Preppy — Sub-processor Register

Last updated: 2026-04-28 Canonical URL: https://www.trypreppy.com/sub-processors

This page lists the sub-processors that process personal data on behalf of Preppy (a service operated by a sole proprietor based in Belgium — Belgian KBO/BCE registration pending; operator details available on request via privacy@trypreppy.com) in connection with the Preppy Service. It is maintained in accordance with Clause 9 of the EU Standard Contractual Clauses (Module 2) and the data-processing agreements we enter with our customers.

Notice of changes

We will notify affected customers and users at least 30 days before adding a new sub-processor or materially changing an existing engagement. Notice is given by:

email to the primary administrative contact on file; and
an update to this page (with the Last updated date above changed accordingly).

If you object to a new sub-processor on reasonable data-protection grounds, contact privacy@trypreppy.com during the notice period. We will work in good faith to address your concerns, and where we cannot, you may terminate the affected portion of your agreement without penalty as set out in our DPA.

Current sub-processors

#	Sub-processor	Purpose	Data categories	Primary location	DPA / safeguard
1	Supabase, Inc.	Primary database (PostgreSQL) and authentication service	Account data, profile and preferences, user-generated content, health/nutrition data, meal-plan data	EU (`eu-west-2`, London) — corporate entity US	EU SCCs Module 2 — DPA (PDF version available; legally binding PandaDoc requires signature via the dashboard's legal documents page)
2	Cloudflare, Inc.	API edge workers, CDN, DDoS protection, bot mitigation	Data in transit (IP, request metadata); any payload transiting the API	Global edge (routing primarily EU-edge for EU users where possible)	EU SCCs + UK Addendum — DPA v6.4 (automatically incorporated by reference into the Self-Serve Subscription Agreement accepted at signup; explicit signing only required for Enterprise customers)
3	Vercel, Inc.	Hosting of the Next.js web application	Data in transit; server-side render context	US	EU SCCs Module 2 — DPA (incorporated by reference into the Vercel Customer Agreement; no separate signature needed)
4	PostHog, Inc.	Product analytics — opt-in only	Pseudonymous event data, truncated IP, feature-usage events	US (decision: stay on US Cloud for now; revisit EU Cloud migration if Preppy serves EU customers at scale)	EU SCCs Module 2 — DPA (explicit signature required at "IN WITNESS WHEREOF" blocks)
5	Functional Software, Inc. (Sentry)	Application error monitoring	Stack traces, error context, truncated IP	US / EU	EU SCCs Module 2 — DPA (electronic acceptance via login / TOS agreement)
6	Axiom, Inc.	Server log storage and search	Server logs (request metadata, application logs — PII-scrubbed before ingestion per audit §G.6)	US	EU SCCs Module 2 — Axiom's standard Terms of Service incorporate data-processing terms by reference. A separately-signed DPA is available on request via trust.axiom.co or `support@axiom.co`. Pre-launch deferred (minimal personal data given the scrubber); revisit at first paying customer.
7	Resend, Inc.	Transactional and (opt-in) marketing email delivery	Email address, name, email content, delivery metadata	US	EU SCCs Module 2 — DPA (binding upon TOS acceptance; executed version accessible from the Resend dashboard)
8	OpenAI, L.L.C.	LLM API for recipe parsing, shopping-list normalisation, meal scheduling	Recipe/meal-plan text; no account identifiers beyond a pseudonymous request ID	US	EU SCCs + API DPA — `https://openai.com/policies/data-processing-addendum/` (opt-in via OpenAI platform settings; URL canonical, automated verification blocked by site WAF — verify in browser when opting in). OpenAI does not train on API inputs by default.
9	Anthropic, PBC	LLM API (fallback tier)	Same as OpenAI	US	EU SCCs Module 2 — Anthropic's Commercial Terms of Service include data-processing obligations by reference. A separately-signed DPA is available via Anthropic commercial sales or `usersafety@anthropic.com`. Pre-launch deferred (bounded LLM data, no account identifiers); revisit at first paying customer.
10	Google LLC (Gemini / AI Studio)	LLM API (primary tier per stack)	Same as OpenAI	US	EU SCCs Module 2 — Google Cloud DPA (incorporated by reference into the Google Cloud Agreement; no separate signature needed)
11	Google LLC (Google Fit OAuth)	Optional health-data source	Steps, weight, nutrition entries (only if user connects)	US	User's explicit OAuth consent + Google API terms; same DPA via Google Cloud Agreement applies
12	Edamam, Inc.	Recipe search + food-database search	Search-query text	US	EU SCCs — Edamam's standard API terms govern data processing. A separately-signed DPA is available via Edamam support / commercial contact. Pre-launch deferred (only search-query strings transit; no account identifiers); revisit at first paying customer. Note: Edamam contractually requires attribution adjacent to any displayed nutrition/recipe data — see audit row §E.1.
13	USDA FoodData Central	Public nutrition-reference API	Food-name queries only; no personal data	US	Public API, no personal data transferred — DPA not required.
14	Kroger	Grocery-pricing data (US market)	Product queries, optional ZIP code	US	API terms only; no public DPA. Document reliance on Kroger's standard API terms; revisit if processing personal data at scale.

Infrastructure and hosting summary

Primary data store: Supabase, EU region eu-west-2 (London). The Supabase organisation is incorporated in the US, but data resides in the London region per the prod project configuration.
Application hosting: Vercel (US) for web; Cloudflare Workers (global edge) for API.
Email: Resend (US).
LLM: multi-provider (Gemini, Anthropic, OpenAI) with automatic fallback.

