What this is
This page summarises how we assess transfers of personal data to our processors, in line with Articles 44–49 of the GDPR and the Schrems II ruling. It is the EU/UK transfer assessment; transfers relevant to India (DPDP Act) and the United States are addressed in our Privacy Notice. It accompanies our Privacy Notice and our internal Data Protection Impact Assessment.
If you have questions about international transfers, write to support@myfinmaps.com.
Scope, necessity and proportionality
MyFinMaps processes the personal and financial data you enter to deliver the service, together with limited security and usage signals. We collect only what we need (email is mandatory; a mobile number is optional), we do not solicit special-category data, and we delete data on a published retention schedule.
How we protect transferred data
Wherever data is transferred outside the EEA or UK to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses and/or the UK International Data Transfer Agreement, supported by supplementary measures: encryption in transit (TLS), encryption at rest, and application-layer encryption of identifier data such as your mobile number and policy/account numbers.
We minimise what each processor receives — for example, our hosting and email providers do not receive your encrypted portfolio store — and, where feasible, we prefer EU/UK regions for our database, cache, and serverless functions.
Per-processor transfer assessment
| Processor | Purpose | Data they receive | Region | Transfer |
|---|---|---|---|---|
| PostgreSQL host (Neon) | Primary application database | All application PII (users, holdings, cash-flow, audit/event logs) | configurable | Blank |
| Vercel | Hosting, CDN, serverless functions, logs | Request metadata, IP, logs, all traffic | US (default) | SCC |
| Cloudflare Turnstile | Anti-bot CAPTCHA | IP address, challenge token | Global | SCC |
| Upstash Redis | Rate limiting, login lockout, short-lived tokens | IP, normalised email (lockout) | configurable | Blank |
| SMTP provider (Gmail or admin-configured) | Transactional email | Recipient email, email body | US (Gmail) or admin-configured | SCC |
Residual risk and review
For US-region processors we have considered the risk of government access and concluded that the limited, encrypted data exposed — combined with SCCs/IDTA and the measures above — keeps residual risk at an acceptable level. We review this assessment at least annually and whenever a processor, region, or data category changes.
This is a public summary. Our full DPIA and Transfer Impact Assessment, including outstanding actions, is maintained internally and available to supervisory authorities on request.