ChatME — Sub-processor list
Version: 1.4 · Last reviewed: 2026-07-09
Controller (us): ChatMe OÜ · Reg. 17391989 · VAT EE102933761 · Järvevana tee 9, Tallinn, 11314, Estonia · privacy@chatme.es
This document lists every third party that processes personal data on our behalf when you use ChatME. Each entry shows: what they do, what data they receive, where they process it, and the legal basis for any transfer outside the EEA.
If you are a ChatME customer (the data controller for your end-users' data), you have the right under your DPA with us to know who our sub-processors are and to object to changes. We will give 30 days' notice via email and an updated version of this page before adding any new sub-processor.
How to read this list
- Service: the vendor + what they do for ChatME.
- Data processed: the specific personal data they touch.
- Region: where the data is physically processed.
- Transfer mechanism: how data lawfully leaves the EEA (when it does). Either adequacy decision, Standard Contractual Clauses (SCCs), or n/a (data stays in EEA).
- DPA / safeguards: link to the vendor's signed Data Processing Addendum.
- Role: sub-processor (acts on our instructions) vs joint controller (acts on its own).
1 · Supabase
|
|
| Service |
Managed Postgres database + Auth + Storage. Hosts every row of customer + visitor data. |
| Data processed |
Owner account info (email, hashed password, full name, business name, locale, plan), chatbot configuration, knowledge base content + embeddings, visitor conversations, form submissions, link clicks, usage logs, audit logs, Instagram OAuth tokens. |
| Region |
EU — eu-west-1 (Dublin, Ireland) |
| Transfer mechanism |
n/a (data stays in EEA) |
| DPA |
supabase.com/legal/dpa |
| Role |
Sub-processor |
| Vendor |
Supabase, Inc., 970 Toa Payoh North, #07-04, Singapore 318992 (US/EU operations via subsidiaries) |
| Notes |
All data encrypted at rest (AES-256) and in transit (TLS 1.2+). RLS enforced at the database level. |
2 · Anthropic
|
|
| Service |
LLM inference for chatbot conversations. We call claude-haiku-4-5 per visitor message. |
| Data processed |
The chatbot's system prompt (your custom instructions + knowledge-base chunks retrieved via RAG) and the visitor's current message + recent turn history (last ~20 messages). This may include PII the visitor pastes (name, email, phone, free-text). |
| Region |
United States (Anthropic's US-East datacenters) |
| Transfer mechanism |
Standard Contractual Clauses (SCCs), Module 3 (processor → processor). |
| DPA |
anthropic.com/legal/commercial-terms — Commercial Terms include the DPA by reference |
| Role |
Sub-processor |
| Vendor |
Anthropic, PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA |
| Notes |
Anthropic's commercial terms guarantee: no training on customer data, no human review of inputs/outputs, 30-day data retention for abuse monitoring then deletion. |
3 · OpenAI
|
|
| Service |
Text embeddings for RAG (Retrieval-Augmented Generation). Model: text-embedding-3-small (1536 dims). |
| Data processed |
(a) Visitor message text, embedded per chat turn for vector search against your knowledge base. (b) Your knowledge-source content (web pages + uploaded documents), embedded once when added to the knowledge base. |
| Region |
United States |
| Transfer mechanism |
Standard Contractual Clauses (SCCs), Module 3 |
| DPA |
openai.com/policies/data-processing-addendum |
| Role |
Sub-processor |
| Vendor |
OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA |
| Notes |
API tier (not ChatGPT): no training on inputs, no human review by default, 30-day retention for abuse monitoring. |
4 · Resend
|
|
| Service |
Transactional email delivery — Welcome / Trial-ending / Welcome-to-paid / Payment-failed / Canceled emails, Supabase auth emails (confirm, reset, magic link), and form-submission notifications to chatbot owners. |
| Data processed |
Recipient email address, sender info, email subject + body. Body content may include: visitor name, business name, billing amount, plan name, form-submission field values (name / email / phone / message), one-time auth links. |
| Region |
United States (primary), with global delivery infrastructure |
| Transfer mechanism |
Standard Contractual Clauses (SCCs), Module 3 |
| DPA |
resend.com/legal/dpa |
| Role |
Sub-processor |
| Vendor |
Resend, Inc., 2261 Market Street #4790, San Francisco, CA 94114, USA |
| Notes |
Emails are stored at Resend for 30 days for delivery diagnostics, then deleted. |
5 · Stripe
|
|
| Service |