Historical changes

Date	Change
2026-04-28	Initial publication. DPA URLs populated for Supabase, Cloudflare, Vercel, PostHog, Sentry, Resend, Google Cloud (incl. Gemini + Google Fit). Axiom / Anthropic / Edamam: request via support — no public DPA URL.

Contact

privacy@trypreppy.com for any question about sub-processors or transfers.

Preppy — Sub-processor Register

Notice of changes

We will notify affected customers and users at least 30 days before adding a new sub-processor or materially changing an existing engagement. Notice is given by:

email to the primary administrative contact on file; and

an update to this page (with the Last updated date above changed accordingly).

Current sub-processors

Sub-processor

Purpose

Data categories

Primary location

DPA / safeguard

Supabase, Inc.

Primary database (PostgreSQL) and authentication service

Account data, profile and preferences, user-generated content, health/nutrition data, meal-plan data

EU (eu-west-2, London) — corporate entity US

EU SCCs Module 2 — DPA (PDF version available; legally binding PandaDoc requires signature via the dashboard's legal documents page)

Cloudflare, Inc.

API edge workers, CDN, DDoS protection, bot mitigation

Data in transit (IP, request metadata); any payload transiting the API

Global edge (routing primarily EU-edge for EU users where possible)

EU SCCs + UK Addendum — DPA v6.4 (automatically incorporated by reference into the Self-Serve Subscription Agreement accepted at signup; explicit signing only required for Enterprise customers)

Vercel, Inc.

Hosting of the Next.js web application

Data in transit; server-side render context

EU SCCs Module 2 — DPA (incorporated by reference into the Vercel Customer Agreement; no separate signature needed)

PostHog, Inc.

Product analytics — opt-in only

Pseudonymous event data, truncated IP, feature-usage events

US (decision: stay on US Cloud for now; revisit EU Cloud migration if Preppy serves EU customers at scale)

EU SCCs Module 2 — DPA (explicit signature required at "IN WITNESS WHEREOF" blocks)

Functional Software, Inc. (Sentry)

Application error monitoring

Stack traces, error context, truncated IP

US / EU

EU SCCs Module 2 — DPA (electronic acceptance via login / TOS agreement)

Axiom, Inc.

Server log storage and search

Server logs (request metadata, application logs — PII-scrubbed before ingestion per audit §G.6)

EU SCCs Module 2 — Axiom's standard Terms of Service incorporate data-processing terms by reference. A separately-signed DPA is available on request via trust.axiom.co or support@axiom.co. Pre-launch deferred (minimal personal data given the scrubber); revisit at first paying customer.

Resend, Inc.

Transactional and (opt-in) marketing email delivery

Email address, name, email content, delivery metadata

EU SCCs Module 2 — DPA (binding upon TOS acceptance; executed version accessible from the Resend dashboard)

OpenAI, L.L.C.

LLM API for recipe parsing, shopping-list normalisation, meal scheduling

Recipe/meal-plan text; no account identifiers beyond a pseudonymous request ID

EU SCCs + API DPA — https://openai.com/policies/data-processing-addendum/ (opt-in via OpenAI platform settings; URL canonical, automated verification blocked by site WAF — verify in browser when opting in). OpenAI does not train on API inputs by default.

Anthropic, PBC

LLM API (fallback tier)

Same as OpenAI

EU SCCs Module 2 — Anthropic's Commercial Terms of Service include data-processing obligations by reference. A separately-signed DPA is available via Anthropic commercial sales or usersafety@anthropic.com. Pre-launch deferred (bounded LLM data, no account identifiers); revisit at first paying customer.

Google LLC (Gemini / AI Studio)

LLM API (primary tier per stack)

Same as OpenAI

EU SCCs Module 2 — Google Cloud DPA (incorporated by reference into the Google Cloud Agreement; no separate signature needed)

Google LLC (Google Fit OAuth)

Optional health-data source

Steps, weight, nutrition entries (only if user connects)

User's explicit OAuth consent + Google API terms; same DPA via Google Cloud Agreement applies

Edamam, Inc.

Recipe search + food-database search

Search-query text

EU SCCs — Edamam's standard API terms govern data processing. A separately-signed DPA is available via Edamam support / commercial contact. Pre-launch deferred (only search-query strings transit; no account identifiers); revisit at first paying customer. Note: Edamam contractually requires attribution adjacent to any displayed nutrition/recipe data — see audit row §E.1.

USDA FoodData Central

Public nutrition-reference API

Food-name queries only; no personal data

Public API, no personal data transferred — DPA not required.

Kroger

Grocery-pricing data (US market)

Product queries, optional ZIP code

API terms only; no public DPA. Document reliance on Kroger's standard API terms; revisit if processing personal data at scale.

Infrastructure and hosting summary

Primary data store: Supabase, EU region eu-west-2 (London). The Supabase organisation is incorporated in the US, but data resides in the London region per the prod project configuration.

Application hosting: Vercel (US) for web; Cloudflare Workers (global edge) for API.

Email: Resend (US).

LLM: multi-provider (Gemini, Anthropic, OpenAI) with automatic fallback.

Date

Change

2026-04-28

Initial publication. DPA URLs populated for Supabase, Cloudflare, Vercel, PostHog, Sentry, Resend, Google Cloud (incl. Gemini + Google Fit). Axiom / Anthropic / Edamam: request via support — no public DPA URL.