1. Introduction
Motiw8 uses several third-party service providers ("processors") to:
- Store user data
- Process payments
- Verify identity
- Analyze media for fraud prevention
- Host backend infrastructure
- Manage subscriptions
- Provide analytics and crash reporting
This document explains:
- Who the processors are
- What data they process
- Why they process it
- Where data is stored
- How we ensure GDPR compliance
- What Standard Contractual Clauses (SCCs) apply
- How data flows end-to-end between systems
Motiw8 never sells user data.
Data is shared only with processors who support the operation, security, or compliance of the platform.
2. Summary of Third-Party Processors
Below are the official processors used by Motiw8.
| Processor | Category | Location | GDPR Status |
|---|---|---|---|
| Supabase | Database, authentication, storage | EU (Frankfurt) | DPA + SCCs |
| Stripe | Payments, payouts, fraud detection | Global (EU data hosted in EU) | GDPR-compliant, PSD2-certified |
| RevenueCat | Subscription management | Global | GDPR-compliant, SCCs |
| AWS Rekognition | Media verification, biometric analysis | EU (Frankfurt) | GDPR-compliant, SCCs |
| Firebase Analytics | App analytics | Global | GDPR-compliant, anonymized events |
| Firebase Crashlytics | Crash logs, diagnostics | Global | GDPR-compliant |
| Apple | Sign-In, HealthKit | Global | GDPR-compliant |
| Sign-In, Google Fit, Android services | Global | GDPR-compliant | |
| Vercel | Backend hosting | Global | GDPR-compliant |
| Sentry (optional) | Error monitoring | Global | GDPR-ready with SCCs |
| Tribe / Stripe Identity (planned) | KYC/AML verification | Global | PSD2/KYC compliant |
(If you want I can generate a full "Processor Register" as a downloadable PDF.)
3. Detailed Processor Profiles
Below are the long, legal-grade descriptions for each processor — used in privacy policies and vendor risk assessments.
3.1 Supabase (Primary Backend Processor)
Role:
Database, authentication, file storage, row-level security (RLS), API hosting.
Data Processed:
- Email, hashed passwords (if used)
- Authentication tokens
- Profiles (name, country, age)
- Steps and weight data
- Challenge creation & entry data
- Media metadata
- Evidence submissions
- Anti-fraud flags
- Audit logs
- Payout and transaction metadata
Storage Location:
Supabase EU Region (Frankfurt).
Safeguards:
- GDPR DPA
- SCCs
- SOC2 Tier-1 infrastructure
- Encrypted at rest and in transit
- RLS for all user tables
- Service-role isolation
Data Retention:
Matches Motiw8's internal retention rules (3–7 years for financial logs, 90–180 days for evidence).
3.2 Stripe (Payments & Payouts)
Role:
Payment processing, stake holding, payout distribution through Stripe Connect.
Data Processed:
- Name, email
- Payment method tokens (NOT card numbers)
- Stakes and payouts
- Customer ID, connected account ID
- Fraud signals (card fingerprint, IP)
- Revenue records
- Billing address (if required by law)
Storage:
EU for EU users; U.S. for U.S. users; global redundancy.
Compliance:
- PSD2
- PCI Level 1
- GDPR SCCs
- OSP-approved orchestration for payouts
- Automatic 1099-K handling based on thresholds
Motiw8 never stores:
- Card numbers
- CVV
- Full billing details
3.3 RevenueCat (Subscriptions)
Role:
Manages premium subscription entitlements across iOS and Android.
Data Processed:
- User ID
- Subscription status
- Purchase receipts
- Renewal dates
- Country (for VAT)
No health or biometric data collected.
No access to user media.
Compliance:
- GDPR SCCs
- Does not sell or share data
- Does not store payment details
3.4 AWS Rekognition (Media Verification)
Role:
Processes images and videos for:
- OCR (scale reading)
- Liveness detection
- Face similarity (baseline vs final)
- Moderation (nudity, violence)
- Label detection (objects/scenes)
Data Processed:
- Images/videos transiently, plus:
- Face vectors stored in face collection
- Liveness session results
- OCR results
- Moderation flags
- Labels (objects, scenes)
Storage Location:
AWS Europe (Frankfurt) — EU-only for GDPR compliance.
