Subprocessors
Version 2.0Last update:
This page lists the third-party subprocessors (vendors and service providers) that Zenovay ("Zenovay", "we", "us", or "our") uses to assist in providing, maintaining, and improving our analytics platform and related services.
We carefully select subprocessors that maintain high standards for security, privacy, and data protection. All subprocessors are required to comply with applicable data protection laws and our data processing requirements.
What is a Subprocessor
A subprocessor is a third-party data processor engaged by Zenovay to assist in providing our Services. These subprocessors may process customer data on our behalf for purposes such as:
- Hosting infrastructure and content delivery
- Database management and data storage
- Payment processing and subscription management
- Email delivery and communication services
- Authentication and identity management
- Analytics and monitoring services
Current Subprocessors
The following table lists all active subprocessors used by Zenovay as of the date shown above:
| Subprocessor | Purpose | Location | Transfer Mechanism | Website |
|---|---|---|---|---|
| Cloudflare, Inc. | Edge computing (Workers), key-value storage (KV), static hosting (Pages), object storage (R2), CDN, DDoS protection, bot protection (Turnstile), and AI Gateway | United States (Global Edge) | EU-US DPF / Swiss-US DPF | cloudflare.com/privacypolicy/ |
| Supabase, Inc. | PostgreSQL database, real-time data synchronization, authentication, and storage | European Union (eu-central-1, Frankfurt) - primary database region since 24 April 2026 | Adequacy (data resident in EU); SCCs apply for any operational support data flows | supabase.com/privacy |
| Stripe, Inc. | Payment processing, billing, and subscription management | United States | EU-US DPF / Swiss-US DPF | stripe.com/privacy |
| Resend, Inc. | Transactional email delivery and notification services | United States | SCCs | resend.com/legal/privacy-policy |
| Mapbox, Inc. | Geolocation services and 3D globe visualization | United States | SCCs | mapbox.com/legal/privacy |
| Google LLC | OAuth social authentication (optional sign-in method) | United States | EU-US DPF / Swiss-US DPF | policies.google.com/privacy |
| GitHub (Microsoft Corp.) | OAuth social authentication (optional sign-in method) | United States | EU-US DPF / Swiss-US DPF | docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement |
| OpenAI, LLC | AI-powered analytics insights and natural language processing (optional feature) | United States | SCCs | openai.com/policies/privacy-policy |
| IPwho.is | IP geolocation fallback service | EU / Global | Adequacy / SCCs | ipwho.is |
| Meta Platforms, Inc. | Advertising conversion tracking and remarketing via Meta Pixel (requires user consent) | United States | EU-US DPF / Swiss-US DPF | facebook.com/privacy/policy/ |
| Reddit, Inc. | Advertising conversion tracking and remarketing via Reddit Pixel (requires user consent) | United States | SCCs | reddit.com/policies/privacy-policy |
| Google LLC (Analytics) | Website analytics, traffic measurement, and conversion tracking via Google Analytics 4 (requires user consent) | United States | EU-US DPF / Swiss-US DPF | policies.google.com/privacy |
| Sentry, Inc. | Error monitoring, application performance tracking, and crash reporting | United States | SCCs | sentry.io/privacy/ |
| LemonSqueezy (Lemon Squeezy, LLC) | Alternative payment processing, merchant-of-record billing, and invoice management for customers selecting LemonSqueezy at checkout | United States | SCCs | lemonsqueezy.com/privacy |
| Polar Software, Inc. | Alternative payment processing, subscription billing, and webhook delivery for customers selecting Polar at checkout | United States | SCCs | polar.sh/legal/privacy |
| Anthropic, PBC | AI-assisted email classification and drafting routed through Cloudflare AI Gateway. Processes only customer-owned email content and aggregated analytics; no raw visitor session data is sent. | United States | EU-US DPF / SCCs | anthropic.com/privacy |
Optional Subprocessors
The following subprocessors are only engaged when customers enable specific optional features:
| Subprocessor | Purpose | Feature | Transfer Mechanism | Website |
|---|---|---|---|---|
| IPinfo | Third-party data enrichment for business intelligence | B2B Company Identification | SCCs | ipinfo.io/privacy |
| Clearbit (HubSpot) | Third-party data enrichment for business intelligence | B2B Company Identification | EU-US DPF / SCCs | hubspot.com/data-privacy/privacy |
