synthrek

Disclosure matrix for indie app stacks.

A service-by-service map across Apple Privacy Details, Google Data Safety, GDPR processor notes, and cookie-banner decisions.

Yes: Usually disclose this surface when the service is present.

Check: Depends on setup, region, or SDK behavior.

No: No direct disclosure trigger found for the common setup.

Educational content, not legal advice. Each cell is example wording. Vendor terms, platform instructions, and regulator interpretations change. Confirm the official requirement before publishing.

Service | Apple Privacy Details | Google Data Safety | GDPR processor list | Cookie banner?

Stripe

Payments. Server-side calls; tokenized on the client when using Stripe.js or PaymentSheet.

Apple Privacy Details (Yes) → Purchases (Purchase History) and Identifiers (User ID) — typically Linked to user, used for App Functionality.

Google Data Safety (Yes) → Financial info → Purchase history and Payment info — Collected, encrypted in transit; data shared with Stripe as a processor.

GDPR processor list (Yes) → List Stripe Payments Europe, Ltd. (Ireland) and Stripe, Inc. (US) as processors; link Stripe Privacy Policy.

Cookie banner? (Check) → Stripe.js may set fraud-prevention cookies (m, __stripe_mid) — review whether EU traffic triggers a consent banner under your local guidance.

Supabase

Postgres + Auth + Storage. Self-hosted or hosted on supabase.com.

Apple Privacy Details (Yes) → Contact Info (Email), Identifiers (User ID) — Linked to user when using Supabase Auth. Other categories depend on your tables.

Google Data Safety (Yes) → Personal info (Email, User IDs) — Collected and shared with Supabase Inc. as a processor. Add other categories that map to columns you store.

GDPR processor list (Yes) → List Supabase, Inc. as a processor. Note your selected region (US, EU, etc.).

Cookie banner? (Check) → Supabase Auth uses local storage / cookies for session tokens. Functional cookies may be exempt from consent; review your jurisdiction's rules.

PostHog Cloud

Product analytics, session replay, feature flags. EU or US cloud.

Apple Privacy Details (Yes) → Usage Data and Identifiers (Device ID) — typically Linked to user when you call posthog.identify(); used for Analytics.

Google Data Safety (Yes) → App activity (App interactions, In-app search history) and App info and performance (Crash logs) — Collected and shared.

GDPR processor list (Yes) → List PostHog Inc. (US) or PostHog B.V. (EU). State whether session replay is enabled and that DOM masking is configured.

Cookie banner? (Yes) → PostHog sets analytics cookies (ph_*). Treat as non-essential — a consent banner is typically required for EU traffic.

Resend

Transactional email API.

Apple Privacy Details (Yes) → Contact Info (Email Address) — Linked to user, used for App Functionality.

Google Data Safety (Yes) → Personal info (Email) — Collected and shared with Resend as a processor.

GDPR processor list (Yes) → List Resend, Inc. as a processor handling email delivery.

Cookie banner? (No) → Server-side only; no client cookies from Resend itself.

OpenAI API

Server-side LLM calls (chat, embeddings, transcription, etc.).

Apple Privacy Details (Yes) → User Content (whatever the user submits to your AI feature) — Linked to user. Disclose how prompts are used.

Google Data Safety (Yes) → Messages (Other in-app messages) or App info (Other actions) — Collected and shared with OpenAI L.L.C. as a sub-processor.

GDPR processor list (Yes) → List OpenAI, L.L.C. (US) — Standard Contractual Clauses are typically referenced in the OpenAI DPA. Disclose whether you opted out of training (API default since 2023).

Cookie banner? (No) → Server-side only.

Anthropic API

Server-side Claude calls.

Apple Privacy Details (Yes) → User Content — Linked to user; used for App Functionality. Treat inputs the same way you would treat any LLM provider.

Google Data Safety (Yes) → Messages or App info → Other actions — Collected and shared with Anthropic, PBC as a sub-processor.

