analytics cookie consent and never run on authenticated application screens | Behavioural metrics, page interactions and session replay of public website pages | United States (UK IDTA / EU SCCs in place); Microsoft acts as an independent controller |
Third-party data recipients (your connected platforms)
These providers are independent controllers or your own accounting platforms. We exchange data with them on your authority via OAuth. They are not our sub-processors, but we list them here for transparency.
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Xero (Xero Limited) | Accounting platform you connect — we read invoices/bills and post journals on your authority | Invoices, bills, journals, contacts, organisation metadata, OAuth tokens | Determined by your Xero region |
| QuickBooks Online (Intuit Inc.) | Accounting platform you connect — we read transactions and post journals on your authority | Transactions, journals, customers, OAuth tokens | Determined by Intuit |
| Sage (The Sage Group plc) | Accounting platform you connect — we read transactions and post journals on your authority | Transactions, journals, customers, OAuth tokens | United Kingdom / EU |
| FreeAgent (FreeAgent Central Ltd.) | Accounting platform you connect — we read transactions and post journals on your authority | Transactions, journals, contacts, OAuth tokens | United Kingdom |
| HMRC (HM Revenue & Customs) | Making Tax Digital VAT connection you authorise — we exchange OAuth tokens and read your VAT obligations, returns, liabilities and payments for filing reconciliation and the VAT calendar | VAT registration number, VAT obligations, returns, liabilities, payments, OAuth tokens | United Kingdom |
| DVLA Vehicle Enquiry Service | Validate vehicle metadata for the Motor Trade Stock Book (UK only) | Vehicle Registration Mark you enter | United Kingdom |
Change notifications
We will update this page before adding or replacing a sub-processor that processes customer personal data. To be notified of changes, email dpo@onesixth.app and ask to be added to the sub-processor change list.