Subprocessor List

Current as of the Privacy Policy version date. We notify users of material changes at least 14 days in advance.

Each processor is bound by a Data Processing Agreement and, where applicable, the EU–US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs).

Subprocessor	Purpose	Data Processed	Location	Transfer Mechanism
Supabase	Database, auth, storage, edge functions	Account data, brand assets, usage data	US (or EU region if configured)	DPF (verify) + SCCs
Vercel	Hosting, CDN, serverless runtime, cron	Request logs, IP (ephemeral)	US	DPF + SCCs
Sentry	Error tracking	Anonymised stack traces, user ID	US	DPF + SCCs
Mixpanel	Product analytics — funnels, cohorts (opt-in only). Optional Session Replay (separate, granular opt-in) for UX debugging.	Usage events, $device_id, user_id, tenant_id, role, email, name. Session Replay (when enabled): masked DOM events of in-app interactions; payment, integration, admin, and brand-KB routes are excluded entirely.	EU (Frankfurt)	EU residency for primary storage; SCCs for any incidental US support access
Google (Analytics 4)	Audience and acquisition analytics (opt-in only)	Pseudonymous client_id, page URL, referrer, user_id once authenticated	US (with EU regional collection per GA4 default)	DPF + SCCs
Resend	Transactional email	Email address, name, message body	US	DPF + SCCs
OpenAI	AI content generation	Prompts + brand context	US	DPF
Anthropic	AI content generation	Prompts + brand context	US	SCCs
Google (Gemini)	AI fact-checking	Prompts + brand context	US / EU	DPF
Ideogram / Flux (BFL)	AI image generation	Image prompts	US / EU	SCCs
Customer-connected integrations (WordPress, Buffer, WooCommerce, Google Ads, Meta Ads, Brevo)	Publishing + analytics	API keys, publishing payloads, analytics	Varies per vendor	Customer-configured

To subscribe to change notifications or ask questions about this list, email kobi@leanspothub.com.