ChatME — Sub-processor list
Version: 1.0 · Last reviewed: 2026-05-21
Controller (us): ChatMe OÜ · Reg. EE102933761 · Järvevana tee 9, Tallinn, 11314, Estonia · privacy@chatme.es
This document lists every third party that processes personal data on our behalf when you use ChatME. Each entry shows: what they do, what data they receive, where they process it, and the legal basis for any transfer outside the EEA.
If you are a ChatME customer (the data controller for your end-users' data), you have the right under your DPA with us to know who our sub-processors are and to object to changes. We will give 30 days' notice via email and an updated version of this page before adding any new sub-processor.
How to read this list
- Service: the vendor + what they do for ChatME.
- Data processed: the specific personal data they touch.
- Region: where the data is physically processed.
- Transfer mechanism: how data lawfully leaves the EEA (when it does). Either adequacy decision, Standard Contractual Clauses (SCCs), or n/a (data stays in EEA).
- DPA / safeguards: link to the vendor's signed Data Processing Addendum.
- Role: sub-processor (acts on our instructions) vs joint controller (acts on its own).
1 · Supabase
|
|
| Service |
Managed Postgres database + Auth + Storage. Hosts every row of customer + visitor data. |
| Data processed |
Owner account info (email, hashed password, full name, business name, locale, plan), chatbot configuration, knowledge base content + embeddings, visitor conversations, form submissions, link clicks, usage logs, audit logs, Instagram OAuth tokens. |
| Region |
EU — eu-west-1 (Dublin, Ireland) |
| Transfer mechanism |
n/a (data stays in EEA) |
| DPA |
supabase.com/legal/dpa |
| Role |
Sub-processor |
| Vendor |
Supabase, Inc., 970 Toa Payoh North, #07-04, Singapore 318992 (US/EU operations via subsidiaries) |
| Notes |
All data encrypted at rest (AES-256) and in transit (TLS 1.2+). RLS enforced at the database level. |
2 · Anthropic
|
|
| Service |
LLM inference for chatbot conversations. We call claude-haiku-4-5 per visitor message. |
| Data processed |
The chatbot's system prompt (your custom instructions + knowledge-base chunks retrieved via RAG) and the visitor's current message + recent turn history (last ~20 messages). This may include PII the visitor pastes (name, email, phone, free-text). |
| Region |
United States (Anthropic's US-East datacenters) |
| Transfer mechanism |
Standard Contractual Clauses (SCCs), Module 3 (processor → processor). |
| DPA |
anthropic.com/legal/commercial-terms — Commercial Terms include the DPA by reference |
| Role |
Sub-processor |
| Vendor |
Anthropic, PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA |
| Notes |
Anthropic's commercial terms guarantee: no training on customer data, no human review of inputs/outputs, 30-day data retention for abuse monitoring then deletion. |
3 · OpenAI
|
|
| Service |
Text embeddings for RAG (Retrieval-Augmented Generation). Model: text-embedding-3-small (1536 dims). |
| Data processed |
(a) Visitor message text, embedded per chat turn for vector search against your knowledge base. (b) Your knowledge-source content (web pages + uploaded documents), embedded once when added to the knowledge base. |
| Region |
United States |
| Transfer mechanism |
Standard Contractual Clauses (SCCs), Module 3 |
| DPA |
openai.com/policies/data-processing-addendum |
| Role |
Sub-processor |
| Vendor |
OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA |
| Notes |
API tier (not ChatGPT): no training on inputs, no human review by default, 30-day retention for abuse monitoring. |
4 · Resend
|
|
| Service |
Transactional email delivery — Welcome / Trial-ending / Welcome-to-paid / Payment-failed / Canceled emails, Supabase auth emails (confirm, reset, magic link), and form-submission notifications to chatbot owners. |
| Data processed |
Recipient email address, sender info, email subject + body. Body content may include: visitor name, business name, billing amount, plan name, form-submission field values (name / email / phone / message), one-time auth links. |