Subscription billing, payment processing, customer portal. Used only by ChatME owners (paying customers), never end-user visitors. |
| Data processed |
Owner email + name, billing address, VAT/NIF, payment method token (we never see the actual card number — it goes Stripe-direct via Stripe Elements / Checkout). Subscription state mirrored back to our DB via webhooks. |
| Region |
EU — Stripe Payments Europe, Ltd. (Ireland) is the contracting Stripe entity for EU customers |
| Transfer mechanism |
Primary data resides in EU. Some operational data may be processed in the US under SCCs. |
| DPA |
stripe.com/legal/dpa |
| Role |
Joint controller for payment-related data (Stripe sets its own retention/anti-fraud rules per PCI-DSS), sub-processor for everything else |
| Vendor |
Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland |
| Notes |
Stripe is PCI-DSS Level 1 certified. ChatME is out-of-scope for PCI because we never receive cardholder data. |
6 · Vercel
|
|
| Service |
Application + marketing-site hosting + CDN + Edge functions. Every HTTP request to app.chatme.es and chatme.es, and every widget script load, transits Vercel. |
| Data processed |
HTTP request metadata (IP address, user agent, referrer, request body) and response payloads — which includes everything else in this list during normal app operation. |
| Region |
Vercel's edge network is global; serverless functions for ChatME are pinned to fra1 (Frankfurt, EU) via vercel.json. Edge cache served from the nearest PoP. Logs are processed in the US. |
| Transfer mechanism |
Standard Contractual Clauses (SCCs), Module 3 — for log processing in the US. |
| DPA |
vercel.com/legal/dpa |
| Role |
Sub-processor |
| Vendor |
Vercel, Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA |
| Notes |
Vercel logs requests for 30 days for debugging, then deletes. |
7 · Google
|
|
| Service |
Google Calendar API — only when a ChatME owner connects their own Google Calendar to enable chatbot appointment booking (optional feature). |
| Data processed |
The owner's primary-calendar free/busy ranges (read) and new appointment events we create on their behalf. We never read event titles, descriptions, attendees or content. OAuth access/refresh tokens, stored encrypted (AES-256-GCM). |
| Region |
United States |
| Transfer mechanism |
Standard Contractual Clauses (SCCs), Module 3 |
| DPA |
cloud.google.com/terms/data-processing-addendum |
| Role |
Sub-processor (client-authorized integration). The calendar data belongs to the owner (controller-side); the owner connects and disconnects it themselves. |
| Vendor |
Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (Google LLC, USA, for processing) |
| Notes |
Use of Google data adheres to the Google API Services User Data Policy, including Limited Use. Tokens are deleted when the owner disconnects the calendar. |
8 · Meta Platforms (Instagram & WhatsApp messaging — only if connected)
|
|
| Service |
Instagram DM and WhatsApp Business messaging channels. Active only if a ChatME owner connects their Instagram/WhatsApp account so the chatbot can reply on those channels. |
| Data processed |
Visitor messages sent via Instagram/WhatsApp, the sender's platform ID, and the messaging access tokens (stored encrypted) needed to receive and reply. |
| Region |
United States (with global infrastructure) |
| Transfer mechanism |
Standard Contractual Clauses (SCCs), Module 3 |
| DPA |
facebook.com/legal/terms/dataprocessing |
| Role |
Sub-processor for the messaging relay; Meta is an independent controller of its own platform data. |
| Vendor |
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland |
| Notes |
The visitor chose to message the business on Meta's platform, so Meta's own policies also apply there. ChatME only processes the message to generate the chatbot's reply. |
9 · Plausible Analytics
|
|
| Service |
Privacy-friendly, cookieless web analytics for our public marketing site (chatme.es only — not the app or the widget). Aggregated traffic measurement: page views, top pages, referral sources, country, device type. |
| Data processed |
Page URL, referrer, browser, operating system, device type, and country (derived from IP). The visitor's IP address and user-agent are used only transiently to compute a daily-rotating, one-way anonymized hash for counting unique visitors, then immediately discarded — never stored. No cookies, no persistent identifiers, no cross-site or cross-day tracking, no personal data retained. |
| Region |
EU — Germany (Hetzner; Falkenstein / Nuremberg). All data is stored and processed within the EU. |
