Subprocessors List
Last updated: May 27, 2026
Fitness Vendor SAS (RCS Cherbourg 921 713 418, 41 Les Bertrands, 50470 Tollevast, France) maintains an exhaustive and up-to-date list of subprocessors involved in the processing of personal data carried out within the AdCoach AI platform.
This page is the versioned source of truth referenced by the Privacy Policy §6 and the DPA §7, in accordance with Article 28.2 of the General Data Protection Regulation (GDPR).
Active Subprocessors
| Subprocessor | Service Provided | Data Location | Transfer Framework | DPA / Link |
|---|---|---|---|---|
| Supabase Inc. | PostgreSQL database, authentication (Auth), encrypted storage of Meta OAuth tokens (Vault). Dedicated AdCoach project sliknnlswswkfjpxlssc, eu-west-3 Paris region. | AWS Paris (eu-west-3) - European Union | Signed DPA - data in EU, no transfer | supabase.com/legal/dpa |
| Vercel Inc. | Next.js application hosting, CDN, serverless functions (API routes, Cron). Compute in cdg1 region (Paris, EU). | EU Edge (cdg1, Paris) - US HQ | DPA + Standard Contractual Clauses (SCCs 2021/914) | vercel.com/legal/dpa |
| Anthropic, PBC | Claude API (AI language model) for the conversational AI Coach. Transmitted data is pseudonymized (no direct identifier). Commitment to not train models on user data. | United States | SCCs (2021/914) + EU-US Data Privacy Framework | anthropic.com/legal/commercial-terms |
| Meta Platforms Ireland Limited | Meta Marketing Graph API: reading ad accounts, campaigns, performance insights, leads (via OAuth). Via intermediary service integrations.fitness-vendor.com. Joint controller (Art. 26 GDPR) for OAuth connection; processor for advertising data. | Ireland (EU) / United States | SCCs + adequacy decision (Ireland) + EU-US DPF | facebook.com/privacy/policy |
| Stripe Payments Europe Limited | Recurring payments, billing, monthly subscription management. PCI-DSS Level 1 certified. No raw banking data transits through AdCoach AI. | Ireland (Dublin) - European Union | DPA + EU data (no transfer) + PCI-DSS L1 | stripe.com/legal/dpa |
| Resend Inc. | Sending transactional emails (authentication magic link, payment notifications, alerts). Configured without recipient behavior tracking (no open pixel). | United States | DPA + EU-US Data Privacy Framework | resend.com/legal/dpa |
| OVH SAS | DNS registrar for adcoachai.com and fitness-vendor.com domains. No application personal data processed. | France - European Union | EU data, no transfer | ovhcloud.com/en/personal-data-protection |
| Functional Software, Inc. (Sentry) | Real-time application error monitoring. EU instance (fitnessvendor.sentry.io). Automatic PII scrubbing enabled: no identifiable personal data is retained in error reports. | United States | SCCs (2021/914) + signed DPA | sentry.io/privacy |
| Upstash, Inc. | Distributed Redis cache for HMAC anti-replay nonce management (TTL 6 minutes). Non-personal data (nonce hash only). | United States / EU | SCCs (2021/914) | upstash.com/trust/privacy.pdf |
| Inngest, Inc. | Orchestration of asynchronous and scheduled jobs (Meta sync, report generation, email delivery, account deletion). Processes user identifiers, email addresses and campaign data for the duration of execution. | United States | SCCs (2021/914) | inngest.com/privacy |
| Amazon Web Services (AWS) | Compute and storage infrastructure underlying Supabase. eu-west-3 Paris region. Fitness Vendor SAS is not a direct AWS customer - this subprocessor is engaged by Supabase as a tier-2 sub-subprocessor. | European Union (eu-west-3 Paris) | SCCs + adequacy decision + AWS-Supabase DPA | aws.amazon.com/compliance/gdpr-center |
Prior Notice and Right to Object
In accordance with Article 28.2 of the GDPR and Article 7 of the DPA, Fitness Vendor SAS commits to:
- Notify Users by email at least 30 days before adding any new subprocessor likely to process their personal data;
- Include in this notification: the new subprocessor's identity, location, service rendered, and applicable transfer safeguards for transfers outside the EU;
- Allow Users to exercise their right to object within this 30-day period by sending a reasoned email to contact@fitness-vendor.com;
- In the event of an unresolved legitimate objection, allow the User to terminate their subscription without fees.
For any questions about the subprocessors list: contact@fitness-vendor.com
Change History
| Date | Subprocessor | Action | Reason |
|---|---|---|---|
| 2026-05-27 | Supabase Inc., Vercel Inc., Anthropic PBC, Meta Platforms Ireland Ltd, Stripe Payments Europe Ltd, Resend Inc., OVH SAS, Functional Software Inc. (Sentry), Upstash Inc., Amazon Web Services | Initial publication | GDPR Article 28.2 compliance - first complete versioned subprocessors list for AdCoach AI |
See also: Privacy Policy · DPA