# Konto AI — Sub-processor register

This document lists the third-party services ("sub-processors") that process personal data on behalf of Konto AI in order to deliver the service. It is published in compliance with **LGPD Lei 13.709/2018, Art. 33** (international transfer) and **Art. 39** (the controller must be able to demonstrate accountability for all processing on its behalf).

We update this register whenever we add, remove, or materially change a sub-processor. Material changes are also reflected in the [Política de Privacidade](https://kontoai.com.br/privacidade.html). Last updated: **2026-05-01**.

If you have questions about any of these, write to **encarregado@kontoai.com.br** (our LGPD DPO inbox).

---

## Active sub-processors

| Provider | Purpose | Categories of data shared | Region | Legal basis |
|---|---|---|---|---|
| **Supabase** (Supabase Inc., USA) | Authentication, Postgres database, Edge Functions, file storage. The primary system of record for all user data. | Email, hashed password, profile info (name, phone), all financial data (bank connections, transactions, investments, goals, subscriptions), session tokens. | US (default region) | Execução de contrato (Art. 7º V) |
| **Pluggy** (Pluggy Tecnologia Ltda., Brazil) | Open Finance Brazil aggregator. Connects to user-authorized banks and brokerages and returns balances, transactions, and investment positions. | User's open-finance consent token, bank/brokerage account IDs, balances, transaction descriptions and amounts, investment positions. We do NOT share email, name, or other directly-identifying PII. | Brazil | Execução de contrato (Art. 7º V) + consentimento (Art. 7º I) on each new bank connection |
| **Mercado Pago** (MercadoPago.com Representações Ltda., Brazil) | Subscription billing for the Pro and Pro Max plans. Tokenizes credit cards in the user's browser; raw card data never reaches Konto. | Payer email, MP subscription ID, plan ID, optional discount code. | Brazil + AWS sa-east-1 | Execução de contrato (Art. 7º V) for paid plans only |
| **Resend** (Resend Inc., USA, on top of AWS SES) | Outbound email — weekly financial report, password resets, system notifications. Domain `kontoai.com.br` is verified end-to-end (DKIM, SPF, DMARC). | Recipient email, message content (the weekly report PDF includes balances/transactions). Bounces handled via `send.kontoai.com.br` MX → AWS SES sa-east-1. | US (Resend control plane) + sa-east-1 (SMTP delivery) | Execução de contrato (Art. 7º V) |
| **Twilio** (Twilio Inc., USA) | Inbound and outbound WhatsApp messages — the bot that lets the MEI assistant log transactions by text. | Recipient WhatsApp number (E.164 format), message body, AI-extracted transaction fields. | US (Twilio control plane) | Consentimento (Art. 7º I) — opt-in via Perfil → WhatsApp |
| **Anthropic** (Anthropic PBC, USA) | The Claude language model powers the in-app financial assistant ("Consultor IA") and parses incoming WhatsApp messages into structured transactions. | Free-form chat text from the user, the user's current financial summary (anonymized aggregates: bank totals, monthly spending by category, goal progress, asset list with tickers — NOT raw transaction descriptions or counterparty names). Under Anthropic's [commercial terms](https://www.anthropic.com/legal/commercial-terms), API inputs are not used to train models. | US | Execução de contrato (Art. 7º V) |
| **brapi.dev** (Brazilian individual operator) | Stock and FII price quotes for the Bens (investments) tab. | Public B3 ticker symbols only (e.g., `BBAS3`, `VALE3`). No user data is sent. | Brazil | Não há tratamento de dados pessoais |
| **Netlify** (Netlify Inc., USA) | Static-site hosting (`kontoai.com.br`, `www.kontoai.com.br`) and DNS. Edge nodes globally. | IP address and User-Agent (server logs only, retained per Netlify's policy). No application-layer user data. | US + global edge | Legítimo interesse (Art. 7º IX) — operação técnica do site |
| **ImprovMX** (ImprovMX SAS, France) | Inbound email forwarding for `*@kontoai.com.br` → `rafavergara4@icloud.com`. Used so users (and security researchers via `security@`) can reach a real inbox. | Sender email, message body of any mail sent to `kontoai.com.br` addresses. | EU (France) | Legítimo interesse (Art. 7º IX) |
| **Apple** (Apple Inc., USA) | iCloud Mail receives forwarded administrative mail (the personal inbox of the controller). Not used for end-user data. | N/A — only mail addressed to admin/security/DPO inboxes. | US | N/A |

---

## Out-of-scope (intentionally NOT used)

To keep the data footprint small, Konto AI does **not** use:

- Analytics or tracking platforms (Google Analytics, Mixpanel, Segment, etc.)
- Advertising networks or pixels
- Customer-data platforms (CDPs)
- Session-recording tools (FullStory, Hotjar, etc.)
- Third-party customer-support widgets that load on every page (Intercom, Zendesk Messenger, etc.)
- Any service that requires sharing raw bank transaction descriptions or counterparty names with third parties

This list is intentional. If we ever change it, this register is updated first and announced via in-app banner per LGPD Art. 8º §6º.

---

## How to request access, deletion, or rectification

Per LGPD Art. 18, users can:

- Confirm whether their data is being processed (Art. 18 I)
- Access their data (Art. 18 II) — in-app via "Baixar meus dados" *(roadmap)*
- Correct incomplete or inaccurate data (Art. 18 III) — in-app via Configurações
- Anonymize, block, or delete unnecessary data (Art. 18 IV) — in-app via Configurações → Excluir conta *(roadmap)*
- Request portability of data to another controller (Art. 18 V)
- Delete data processed under consent (Art. 18 VI) — in-app via Configurações → Excluir conta *(roadmap)*
- Be informed about public and private entities the data has been shared with (Art. 18 VII) — see this register
- Be informed about the possibility of refusing consent and the consequences (Art. 18 VIII) — see Política de Privacidade
- Revoke consent (Art. 18 IX) — disconnect WhatsApp / banks / Pro plan in-app

Requests that cannot be completed self-service in-app should go to **encarregado@kontoai.com.br**. We respond within 15 days per LGPD Art. 19 I.
