Sub-processors
The third-party services PolicifyAI uses to operate its platform. All sub-processors are bound by contractual data-processing terms and appropriate transfer mechanisms.
Last updated: 17 June 2026
| Sub-processor | Purpose | Data types | Location |
|---|---|---|---|
| Supabase ↗ | Database, authentication, and storage | Account data, generated policies, authentication identifiers | EU (Frankfurt) |
| Vercel ↗ | Web hosting and edge compute | Request metadata, IP addresses, user-agent strings | Global edge; primary compute regions: EU & US |
| Stripe ↗ | Payment processing and subscription billing | Billing name, email, card details (tokenised), transaction history | EU / US |
| Anthropic ↗ | AI model inference for policy generation | Prompt inputs during generation (business name, industry, jurisdiction) | US |
| OpenRouter ↗ | Multi-model AI routing for policy generation and scoring | Prompt inputs during generation | US |
| Resend ↗ | Transactional email delivery | Email address, email content (receipts, confirmations, notifications) | EU / US |
| Google Analytics ↗ | Aggregated website usage analytics (GA4) | Anonymised page views, events, session data (IP anonymised) | US (Google LLC) |
| PostHog ↗ | Product analytics and feature tracking | Anonymised product usage events, feature interactions | EU (Frankfurt) |
International transfers
Where sub-processors operate outside the UK or EEA, transfers are governed by the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, as applicable.
Notice of changes
We update this list when sub-processors change. Material changes will be announced to customers at least 30 days in advance where contractually required.
Questions
For DPA requests or questions about sub-processors, email [email protected].