Boilerplate-Stack
Legal document

Subprocessors

The third-party service providers that process personal data on our behalf, with details about their role, data categories, hosting region, and the data processing agreement (DPA) that governs the relationship.

Last updated: May 21, 2026

We use the following subprocessors to operate our service. Each one is bound by a Data Processing Agreement (DPA) and, where applicable, the European Commission's Standard Contractual Clauses for international transfers. This list is published in compliance with GDPR Article 28, UK GDPR, Quebec Law 25, Swiss FADP, and the CCPA service-provider disclosure requirement.

SubprocessorPurposeData categoriesHosting regionLegal docs
SupabaseDatabase, authentication, file storage
  • Account data
  • Profile data
  • Usage data
  • Uploaded content
US (with EU/UK hosting available)
StripePayment processing, subscription billing
  • Email
  • Billing address
  • Card data (PCI-DSS scope, Stripe-hosted)
  • Transaction history
US / IE (EU operations)
Brevo (Sendinblue)Transactional & marketing email delivery
  • Email address
  • Name
  • Email engagement metrics
FR / EU
MailjetTransactional email delivery (fallback)
  • Email address
  • Name
  • Email engagement metrics
FR / EU
CloudflareCDN, DDoS protection, Turnstile bot protection
  • IP address
  • User agent
  • Turnstile challenge metadata
US (EU SCCs in place)
UpstashRedis-based rate limiting & ephemeral caching
  • IP address (rate-limit keys, short retention)
US (with EU regions)
CrispLive chat support (loaded only with consent)
  • Email
  • Name
  • Chat content
  • Page URL
FR / EU
Google (Tag Manager + Analytics)Web analytics (loaded only with analytics consent)
  • IP address (truncated)
  • Device data
  • Page interaction events
US (EU SCCs + Data Privacy Framework)
Meta (Pixel)Marketing conversion tracking (loaded only with marketing consent)
  • Event data
  • Hashed identifiers
US / IE (EU SCCs)
OpenAIAI inference (chat, code, writing assistants)
  • Prompt content
  • Generated output
  • Usage metadata
US (EU SCCs; zero-retention API mode)
AnthropicAI inference (Claude models)
  • Prompt content
  • Generated output
  • Usage metadata
US (EU SCCs)
Google AI (Gemini)AI inference (Gemini models)
  • Prompt content
  • Generated output
  • Usage metadata
US (EU SCCs + Data Privacy Framework)

International transfers

Some of our subprocessors are located outside the European Economic Area. For transfers to the United States, we rely on the EU–US Data Privacy Framework where the recipient is certified, and on the European Commission's Standard Contractual Clauses (SCCs) in all other cases. Switzerland is recognized as offering an adequate level of protection. Transfers to or from Canada are covered by PIPEDA-equivalent safeguards.

Changes to this list

When we add or remove a subprocessor that materially changes how we process your personal data, we update this page. If you would like to be notified of changes by email, contact us at [email protected].