Legal

Subprocessors

Last updated May 20, 2026

Journey Builder uses trusted service providers to operate the product. These providers may process personal data only to deliver their services to us. This list is maintained for transparency and should be reviewed before adding any new production vendor.

Provider

Purpose

Data processed

Region

Status

Supabase

Authentication, Postgres database, file storage, row-level security, and operational logs.

Account data, workspace data, journey data, files/assets, auth/session metadata.

EU (Frankfurt)

Active

Hetzner / self-managed VPS

Application hosting, reverse proxy, local Postgres for operational tables, request diagnostics, and runtime logs.

Request metadata, runtime logs, IP/user-agent data, AI usage logs, CSP reports, and application traffic.

EU (self-managed VPS)

Active

Anthropic (Claude)

AI-assisted persona, stage, insight, review, action, and document extraction features for paid tiers or quality fallback.

Selected journey context, user prompts, uploaded document content (only when AI is invoked).

Active

Google (Gemini AI)

AI-assisted persona, stage, insight, review, action, and document drafting depending on workspace tier and AI routing policy.

Selected journey context and prompts (only when AI is invoked).

Global; Free-tier keys may allow Google product-improvement use where disclosed in app

Active

Ollama (self-hosted local AI)

Local AI inference for selected workspace tasks before cloud fallback.

Selected journey context and prompts processed on self-managed infrastructure.

EU (self-managed VPS or local host, depending on deployment)

Active when configured

Resend

Transactional email delivery (signup confirmation, password reset, workspace invitations).

Recipient email address, message content (auth links + invitations).

EU (eu-west-1)

Active

Cloudflare

DNS hosting and Turnstile bot-protection challenges on signup/login forms.

IP address, user agent, browser fingerprint signals (Turnstile only).

Global edge

Active

Sentry

Error tracking and performance monitoring (client + server).

Stack traces, request URL, user id (anonymous), browser context.

EU (Frankfurt)

Active only when user grants "error reporting" cookie consent

PostHog

Product analytics — feature usage, funnel analysis.

Anonymous events, user id (when authenticated), URL paths, click events.

US (us.i.posthog.com)

Active only when user grants "product analytics" cookie consent

Before adding a new provider

We should review the provider's security posture, sign or accept a data processing agreement where required, confirm transfer safeguards, and update this page before the provider receives production personal data.

Questions

For questions about subprocessors or vendor changes, contact contact@customerexperience.ro.