GDPR processor list (Yes) → List Anthropic, PBC (US). Reference the Anthropic Commercial Terms and DPA. Note Anthropic states API inputs are not used to train models by default.

Cookie banner? (No) → Server-side only.

Vercel

Hosting + edge runtime + Vercel Analytics + Speed Insights.

Apple Privacy Details (Yes) → Identifiers (IP address routed via Vercel edge) and Usage Data (if Analytics enabled) — typically Linked to user.

Google Data Safety (Yes) → Web app and device IDs — Collected. If Vercel Analytics is on, also disclose anonymized usage data.

GDPR processor list (Yes) → List Vercel, Inc. as a processor. Disclose region if you use a regional edge.

Cookie banner? (No) → Vercel Analytics is cookieless by design. Vercel itself may set short-lived security cookies — review their current docs.

Cloudflare

CDN, DNS, R2, Workers, Turnstile.

Apple Privacy Details (Yes) → Identifiers (IP address) and Usage Data (request logs) — Linked to user where Cloudflare can correlate.

Google Data Safety (Yes) → App info and performance (Crash logs, Diagnostics) when using Cloudflare Logs/Analytics — Collected.

GDPR processor list (Yes) → List Cloudflare, Inc. as a processor. Reference Cloudflare's DPA. If using Cloudflare Turnstile, disclose it replaces a CAPTCHA challenge.

Cookie banner? (Check) → Cloudflare may set the __cf_bm bot-management cookie. Review whether it counts as strictly necessary in your jurisdiction.

Sentry

Error monitoring.

Apple Privacy Details (Yes) → Diagnostics (Crash data, Performance data) — usually Not Linked to user if you strip PII; Linked if you attach user context.

Google Data Safety (Yes) → App info and performance (Crash logs, Diagnostics) — Collected and shared with Functional Software, Inc. (Sentry).

GDPR processor list (Yes) → List Functional Software, Inc. dba Sentry as a processor.

Cookie banner? (No) → Server-side or SDK; no analytics cookies from Sentry by default.

Google Analytics 4

Web analytics. Subject to GA4 EU-region settings, Consent Mode v2.

Apple Privacy Details (Yes) → Usage Data and Identifiers (Device ID) — Linked to user; used for Analytics and Third-Party Advertising depending on settings.

Google Data Safety (Yes) → App activity and Device or other IDs — Collected and shared with Google LLC. Disclose Google Signals if enabled.

GDPR processor list (Yes) → List Google LLC and Google Ireland Limited. Reference Google Ads Data Processing Terms and your Consent Mode v2 setup.

Cookie banner? (Yes) → GA4 sets _ga and _ga_* cookies. A consent banner is typically required for EU traffic before GA fires.

Apple Sign In

Identity provider.

Apple Privacy Details (Yes) → Contact Info (Email, possibly a relay address) and Identifiers — Linked to user.

Google Data Safety (Yes) → Personal info (Email, User IDs) — Collected; shared with Apple as auth processor.

GDPR processor list (Yes) → List Apple Distribution International Ltd. as a processor. Note that the email may be Apple's private relay address.

Cookie banner? (No) → Native flow on iOS/macOS; web flow may set short-lived session cookies — review Apple's docs.

Mixpanel

Event analytics. EU residency option.

Apple Privacy Details (Yes) → Usage Data and Identifiers — typically Linked to user when distinct_id is identified; used for Analytics.

Google Data Safety (Yes) → App activity (App interactions) — Collected and shared with Mixpanel, Inc. as a processor.

GDPR processor list (Yes) → List Mixpanel, Inc. Disclose chosen data residency (US or EU).

Cookie banner? (Yes) → Mixpanel sets analytics cookies (mp_*). Treat as non-essential — consent typically required for EU traffic.

Primary references include Apple's App Privacy Details and Privacy Manifest docs, Google Play's Data Safety guidance, GDPR Art. 13 / 14, CCPA notice-at-collection rules, and vendor privacy or DPA pages. Access dates are tracked in Synthrek's source ledger.
