Compliance summary
Aupa publishes more about its compliance posture than most products do. This page summarises who handles your data, why, and on what lawful basis.
Purposes register version: 2026-04-17
Compliance contacts
Processor register
Operators we engage to process your data on our behalf.
| Processor | Service | Data categories | Sub-processors | Transfer basis |
|---|---|---|---|---|
| Hetzner Online GmbH | Hosting — VPS (Germany/Falkenstein), encrypted backups (Frankfurt). Stores the Postgres cluster, Fastify + web images, and R2-agnostic disk state. | profile data, encrypted identity documents, messages, subscription records, audit_log | — | SCC |
| Cloudflare, Inc. | Edge realtime Worker (ConversationRoom Durable Objects) + R2 object storage for data exports + identity-document scans. | message payloads (in-flight), data export bundles (7-day TTL), identity document scans (encrypted) | Amazon Web Services (R2 infrastructure) | SCC |
| Paystack Payments Limited | Payment processing (ZAR). Initialises checkout sessions, verifies transactions, and posts webhooks back to Aupa on plan activation. | name, email, payment amount, transaction reference | — | s72(1)(c) contract |
| Resend, Inc. | Transactional + marketing email delivery (verification, DSR confirmations, data-export ready, marketing announcements). | email address, first name, message subject + body | Amazon Web Services (SES backbone) | SCC |
| Umami Software | Self-hosted, cookieless web analytics. Only loaded after analytics consent. Honours Do Not Track. | page URL, referrer, user-agent (coarse), anonymised session fingerprint | — | adequacy |
| Google LLC | OAuth sign-in (optional). Aupa receives the Google-verified email and basic profile info on sign-up only. | email address, Google display name | — | adequacy |
| Meta Platforms, Inc. (Facebook Login) | OAuth sign-in (optional). | email address, Facebook display name | — | adequacy |
| Apple Inc. | OAuth sign-in (optional) + push notification backbone via APNs. | anonymised Apple relay email, push token | — | adequacy |
| Expo, Inc. | Push notification delivery for the Aupa mobile app (wraps APNs + FCM). | push token, recipient device id | Apple APNs, Google FCM | SCC |
Purposes register
Why we process data and on what lawful basis.
Cross-border transfers
Your data is hosted on infrastructure in Germany (EU). Transfers from South Africa to the EU are lawful under POPIA s72(1)(b) (consent / adequate protection in receiving jurisdiction); transfers from the EU to other regions, where applicable, rely on Standard Contractual Clauses with the relevant processor.
PDPA (Singapore) and equivalent regimes
Aupa is a South African service primarily regulated by POPIA, with equivalent obligations honoured for visitors covered by GDPR. For users resident in jurisdictions with comparable frameworks — including Singapore’s Personal Data Protection Act (PDPA) — we follow the stricter of the local rule and POPIA. The same data-subject rights apply: access, rectification, erasure (subject to retention law), restriction, and objection. Contact io@aupa.co.za to exercise any right and we will route the request through our Information Officer.
Want a copy of your data?
Sign in and head to Settings → Privacy. We’ll honour POPIA and GDPR rights requests within the statutory window.