Sub-processors
Last updated: 2026-05-03
PinAppAI uses third-party services to process personal data on behalf of customers and account holders. The list below has two tiers: Active sub-processors are currently processing data; Approved sub-processors are pre-cleared by customers (via the DPA) for activation when needed. We give advance written notice before activating an Approved vendor, adding a new vendor to either tier, or otherwise materially changing this list.
Active sub-processors
| Sub-processor | Purpose | Data categories | Region | Transfer mechanism |
|---|---|---|---|---|
| Cloudflare, Inc. | Hosting (Workers), database (D1), object storage (R2), CDN, AI inference (Workers AI: Whisper for voice transcription, Gemma for content analysis) | All categories — account data, widget feedback, screenshots, audio bytes | Global edge network | SCCs + UK Addendum |
| Resend | Transactional email delivery (login codes, workspace invites) | Email address, display name | United States | SCCs |
| GitHub, Inc. (Microsoft) | Public release artifact distribution for desktop installers via the pinappai-desktop-releases mirror | IP address (download requests only — we do not see content) | United States | SCCs |
| Lemon Squeezy | Billing and merchant of record for paid plans (when active) | Email, name, billing address, subscription metadata | United States | SCCs |
Approved sub-processors
The following vendors have been disclosed in advance and pre-cleared by customers for activation. By signing the DPA, customers consent to any of these moving from Approved to Active when PinAppAI activates them, with advance written notice but no further re-authorisation. None of these are processing data today.
| Sub-processor | Purpose (if activated) | Data categories | Region | Transfer mechanism |
|---|---|---|---|---|
| Sentry | Application error tracking — request stacks containing user identifiers if a server-side error occurs | Email, IP, request payloads (sanitised where possible) | United States / Germany | SCCs |
| PostHog | Product analytics for the admin dashboard at app.pinappai.com (NOT the widget — widget telemetry would require its own disclosure) | User ID, page-view events, feature usage | United States / EU | SCCs |
| Postmark | Transactional email backup or replacement for Resend | Email address, display name | United States | SCCs |
| Stripe | Payment processing — alternative or addition to Lemon Squeezy | Email, name, billing address, subscription metadata | United States / Ireland | SCCs |
| Anthropic, PBC | Direct Claude API for AI features — alternative to routing through Cloudflare Workers AI | Comment text, screenshots, audio bytes (only when AI feature is invoked) | United States | SCCs (zero data retention available) |
| OpenAI, L.L.C. | OpenAI API for AI features — alternative inference provider | Comment text, screenshots, audio bytes (only when AI feature is invoked) | United States | SCCs (zero data retention available) |
| AWS S3 / Backblaze B2 | Off-Cloudflare backup mirror for screenshot blobs | Screenshot images | United States / EU | SCCs |
Exceptional circumstances
In exceptional circumstances — a security incident requiring an urgent vendor swap, urgent regulatory compliance, or termination of a sub-processor’s service outside our control — we may engage a sub-processor with shorter notice or after the fact, with prompt notification and full documentation in our internal change log. This is a fallback for genuine emergencies, not a routine practice.
How we evaluate sub-processors
Before adding a sub-processor, we review:
- Their published security and privacy posture (SOC 2, ISO 27001, or equivalent).
- Whether they have a Data Processing Agreement that flows down GDPR Art. 28 obligations.
- The transfer mechanism for international data flows (SCCs, adequacy decision, or other).
- Whether the sub-processor is necessary for the Service or merely convenient.
We track each sub-processor in an internal vendor register and reassess annually.
Notification of changes
When we activate an Approved sub-processor, add a new vendor to either tier, or otherwise materially change this list, we update this page, post a changelog entry, and email account holders with advance written notice. The notice gives you sufficient time to evaluate the change and raise reasonable objections; if no alternative is feasible, you may terminate the affected service without penalty.