Subprocessors
Effective date: 2026-07-09
What's a subprocessor?
Under GDPR, a "subprocessor" is a third-party service that processes personal data on our behalf, beyond what we do ourselves. When a venue (the data controller) uses ExcuseMe (the data processor), they transitively use every subprocessor on this list.
Our Data Processing Agreement authorises us to engage these subprocessors. We commit to:
- Keeping this list accurate.
- Notifying customers at least 30 days before we add a new one (unless added urgently for security, in which case we notify on addition).
- Signing a GDPR Article 28-compliant DPA with each subprocessor.
- Applying Standard Contractual Clauses (SCCs) or the UK Addendum where transfers leave the EEA / UK.
You can subscribe to subprocessor-change notifications at privacy@excuseme.pro (or watch this page for changes).
Current subprocessors
Infrastructure
| Provider | Service | Data categories | Location | Transfer safeguard | |---|---|---|---|---| | Supabase, Inc. | Managed Postgres + Auth + Storage + Realtime | All tenant data (orders, menus, accounts, loyalty, chat sessions) | eu-central-1 (Frankfurt) | EU/EEA — no transfer needed | | Vercel, Inc. | Application hosting, Edge runtime, CDN | Request metadata, IP address, session cookies, uploaded assets | EU primary region where configured; edge/CDN processing may occur in other regions | SCCs where data leaves the EEA / UK |
AI
| Provider | Service | Data categories | Location | Transfer safeguard + notes | |---|---|---|---|---| | Anthropic, PBC | Claude API (AI bartender chat) | Chat prompts, menu context, user messages, assistant responses | United States; EU routing where contractually available | SCCs. Commercial API terms: API content is not used for model training by default. Production access runs under a dedicated business organization (configuration verified 2026-07-08). | | OpenAI, L.L.C. (Realtime) | Optional voice-ordering engine | Customer voice audio in transit, transcribed text, model output, tool-call arguments | United States or configured processing region | SCCs. Not enabled in production today — guest voice runs on Google Gemini Live. If enabled, OpenAI retains API inputs and outputs for up to 30 days solely for abuse monitoring, then deletes them; content is not used for model training. ExcuseMe does not persist raw audio at the application layer. | | OpenAI, L.L.C. (embeddings) | Text embeddings for menu and knowledge search | Menu item descriptions and venue knowledge content | United States or configured processing region | SCCs. OpenAI retains API inputs and outputs for up to 30 days solely for abuse monitoring, then deletes them; content is not used for model training. | | Google LLC / Google Ireland Ltd. (Gemini Live) | Voice-ordering engine | Customer voice audio in transit, transcript, model output, tool-call arguments | EU where configured via Google Cloud / Vertex AI; otherwise other Google processing regions may apply | SCCs + UK Addendum where data leaves the EEA / UK. Paid-tier API on a billing-enabled project: content is not used to improve Google products (configuration verified 2026-07-08). | | Google LLC / Google Ireland Ltd. (Cloud TTS / STT) | Cloud voice synthesis, speech-to-text fallback | Text to synthesise, audio snippets | EU where configured; otherwise other Google processing regions may apply | SCCs + UK Addendum where data leaves the EEA / UK. Standard Google Cloud commercial terms apply. |
Identity and authentication (SSO sign-in)
Engaged only when a user chooses social sign-in. We receive a basic identity profile (name, email, the provider's account identifier) from the provider's account chooser; we never receive the user's password.
| Provider | Service | Data categories | Used by | Transfer safeguard | |---|---|---|---|---| | Google LLC / Google Ireland Ltd. | OAuth account chooser ("Sign in with Google") | Name, email, Google account id | Venue staff sign-in and guest loyalty sign-in | SCCs + UK Addendum where data leaves the EEA / UK; governed by Google's terms | | Microsoft Corporation / Microsoft Ireland Operations Ltd. | OAuth account chooser ("Sign in with Microsoft", Microsoft Entra ID) | Name, email, Microsoft account id | Venue staff (Admin User) sign-in | SCCs + UK Addendum where data leaves the EEA / UK; governed by Microsoft's terms | | Apple Inc. / Apple Distribution International Ltd. | OAuth account chooser ("Sign in with Apple") | Name, email (or Apple Private Relay address), Apple account id | Venue staff (Admin User) sign-in | SCCs where data leaves the EEA / UK; governed by Apple's terms |
Billing
| Provider | Service | Data categories | Location | Notes | |---|---|---|---|---| | Paddle.com Market Ltd. | Merchant of Record (subscription billing, tax, invoicing, card processing) | Admin User name + email, billing address, card data (never stored by us) | United Kingdom + EU | Paddle acts as Merchant of Record and may act as an independent controller for parts of the payment flow. |
Email and communications
| Provider | Service | Data categories | Location | Legal basis | |---|---|---|---|---| | Resend (Plus Five Five, Inc.) | Transactional email (invites, password resets, receipts, quota alerts, data-subject request confirmations) | Admin User + customer email addresses + message contents | EU where available | SCCs where data leaves the EEA / UK (attached to the Resend DPA). DPA in effect — incorporated into Resend's Terms of Service and effective as of our acceptance; dated copy retained in company records. |
Support and operations
| Provider | Service | Data categories | Location | Legal basis | |---|---|---|---|---| | (email only — hello@excuseme.pro / billing@excuseme.pro) | Support conversations | Whatever the user writes in + their email | EU (handled directly by ExcuseMe staff via the Resend-fronted inbox) | Not applicable — ExcuseMe is the controller; no third-party support tool. |
Optional integrations (only when the venue enables them)
| Provider | Service | Data categories | Enabled by | Legal basis | |---|---|---|---|---| | Slack Technologies, Inc. | Incoming Webhook for operational alerts | Order summaries, alert messages | Venue pastes a webhook URL | Data sent only when the tenant configures it; Slack's own DPA applies | | Discord Inc. | Incoming Webhook | Same as Slack | Venue pastes webhook URL | Discord's own terms apply | | Telegram | Bot messages | Same as Slack | Venue pastes bot token + chat ID | Telegram's own terms apply |
Regional data residency
Our default setup runs in the EU where the selected provider and plan support it. When a customer (venue) is located in a jurisdiction with specific data-residency requirements, we can discuss:
- EU-only database and storage configuration where available.
- Regionally-routed application hosting where available.
- Provider selection for AI where an EU processing option is available; otherwise transfers rely on appropriate safeguards.
Contact privacy@excuseme.pro to request a residency-specific configuration.
When a subprocessor changes
- New subprocessor added — we update this page, note the date, and email Admin Users at least 30 days before the change takes effect. DPA customers can object under DPA §7.3; if we can't reach agreement, the customer can terminate the affected services without penalty.
- Subprocessor removed — we update this page; data at that provider is deleted or migrated per the removal plan.
- Subprocessor breach — we notify affected Admin Users within 72 hours of discovery per GDPR Art. 33, plus relevant supervisory authorities.
Version history
We keep a full change history in the repository at
doc/public/legal/subprocessors.md. The effective date at
the top of this page reflects the current version.
Contact
privacy@excuseme.pro for questions about the subprocessor list or to request a residency-specific configuration.