Sub-processors
Third-party services Moniqo uses to operate. We don't add new sub-processors silently — when the list changes, every user gets an email announcing the change at least 30 days before it takes effect.
Amazon Web Services (AWS)
Infrastructure hosting (compute, database, S3 storage, KMS keys)
- Region: ap-south-1 (Mumbai, India)
- Data accessed: All customer data is stored on AWS infrastructure under encryption at rest. AWS personnel cannot decrypt without keys we control.
AWS SES
Transactional email delivery (password reset, OTP, alerts)
- Region: ap-south-1 (Mumbai)
- Data accessed: Email address + email body. Sent only when you explicitly trigger an email-bearing action (sign up, password reset, support session approval).
Google Gemini API
Monthly AI-generated spending insights
- Region: United States (Google Cloud)
- Data accessed: PII-redacted aggregates only. Account numbers, exact balances, personal notes, and counterparty names are stripped before any data leaves Moniqo (see lib/ai-redact.ts in our codebase). Never raw transactions.
Sentry
Error tracking (env-gated; can be disabled)
- Region: United States / EU
- Data accessed: Stack traces + request metadata. PII and transaction data are scrubbed by Sentry-side filters before storage.
What we deliberately don't use
- No advertising or marketing trackers. No Google Analytics, no Meta Pixel, no Hotjar, no Mixpanel, no Amplitude.
- No transaction-aggregator services. We do not use Plaid, MX, Yodlee, or any equivalent. Bank statements arrive as user-uploaded PDFs and we parse them locally.
- No social-media login telemetry. If you sign in with Google or Microsoft, we receive only your basic profile (name, email, avatar) — we don't request any extended scopes.
Last updated: 12 May 2026. See /security for the full operator-access model.