| Amazon Web Services (AWS S3) | Customer-managed object storage. Aggregated analytics_daily metrics are PUT to a bucket the customer owns and configures. Zenovay acts solely as an agent - credentials, bucket, region, and lifecycle policy are entirely customer-controlled. | Warehouse Export (S3) - Scale plan | Customer-controlled (transfer occurs under the customer's own AWS DPA, not Zenovay's) | aws.amazon.com/privacy/ |
Data Processing Standards
All subprocessors listed above are required to:
- Maintain appropriate technical and organizational security measures to protect customer data
- Process data only in accordance with Zenovay's documented instructions
- Comply with applicable data protection laws, including data protection regulations, CCPA, and other relevant regulations
- Implement data protection impact assessments where required by law
- Notify Zenovay promptly of any data breaches, security incidents, or unauthorized access
- Assist with data subject requests, including access, deletion, and portability requests
- Maintain appropriate certifications and security standards where applicable to their service category and size
- Return or delete customer data upon termination of services, as instructed
International Data Transfers
Zenovay's primary database (Supabase) is hosted in the European Union (eu-central-1, Frankfurt) since 24 April 2026, and Cloudflare R2 (heatmap screenshots) is configured with EU data location preference. Some of our other subprocessors (e.g. Stripe, Resend, OpenAI via Cloudflare AI Gateway) are US-based, which may involve transfers of personal data outside the European Economic Area (EEA) to countries that do not provide the same level of data protection as EEA countries.
For transfers of personal data from the EEA to countries without an adequacy decision, we ensure compliance through:
- EU-US Data Privacy Framework (DPF) / Swiss-US DPF: For US-based subprocessors that are certified under the EU-US and Swiss-US Data Privacy Framework, we rely on the DPF as a valid transfer mechanism (European Commission Adequacy Decision of 10 July 2023).
- Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses (Decision 2021/914) with subprocessors that are not certified under the DPF or as an additional safeguard.
- Data Processing Agreements (DPAs): All subprocessors are bound by comprehensive Data Processing Agreements that include appropriate data protection safeguards.
- Adequacy Decisions: Where applicable, we rely on adequacy decisions issued by the European Commission for certain countries.
- Supplementary Measures (Schrems II): We implement supplementary measures as recommended by the EDPB, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, Transfer Impact Assessments, and regular security audits.
Updates to This List
Zenovay may add, remove, or replace subprocessors from time to time as our business needs evolve, technology changes, or to improve our Services.
When we make changes to our subprocessors, we will:
- Update this page with the current list of subprocessors
- Update the "Last update" date at the top of this page
- Provide at least 30 days' advance notice to paying customers before adding new subprocessors
- Notify paying customers via email about material changes to subprocessors
- Provide paying customers with the right to object to new subprocessors on reasonable data protection grounds
We recommend checking this page periodically to stay informed about our current subprocessors. You may also subscribe to email notifications about subprocessor updates.
Your Rights
As a Zenovay customer, you have the right to:
- Request information about our subprocessors and their data processing activities
- Object to the use of new subprocessors on reasonable data protection grounds (available to all paying customers)
- Receive copies of our Data Processing Agreements upon request (subject to confidentiality obligations)
- Audit our compliance with data protection obligations or appoint a third-party auditor (subject to confidentiality and reasonable notice)
- Terminate your agreement if we cannot address your reasonable objections to a new subprocessor
Enterprise customers with specific data processing requirements may contact us to discuss customized data processing arrangements.
Contact Information
If you have questions about our subprocessors, data processing practices, or would like to subscribe to subprocessor update notifications, please contact us: