Legal Google
Privacy policy ↗
Subprocessors
This page lists the full, current set of subprocessors YesCheck engages for delivering the platform and this website. We have data processing agreements with each of these parties. We notify existing customers of changes to the list at least 30 days in advance, so there is an opportunity to object.
Current list
Supabase
Privacy policy ↗- Legal entity
- Supabase Inc.
- Processing region
- EU (AWS eu-west-3, Paris)
- Purpose
- Database, authentication, file storage, Vault secrets
- Data scope
- Platform data (account, organisation, Google Ads and audit data)
Anthropic
Privacy policy ↗- Legal entity
- Anthropic PBC
- Processing region
- United States (EU endpoint where available)
- Purpose
- AI analysis via the Claude API (search-term analysis, ad suggestions, AI Advisor)
- Data scope
- Masked search terms and related context (after PII filter). Raw search terms are not transferred to Anthropic.
- Basis for transfer outside the EU
- SCCs + Anthropic DPA. Zero Data Retention is being requested as an additional safeguard.
Stripe
Privacy policy ↗- Legal entity
- Stripe Payments Europe, Ltd.
- Processing region
- EU + United States
- Purpose
- Payment processing and subscription billing
- Data scope
- Invoice and payment data (we do not store card data; it flows through Stripe Hosted Checkout)
- Basis for transfer outside the EU
- SCCs for processing outside the EU
Mailgun
Privacy policy ↗- Legal entity
- Sinch Email (Mailgun) — Mailgun Technologies, Inc.
- Processing region
- EU (Frankfurt)
- Purpose
- Transactional email (welcome, invoices, system notifications)
- Data scope
- Email addresses and content of transactional messages
- Legal entity
- Google LLC
- Processing region
- Worldwide
- Purpose
- Google Ads API (customer-authorised read/write access), Google Sign-In for platform authentication
- Data scope
- OAuth consent data and platform session authentication. Google Ads data is managed by Google; YesCheck is only an authorised API client.
- Basis for transfer outside the EU
- SCCs for processing outside the EU; customer provides explicit OAuth consent per Google Ads account
Sentry
Privacy policy ↗- Legal entity
- Functional Software, Inc.
- Processing region
- EU (ingest.de.sentry.io)
- Purpose
- Error monitoring and performance tracing for the platform
- Data scope
- Stack traces and request context without PII (Sentry is configured with send_default_pii=false)
Cal.com
Privacy policy ↗- Legal entity
- Cal.com, Inc. (EU instance)
- Processing region
- EU
- Purpose
- Scheduling demo appointments via this website
- Data scope
- Name, email address and appointment time of visitors who schedule a demo
Vercel
Privacy policy ↗- Legal entity
- Vercel, Inc.
- Processing region
- EU edge (Frankfurt) + United States for build and management infrastructure
- Purpose
- Hosting of the marketing website (yescheck.io) and the frontend platform (app.yescheck.io)
- Data scope
- Public web content, frontend assets and standard web server logs
- Basis for transfer outside the EU
- SCCs for US management components; workloads are served from the EU edge
Railway
Privacy policy ↗- Legal entity
- Railway Corporation
- Processing region
- EU (Netherlands)
- Purpose
- Hosting of the backend API (FastAPI) and associated background processes (api.yescheck.io)
- Data scope
- Platform data in transit via the API; persistent data remains at Supabase. Standard application and infrastructure logs.
- Basis for transfer outside the EU
- SCCs for US-parent-company management; workloads run in the EU region
Change procedure
When adding, changing or replacing a subprocessor, we notify active customers at least 30 days in advance by email and via an update on this page. Customers may object during that period. If a reasonable objection cannot be resolved, the customer retains the right to terminate the agreement in accordance with the DPA.
Contact
Questions about subprocessors or our processing in general? Email privacy@yescheck.io.