Abstract gradient background in NinthMoon's brand colors

    Subprocessor List

    Version: v1.0Last Updated: Jun 25, 2026

    NinthMoon engages the following sub-processors to provide the Services. Each is bound by contractual terms requiring it to protect personal data with safeguards equivalent to those we apply, and to process data only as needed to provide its service.

    Google Cloud Platform / Firebase (Google LLC)

    Sub-processorPurposeData involvedLocation / regionProtections
    Google Cloud RunApplication hosting/computeAll data transiting the app in-processus-central1 (Iowa, USA)Google Cloud DPA & SCCs; TLS in transit, encryption at rest; private VPC egress; SOC 1/2/3, ISO 27001/27017/27018
    Cloud Build & Artifact RegistryBuild pipeline & container image storageBuild artifacts (no end-user PII)us-central1 (USA)Same Google DPA; IAM-restricted; encrypted storage
    Cloud FirestorePrimary databaseAccount, profile, chat, journal, calendar, subscription datanam5 — US multi-regionGoogle DPA & SCCs; encryption at rest & in transit; security rules; IAM
    Firebase Cloud StorageFile/object storage (generated documents, audio, assets)Generated documents and audio. User-uploaded files are not retained.USA (default, co-located with project)Same Google DPA; encryption at rest & in transit; signed-URL / IAM
    Firebase AuthenticationIdentity & authenticationEmail, auth identifiers, social-login fieldsGlobal (Google infrastructure, US-primary)Same Google DPA; encrypted credentials; tokenized sessions
    Firebase Cloud Messaging (FCM)Push notificationsDevice push tokens, notification contentGlobal (Google infrastructure, US-primary)Same Google DPA; encryption in transit
    Google Cloud Text-to-Speech / Speech-to-TextVoice synthesis & transcriptionUser audio input & synthesized outputUS (global endpoint, US-primary)Same Google DPA & SCCs; encryption in transit; not used to train Google models
    Google Cloud Natural LanguageSentiment / safety analysisChat & journal text submitted for scoringUS (global endpoint, US-primary)Same Google DPA; encryption in transit; transient processing
    Google Cloud Secret ManagerStorage of API keys/credentialsService secrets (no end-user PII)USA (default, co-located with project)Same Google DPA; encryption at rest; IAM-restricted
    Redis (Google Cloud Memorystore)Caching & background job queues (BullMQ)Transient cached records, queued job payloadsus-central1 (USA), private VPCPrivate VPC-only (no public ingress); encryption in transit; ephemeral storage

    Non-Google third parties

    Sub-processorPurposeData involvedLocation/regionProtections
    OpenAIAI assistant/chat & document generationUser chat messages, prompts, uploaded content (transient), and relevant profile/health context to personalize responsesUSAOpenAI DPA & SCCs; API business terms; encryption in transit & at rest; not used to train models by default
    Apple (App Store IAP & Server Notifications)iOS in-app subscription billing & entitlement verificationSubscription/transaction identifiers; server notificationsUSA (global)Apple DPA; signed JWS payloads; encryption in transit
    Google Play (Google LLC)Android in-app subscription billing, receipt validation & renewal notifications (Play Developer API + RTDN)Purchase token, product/SKU, order ID, subscription status/expiry, obfuscated account identifierUSA (global)Google Play DPA & SCCs; service-account (OAuth2 JWT) auth; signed Pub/Sub delivery; encryption in transit
    Zoho (Zoho Mail / SMTP)Transactional & notification emailRecipient email address & message contentUSA / EU / India (per Zoho account data-center)Zoho DPA; TLS-encrypted SMTP; ISO 27001 / SOC 2
    VercelHosting of admin-panel front-endAdmin-user session data via admin UIUSA (global edge, US-primary)Vercel DPA & SCCs; TLS; SOC 2 Type 2

    Active payment processors

    The active payment sub-processors are Apple (App Store IAP) for iOS and Google Play (Play Billing) for Android. NinthMoon does not collect or store card details; billing, renewals, and refunds are handled by the stores.

    All consumer payments are handled by the app stores; NinthMoon does not use any third-party card or payment processor outside Apple and Google Play.

    Notes

    User-uploaded files are not stored; any residual upload/test data is being purged. Conversations, memory summaries, journaling entries, and community content are stored in Cloud Firestore (US). Questions: legal@ninthmoon.ai.

    Soft, calming gradient background in NinthMoon's brand colors

    Your privacy matters to us.

    Transparent policies.

    HIPAA-conscious design.

    We never sell your data.

    Built on trust, designed with care.

    Download NinthMoon today 💛