| Region |
United States (primary), with global delivery infrastructure |
| Transfer mechanism |
Standard Contractual Clauses (SCCs), Module 3 |
| DPA |
resend.com/legal/dpa |
| Role |
Sub-processor |
| Vendor |
Resend, Inc., 2261 Market Street #4790, San Francisco, CA 94114, USA |
| Notes |
Emails are stored at Resend for 30 days for delivery diagnostics, then deleted. |
5 · Stripe
|
|
| Service |
Subscription billing, payment processing, customer portal. Used only by ChatME owners (paying customers), never end-user visitors. |
| Data processed |
Owner email + name, billing address, VAT/NIF, payment method token (we never see the actual card number — it goes Stripe-direct via Stripe Elements / Checkout). Subscription state mirrored back to our DB via webhooks. |
| Region |
EU — Stripe Payments Europe, Ltd. (Ireland) is the contracting Stripe entity for EU customers |
| Transfer mechanism |
Primary data resides in EU. Some operational data may be processed in the US under SCCs. |
| DPA |
stripe.com/legal/dpa |
| Role |
Joint controller for payment-related data (Stripe sets its own retention/anti-fraud rules per PCI-DSS), sub-processor for everything else |
| Vendor |
Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland |
| Notes |
Stripe is PCI-DSS Level 1 certified. ChatME is out-of-scope for PCI because we never receive cardholder data. |
6 · Vercel
|
|
| Service |
Application hosting + CDN + Edge functions. Every HTTP request to app.chatme.es and every widget script load transits Vercel. |
| Data processed |
HTTP request metadata (IP address, user agent, referrer, request body) and response payloads — which includes everything else in this list during normal app operation. |
| Region |
Vercel's edge network is global; serverless functions for ChatME are pinned to fra1 (Frankfurt, EU) via vercel.json. Edge cache served from the nearest PoP. Logs are processed in the US. |
| Transfer mechanism |
Standard Contractual Clauses (SCCs), Module 3 — for log processing in the US. |
| DPA |
vercel.com/legal/dpa |
| Role |
Sub-processor |
| Vendor |
Vercel, Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA |
| Notes |
Vercel logs requests for 30 days for debugging, then deletes. |
7 · Webflow (only for the chatme.es marketing site)
|
|
| Service |
Static hosting for the public marketing site at chatme.es (NOT app.chatme.es). |
| Data processed |
Visitor IP + analytics if visitor opts in. No personal data is captured by us on the marketing site beyond standard server logs. |
| Region |
US (with global CDN) |
| Transfer mechanism |
SCCs |
| DPA |
webflow.com/legal/dpa |
| Role |
Sub-processor |
| Vendor |
Webflow, Inc., 398 11th Street, Floor 2, San Francisco, CA 94103, USA |
| Notes |
The marketing site is outside the scope of the ChatME platform DPA — listed here for transparency. No customer or visitor chat data flows through Webflow. |
Summary table
| # |
Vendor |
Service |
Region |
Transfer |
Role |
| 1 |
Supabase |
Database + Auth + Storage |
🇮🇪 EU |
n/a |
Sub-processor |
| 2 |
Anthropic |
LLM inference |
🇺🇸 US |
SCCs |
Sub-processor |
| 3 |
OpenAI |
Embeddings |
🇺🇸 US |
SCCs |
Sub-processor |
| 4 |
Resend |
Email delivery |
🇺🇸 US |
SCCs |
Sub-processor |
| 5 |
Stripe |
Billing |
🇮🇪 EU |
n/a (primary) |
Joint controller |
| 6 |
Vercel |
Hosting + edge |
🌍 Multi |
SCCs |
Sub-processor |
| 7 |
Webflow |
Marketing site only |
🇺🇸 US |
SCCs |
Sub-processor |
Updates to this list
We will notify ChatME customers at least 30 days before adding a new sub-processor. Notifications go to:
- The email on file for your ChatME account.
- Updates to this page on app.chatme.es.
If you object to a new sub-processor and we can't offer an alternative, you can terminate your subscription with a pro-rata refund for the unused portion.
Contact
Questions about this list, requests to exercise your data subject rights, or to object to a sub-processor: privacy@chatme.es
Lawyer/DPO of record: TBC (to be confirmed once Robert engages Spanish privacy counsel).