Skip to main content

Data Transfer Impact Assessment

Version 2026-07-02 · Effective 2026-07-02

What this is

This page summarises how we assess transfers of personal data to our processors, in line with Articles 44–49 of the GDPR and the Schrems II ruling. It is the EU/UK transfer assessment; transfers relevant to India (DPDP Act) and the United States are addressed in our Privacy Notice. It accompanies our Privacy Notice and our internal Data Protection Impact Assessment.

If you have questions about international transfers, write to support@myfinmaps.com.

Scope, necessity and proportionality

MyFinMaps processes the personal and financial data you enter to deliver the service, together with limited security and usage signals. We collect only what we need (email is mandatory; a mobile number is optional), we do not solicit special-category data, and we delete data on a published retention schedule.

How we protect transferred data

Wherever data is transferred outside the EEA or UK to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses and/or the UK International Data Transfer Agreement, supported by supplementary measures: encryption in transit (TLS), encryption at rest, and application-layer encryption of identifier data such as your mobile number and policy/account numbers.

We minimise what each processor receives — for example, our hosting and email providers do not receive your encrypted portfolio store — and, where feasible, we prefer EU/UK regions for our database, cache, and serverless functions.

Per-processor transfer assessment

ProcessorPurposeData they receiveRegionTransfer
PostgreSQL host (Neon)Primary application databaseAll application PII (users, holdings, cash-flow, audit/event logs)configurableBlank
VercelHosting, CDN, serverless functions, logsRequest metadata, IP, logs, all trafficUS (default)SCC
Cloudflare TurnstileAnti-bot CAPTCHAIP address, challenge tokenGlobalSCC
Upstash RedisRate limiting, login lockout, short-lived tokensIP, normalised email (lockout)configurableBlank
SMTP provider (Gmail or admin-configured)Transactional emailRecipient email, email bodyUS (Gmail) or admin-configuredSCC

Residual risk and review

For US-region processors we have considered the risk of government access and concluded that the limited, encrypted data exposed — combined with SCCs/IDTA and the measures above — keeps residual risk at an acceptable level. We review this assessment at least annually and whenever a processor, region, or data category changes.

This is a public summary. Our full DPIA and Transfer Impact Assessment, including outstanding actions, is maintained internally and available to supervisory authorities on request.