← app.chatme.es

ChatME — Sub-processor list

Version: 1.4 · Last reviewed: 2026-07-09 Controller (us): ChatMe OÜ · Reg. 17391989 · VAT EE102933761 · Järvevana tee 9, Tallinn, 11314, Estonia · privacy@chatme.es

This document lists every third party that processes personal data on our behalf when you use ChatME. Each entry shows: what they do, what data they receive, where they process it, and the legal basis for any transfer outside the EEA.

If you are a ChatME customer (the data controller for your end-users' data), you have the right under your DPA with us to know who our sub-processors are and to object to changes. We will give 30 days' notice via email and an updated version of this page before adding any new sub-processor.


How to read this list

  • Service: the vendor + what they do for ChatME.
  • Data processed: the specific personal data they touch.
  • Region: where the data is physically processed.
  • Transfer mechanism: how data lawfully leaves the EEA (when it does). Either adequacy decision, Standard Contractual Clauses (SCCs), or n/a (data stays in EEA).
  • DPA / safeguards: link to the vendor's signed Data Processing Addendum.
  • Role: sub-processor (acts on our instructions) vs joint controller (acts on its own).

1 · Supabase

Service Managed Postgres database + Auth + Storage. Hosts every row of customer + visitor data.
Data processed Owner account info (email, hashed password, full name, business name, locale, plan), chatbot configuration, knowledge base content + embeddings, visitor conversations, form submissions, link clicks, usage logs, audit logs, Instagram OAuth tokens.
Region EU — eu-west-1 (Dublin, Ireland)
Transfer mechanism n/a (data stays in EEA)
DPA supabase.com/legal/dpa
Role Sub-processor
Vendor Supabase, Inc., 970 Toa Payoh North, #07-04, Singapore 318992 (US/EU operations via subsidiaries)
Notes All data encrypted at rest (AES-256) and in transit (TLS 1.2+). RLS enforced at the database level.

2 · Anthropic

Service LLM inference for chatbot conversations. We call claude-haiku-4-5 per visitor message.
Data processed The chatbot's system prompt (your custom instructions + knowledge-base chunks retrieved via RAG) and the visitor's current message + recent turn history (last ~20 messages). This may include PII the visitor pastes (name, email, phone, free-text).
Region United States (Anthropic's US-East datacenters)
Transfer mechanism Standard Contractual Clauses (SCCs), Module 3 (processor → processor).
DPA anthropic.com/legal/commercial-terms — Commercial Terms include the DPA by reference
Role Sub-processor
Vendor Anthropic, PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA
Notes Anthropic's commercial terms guarantee: no training on customer data, no human review of inputs/outputs, 30-day data retention for abuse monitoring then deletion.

3 · OpenAI

Service Text embeddings for RAG (Retrieval-Augmented Generation). Model: text-embedding-3-small (1536 dims).
Data processed (a) Visitor message text, embedded per chat turn for vector search against your knowledge base. (b) Your knowledge-source content (web pages + uploaded documents), embedded once when added to the knowledge base.
Region United States
Transfer mechanism Standard Contractual Clauses (SCCs), Module 3
DPA openai.com/policies/data-processing-addendum
Role Sub-processor
Vendor OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA
Notes API tier (not ChatGPT): no training on inputs, no human review by default, 30-day retention for abuse monitoring.

4 · Resend

Service Transactional email delivery — Welcome / Trial-ending / Welcome-to-paid / Payment-failed / Canceled emails, Supabase auth emails (confirm, reset, magic link), and form-submission notifications to chatbot owners.
Data processed Recipient email address, sender info, email subject + body. Body content may include: visitor name, business name, billing amount, plan name, form-submission field values (name / email / phone / message), one-time auth links.
Region United States (primary), with global delivery infrastructure
Transfer mechanism Standard Contractual Clauses (SCCs), Module 3
DPA resend.com/legal/dpa
Role Sub-processor
Vendor Resend, Inc., 2261 Market Street #4790, San Francisco, CA 94114, USA
Notes Emails are stored at Resend for 30 days for delivery diagnostics, then deleted.

