Sub-processors

The third parties that process your data on our behalf. Last updated 2026-05-21. We give 30 days' notice before adding any new sub-processor (to subscribe to these notices, email legal@dietfam.app).

Infrastructure

Amazon Web Services

Ireland (eu-west-1)

Cloud hosting — Lambda, RDS Postgres, S3, SES, CloudFront, Route 53. Stores voice notes (30d), transcripts (1y), summaries + logs (indefinite until deleted), inbound email (1y).

Authentication & web auth

Clerk

United States (SOC 2)

Email + password + OAuth sign-in for the web dashboard. Stores email, hashed password, OAuth identity tokens.

Payments & billing

Stripe Inc.

United States + Ireland (PCI-DSS Level 1)

Subscription billing, card-on-file storage, invoice issuance. We never see your raw card details — they go directly to Stripe via Stripe Checkout.

Messaging

Meta Platforms Inc. (WhatsApp Cloud API)

United States + Ireland

WhatsApp message delivery — both inbound voice notes and outbound coach replies. Subject to Meta's WhatsApp Business Solution Terms.

AI / LLM providers

Anthropic PBC (Claude Sonnet 4.6)

United States

All outbound coach generation — daily summaries, partner reports, weekly retros, summary regen. Receives the day's voice-note transcripts + recent log context. Anthropic do NOT train on API customer data.

Google LLC (Gemini 3.0 Flash)

United States

Speech-to-text for voice notes. Receives raw audio bytes. We pin the API's no-training flag.

Email infrastructure

Amazon SES

Ireland (eu-west-1)

Outbound transactional email (receipts, password-reset) + inbound support email at support@dietfam.app.

Svix (via Clerk)

United States

Webhook delivery for Clerk events. Receives event payloads (email, user_id) but no PII beyond what Clerk holds.

What we DO NOT use

  • No third-party analytics (Google Analytics, Mixpanel, Amplitude, etc.)
  • No tracking pixels, no advertising cookies
  • No third-party customer-support tools (Intercom, Zendesk)
  • No data brokers or audience-resale partners
  • No third-party observability that ships PII (we use a self-hosted Postgres trace table; see /safety)

Cross-border transfer

Several sub-processors above are US-based. We rely on the EU–US Data Privacy Framework + Standard Contractual Clauses for any personal-data transfer to those parties. Anthropic, Google, Stripe, Meta, and Clerk all maintain DPF certifications or equivalent SCC commitments.

How to be notified of changes

Email legal@dietfam.app with subject "subscribe sub-processor list". We'll add you to the notice list and email at least 30 days before any new sub-processor goes live. We may add sub-processors faster if compelled by law (and we'll explain when that happens).

Questions? See our privacy policy, safety page, or email dpo@dietfam.app.