| Transfer mechanism |
n/a (data stays in EEA) |
| DPA |
plausible.io/dpa |
| Role |
Sub-processor |
| Vendor |
Plausible Insights OÜ, Västriku tn 2, Tartu, 50403, Estonia |
| Notes |
Cookieless and compliant with GDPR, the ePrivacy Directive and PECR without requiring a consent banner, because it sets no cookies and stores no personal data. EU-owned (Estonian company) and EU-hosted. Open-source. |
10 · Google Analytics & Google Ads (marketing site — only with consent)
|
|
| Service |
Traffic analytics (Google Analytics 4) and advertising/conversion measurement + remarketing (Google Ads) on our public marketing site (chatme.es only — not the app or the widget), loaded via Google Tag Manager. Activated only after the visitor consents (Google Consent Mode v2; denied by default). |
| Data processed |
Pseudonymous cookie identifiers (_ga, _gcl_au), IP address (shortened by GA before storage), page URLs, referrer, device/browser, and ad-interaction / conversion events. No account credentials or chatbot/visitor conversation data. |
| Region |
United States (Google Ireland Ltd. is the EU contracting entity) |
| Transfer mechanism |
Standard Contractual Clauses (SCCs) — Google Ads Data Processing Terms |
| DPA |
business.safety.google/adsprocessorterms |
| Role |
Processor for GA4 analytics; joint controller for Google Ads measurement |
| Vendor |
Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland |
| Notes |
In the default (no-consent) state, Consent Mode sends cookieless pings only — no cookies, no identifiers. Cookies (_ga, _ga_<ID>, _gcl_au) are written only after opt-in. See the Cookie Policy §3.1. |
11 · Rewardful (affiliate program)
|
|
| Service |
Affiliate-program tracking & attribution. Records visits, sign-ups and conversions that originate from an affiliate link on chatme.es, and calculates the resulting commissions. Active only for our affiliate program. |
| Data processed |
For a visitor who arrives via an affiliate link: a first-party referral identifier (a random UUID — no personal data), pages visited, and — if they subscribe — the conversion linked to their Stripe customer (passed as client_reference_id) plus the subscription amount, used to compute the affiliate's commission. Separately, for affiliates who join: the account + payout details they enter directly into Rewardful's own hosted portal (name, email, PayPal/Wise). |
| Region |
United States (Rewardful is hosted on AWS, US) |
| Transfer mechanism |
Standard Contractual Clauses (SCCs), Module 3. |
| DPA |
Available on request from Rewardful — dpo@rewardful.com; see rewardful.com/trust-center |
| Role |
Sub-processor for the referral/conversion tracking we instruct. Rewardful acts as an independent controller for the affiliates' own account + payout data they submit to its portal. |
| Vendor |
Rewardful Inc. (North America) |
| Notes |
The referral cookie is first-party and stores only a random referral ID — no name, email, or cross-site advertising identifier, and no profiling. Conversion data shared is limited to what's needed to attribute the sale and compute the commission. |
Summary table
| # |
Vendor |
Service |
Region |
Transfer |
Role |
| 1 |
Supabase |
Database + Auth + Storage |
🇮🇪 EU |
n/a |
Sub-processor |
| 2 |
Anthropic |
LLM inference |
🇺🇸 US |
SCCs |
Sub-processor |
| 3 |
OpenAI |
Embeddings |
🇺🇸 US |
SCCs |
Sub-processor |
| 4 |
Resend |
Email delivery |
🇺🇸 US |
SCCs |
Sub-processor |
| 5 |
Stripe |
Billing |
🇮🇪 EU |
n/a (primary) |
Joint controller |
| 6 |
Vercel |
Hosting + edge |
🌍 Multi |
SCCs |
Sub-processor |
| 7 |
Google |
Calendar (if connected) |
🇺🇸 US |
SCCs |
Sub-processor |
| 8 |
Meta |
IG/WhatsApp (if connected) |
🇺🇸 US |
SCCs |
Sub-processor |
| 9 |
Plausible |
Web analytics (chatme.es) |
🇩🇪 EU |
n/a |
Sub-processor |
| 10 |
Google Analytics / Ads |
Marketing-site analytics + ads (consent) |
🇺🇸 US |
SCCs |
Processor / joint controller |
| 11 |
Rewardful |
Affiliate tracking (chatme.es) |
🇺🇸 US |
SCCs |
Sub-processor |
Updates to this list
We will notify ChatME customers at least 30 days before adding a new sub-processor. Notifications go to:
- The email on file for your ChatME account.
- Updates to this page on app.chatme.es.
If you object to a new sub-processor and we can't offer an alternative, you can terminate your subscription with a pro-rata refund for the unused portion.
Contact
Questions about this list, requests to exercise your data subject rights, or to object to a sub-processor: privacy@chatme.es
Data-protection queries and data-subject requests: privacy@chatme.es.