5 · Stripe

Service Subscription billing, payment processing, customer portal. Used only by ChatME owners (paying customers), never end-user visitors.
Data processed Owner email + name, billing address, VAT/NIF, payment method token (we never see the actual card number — it goes Stripe-direct via Stripe Elements / Checkout). Subscription state mirrored back to our DB via webhooks.
Region EU — Stripe Payments Europe, Ltd. (Ireland) is the contracting Stripe entity for EU customers
Transfer mechanism Primary data resides in EU. Some operational data may be processed in the US under SCCs.
DPA stripe.com/legal/dpa
Role Joint controller for payment-related data (Stripe sets its own retention/anti-fraud rules per PCI-DSS), sub-processor for everything else
Vendor Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
Notes Stripe is PCI-DSS Level 1 certified. ChatME is out-of-scope for PCI because we never receive cardholder data.

6 · Vercel

Service Application + marketing-site hosting + CDN + Edge functions. Every HTTP request to app.chatme.es and chatme.es, and every widget script load, transits Vercel.
Data processed HTTP request metadata (IP address, user agent, referrer, request body) and response payloads — which includes everything else in this list during normal app operation.
Region Vercel's edge network is global; serverless functions for ChatME are pinned to fra1 (Frankfurt, EU) via vercel.json. Edge cache served from the nearest PoP. Logs are processed in the US.
Transfer mechanism Standard Contractual Clauses (SCCs), Module 3 — for log processing in the US.
DPA vercel.com/legal/dpa
Role Sub-processor
Vendor Vercel, Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA
Notes Vercel logs requests for 30 days for debugging, then deletes.

7 · Google

Service Google Calendar API — only when a ChatME owner connects their own Google Calendar to enable chatbot appointment booking (optional feature).
Data processed The owner's primary-calendar free/busy ranges (read) and new appointment events we create on their behalf. We never read event titles, descriptions, attendees or content. OAuth access/refresh tokens, stored encrypted (AES-256-GCM).
Region United States
Transfer mechanism Standard Contractual Clauses (SCCs), Module 3
DPA cloud.google.com/terms/data-processing-addendum
Role Sub-processor (client-authorized integration). The calendar data belongs to the owner (controller-side); the owner connects and disconnects it themselves.
Vendor Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (Google LLC, USA, for processing)
Notes Use of Google data adheres to the Google API Services User Data Policy, including Limited Use. Tokens are deleted when the owner disconnects the calendar.

8 · Meta Platforms (Instagram & WhatsApp messaging — only if connected)

Service Instagram DM and WhatsApp Business messaging channels. Active only if a ChatME owner connects their Instagram/WhatsApp account so the chatbot can reply on those channels.
Data processed Visitor messages sent via Instagram/WhatsApp, the sender's platform ID, and the messaging access tokens (stored encrypted) needed to receive and reply.
Region United States (with global infrastructure)
Transfer mechanism Standard Contractual Clauses (SCCs), Module 3
DPA facebook.com/legal/terms/dataprocessing
Role Sub-processor for the messaging relay; Meta is an independent controller of its own platform data.
Vendor Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland
Notes The visitor chose to message the business on Meta's platform, so Meta's own policies also apply there. ChatME only processes the message to generate the chatbot's reply.

9 · Plausible Analytics

Service Privacy-friendly, cookieless web analytics for our public marketing site (chatme.es only — not the app or the widget). Aggregated traffic measurement: page views, top pages, referral sources, country, device type.
Data processed Page URL, referrer, browser, operating system, device type, and country (derived from IP). The visitor's IP address and user-agent are used only transiently to compute a daily-rotating, one-way anonymized hash for counting unique visitors, then immediately discarded — never stored. No cookies, no persistent identifiers, no cross-site or cross-day tracking, no personal data retained.
Region EU — Germany (Hetzner; Falkenstein / Nuremberg). All data is stored and processed within the EU.
Transfer mechanism n/a (data stays in EEA)
DPA plausible.io/dpa
Role Sub-processor
Vendor Plausible Insights OÜ, Västriku tn 2, Tartu, 50403, Estonia
Notes Cookieless and compliant with GDPR, the ePrivacy Directive and PECR without requiring a consent banner, because it sets no cookies and stores no personal data. EU-owned (Estonian company) and EU-hosted. Open-source.

