Sub-Processors | Rythm

The following third-party service providers (“sub-processors”) process personal data on behalf of Rythm to provide the Service. This list is referenced by our Privacy Policy.

We will update this page when we add or remove sub-processors. If a change materially affects how your personal data is processed, we will notify you in accordance with Section 16 of our Privacy Policy.

Infrastructure & Hosting

Provider	Purpose	Data Processed	Location
Amazon Web Services (AWS)	Cloud infrastructure, database hosting, serverless compute, encryption key management	All stored data (encrypted at rest via KMS AES-256)	United States (us-east-1)
Vercel	Web application hosting, frontend delivery	Standard web server access logs (IP address, browser type, page path)	United States

Email Provider Integrations

Provider	Purpose	Data Processed	Location
Google (Gmail API)	Email paywall enforcement, label management, contact-based whitelist initialization	OAuth credentials, email metadata, labels. Email body read in memory only (never stored).	United States
Microsoft (Graph API)	Email paywall enforcement (Outlook), folder/category management	OAuth credentials, email metadata, categories. Email body read in memory only (never stored).	United States

Payment Processing

Provider	Purpose	Data Processed	Location
Square	Card-based subscription billing	Email address, name, tokenized card data (card numbers never reach Rythm servers)	United States
Strike	Lightning Network subscription payments and service revenue sweep	Payment amounts only. No user-identifying information is sent.	United States
Cashu Mints (public, third-party operated)	Email delivery credit verification and settlement	Cryptographic proof data and Lightning invoices. No user-identifying information is sent.	Various (operator-dependent)

Communications

Provider	Purpose	Data Processed	Location
Resend	Transactional rejection notification emails	Sender email address (notification recipient). In rare failure cases, email delivery credit proof data for manual recovery.	United States

Important Notes

No analytics sub-processors. Rythm does not use any third-party analytics, tracking, or advertising services (no Google Analytics, Segment, Mixpanel, or similar).
Data Processing Addendums. AWS and Vercel process data under their respective Data Processing Addendums. Square is PCI-DSS Level 1 certified.
Cashu mints are decentralized. Cashu mints are independently operated services. Rythm does not control them and does not send any user-identifying data to them. Mint interactions are limited to cryptographic proof verification and Lightning invoice settlement.

Questions about our sub-processors? Contact us at privacy@rythm.xyz.