Safeguards:
- GDPR SCCs
- Strong encryption
- No permanent storage of raw images
- Face vectors only (mathematical representations)
3.5 Firebase Analytics (Optional Consent)
Role:
App analytics, user behavior tracking.
Data Processed:
- Device model
- OS version
- App version
- Session events
- Screen views
- Conversion events
NOT processed:
- Names
- Emails
- Payment data
- Health data
Safeguards:
- IP anonymization
- GDPR SCCs
- Event-level pseudonymization
3.6 Firebase Crashlytics
Role:
Crash reporting to improve app stability.
Data Processed:
- Crash logs
- Device model
- OS version
- Anonymous instance ID
Not Processed:
- Names
- Emails
- Health data
- Photos/videos
3.7 Apple Sign-In & HealthKit
Apple Sign-In
Processes:
- Apple ID private email relay
- Authentication tokens
HealthKit
Accessed only with explicit permission.
Motiw8 may read:
- Steps
- Weight
- Body composition (future)
Never writes to HealthKit.
Never shares HealthKit data with third parties.
3.8 Google Sign-In & Google Fit
Google Sign-In
Processes:
- Profile ID
Google Fit
May read:
- Steps
- Weight
Never shared externally.
3.9 Vercel (Hosting Platform)
Role:
Hosts backend server code and public website.
Data Processed:
- Request logs (IP, user agent)
- API routing metadata
Safeguards:
- GDPR DPA
- SCCs
- Encrypted traffic
Never sees media or PII beyond logs.
3.10 Sentry (Optional)
If enabled, processes:
- Error logs
- Device metadata
- Stack traces
No PII or media unless user specifically uploads it (not allowed in Motiw8).
3.11 Future: Stripe Identity / Tribe Identity (KYC)
Purpose:
- Identity verification for payouts above threshold
- AML compliance
- Age verification (18+)
Processes:
- Government IDs
- Selfie/video
- Liveness detection
- Fraud checks
Stored by provider, not by Motiw8.
4. Data Flow (End-to-End)
Below is the high-level flow.
4.1 Registration & Authentication Flow
User → App → Supabase Auth
Optional: Apple Sign-In / Google Sign-In → Supabase
Data stored: email, auth tokens
4.2 Challenge Participation Flow
User → App → Supabase DB
Data stored: challenge entries, stakes, history
Stake purchase → Stripe → Supabase
Stripe returns paymentIntent and fees.
4.3 Verification Flow
User uploads media → Supabase Storage
Supabase provides signed URLs → AWS Rekognition
AWS extracts:
- OCR
- Labels
- Moderation
- Face vectors
- Liveness
Results → Supabase database → Verification worker → Admin dashboard
4.4 Payout Flow
Supabase → Payout Engine → Stripe Connect → User's Stripe Express account → User's bank
4.5 Analytics Flow
App → Firebase (anonymized) → Firebase console → internal dashboards
4.6 Error Logging
App → Crashlytics/Sentry → Internal triage
5. Transfers Outside the EU
Processors must use:
- EU Data Region (Supabase, AWS)
- SCCs
- Encryption at rest & transit
- Zero access to media contents except for processing
Stripe uses EU storage for EU users.
Firebase uses SCCs for U.S. data transfers.
6. Security Measures & Safeguards
Encryption
All data encrypted at rest and in transit:
- AES-256 at rest
- TLS 1.3 in transit
Access Control
- Zero-trust architecture
- Role-based access control
- Admin access logged and monitored
Logging
- Audit logs kept 7 years
- Attempted intrusions tracked
- Verification operations logged
Vulnerability Management
- Regular patching
- Automated dependency scanning
- Penetration testing (annual recommended)
7. Retention & Deletion in Processor Systems
Processors follow Motiw8's retention policy:
- Evidence photos: 180 days
- Evidence videos: 90 days
- Face vectors: until account deletion
- Audit logs: 7 years
- Financial logs: 7 years
- Backups: 30–90 days (immutable)
Deletion cascades through:
- Storage
- Databases
- Processor systems
- Backups during rotation
8. Compliance Documentation
Each processor provides:
- GDPR DPA
- SCCs
- Subprocessor lists
- ISO/SOC certifications
Motiw8 retains these in internal compliance records.
9. Contact for Processor Questions
Motiw8 UAB
Vilnius, Lithuania