10 · Google Analytics & Google Ads (marketing site — only with consent)

Service Traffic analytics (Google Analytics 4) and advertising/conversion measurement + remarketing (Google Ads) on our public marketing site (chatme.es only — not the app or the widget), loaded via Google Tag Manager. Activated only after the visitor consents (Google Consent Mode v2; denied by default).
Data processed Pseudonymous cookie identifiers (_ga, _gcl_au), IP address (shortened by GA before storage), page URLs, referrer, device/browser, and ad-interaction / conversion events. No account credentials or chatbot/visitor conversation data.
Region United States (Google Ireland Ltd. is the EU contracting entity)
Transfer mechanism Standard Contractual Clauses (SCCs) — Google Ads Data Processing Terms
DPA business.safety.google/adsprocessorterms
Role Processor for GA4 analytics; joint controller for Google Ads measurement
Vendor Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland
Notes In the default (no-consent) state, Consent Mode sends cookieless pings only — no cookies, no identifiers. Cookies (_ga, _ga_<ID>, _gcl_au) are written only after opt-in. See the Cookie Policy §3.1.

11 · Rewardful (affiliate program)

Service Affiliate-program tracking & attribution. Records visits, sign-ups and conversions that originate from an affiliate link on chatme.es, and calculates the resulting commissions. Active only for our affiliate program.
Data processed For a visitor who arrives via an affiliate link: a first-party referral identifier (a random UUID — no personal data), pages visited, and — if they subscribe — the conversion linked to their Stripe customer (passed as client_reference_id) plus the subscription amount, used to compute the affiliate's commission. Separately, for affiliates who join: the account + payout details they enter directly into Rewardful's own hosted portal (name, email, PayPal/Wise).
Region United States (Rewardful is hosted on AWS, US)
Transfer mechanism Standard Contractual Clauses (SCCs), Module 3.
DPA Available on request from Rewardful — dpo@rewardful.com; see rewardful.com/trust-center
Role Sub-processor for the referral/conversion tracking we instruct. Rewardful acts as an independent controller for the affiliates' own account + payout data they submit to its portal.
Vendor Rewardful Inc. (North America)
Notes The referral cookie is first-party and stores only a random referral ID — no name, email, or cross-site advertising identifier, and no profiling. Conversion data shared is limited to what's needed to attribute the sale and compute the commission.

Summary table

# Vendor Service Region Transfer Role
1 Supabase Database + Auth + Storage 🇮🇪 EU n/a Sub-processor
2 Anthropic LLM inference 🇺🇸 US SCCs Sub-processor
3 OpenAI Embeddings 🇺🇸 US SCCs Sub-processor
4 Resend Email delivery 🇺🇸 US SCCs Sub-processor
5 Stripe Billing 🇮🇪 EU n/a (primary) Joint controller
6 Vercel Hosting + edge 🌍 Multi SCCs Sub-processor
7 Google Calendar (if connected) 🇺🇸 US SCCs Sub-processor
8 Meta IG/WhatsApp (if connected) 🇺🇸 US SCCs Sub-processor
9 Plausible Web analytics (chatme.es) 🇩🇪 EU n/a Sub-processor
10 Google Analytics / Ads Marketing-site analytics + ads (consent) 🇺🇸 US SCCs Processor / joint controller
11 Rewardful Affiliate tracking (chatme.es) 🇺🇸 US SCCs Sub-processor

Updates to this list

We will notify ChatME customers at least 30 days before adding a new sub-processor. Notifications go to:

  1. The email on file for your ChatME account.
  2. Updates to this page on app.chatme.es.

If you object to a new sub-processor and we can't offer an alternative, you can terminate your subscription with a pro-rata refund for the unused portion.


Contact

Questions about this list, requests to exercise your data subject rights, or to object to a sub-processor: privacy@chatme.es

Data-protection queries and data-subject requests: privacy@chatme.es.

ChatMe OÜ · Reg. 17391989 · VAT EE102933761 · Järvevana tee 9, Tallinn, 11314, Estonia ·PrivacidadTérminosCookiesDPASubencargadosprivacy@chatme.es