
Sub-processors

Effective 18 May 2026

OBJEKT is a small operation that runs on top of well-known infrastructure. This page lists every third party that processes customer data on our behalf, why, and where. We keep it short and we keep it current.

1. Current sub-processors.

The third parties below process personal data on our behalf as processors (or sub-processors), under written contracts that include confidentiality, security, and (for transfers out of the EEA/UK) the European Commission’s Standard Contractual Clauses.

Supabase, Inc.

Purpose: Authentication, primary database (Postgres), object storage for uploads and outputs.
Data: Account data, profile and brand data, content data (Inputs and Outputs), operational data.
Location: United States / European Union (region pinned at project setup).

Vercel, Inc.

Purpose: Application hosting, edge compute, image optimisation, deployment infrastructure.
Data: IP address, user-agent, request metadata. No content stored at rest on Vercel.
Location: Global edge network; primary region in the United States.

Stripe, Inc.

Purpose: Payment processing, subscription management, billing portal, anti-fraud.
Data: Name, billing address, email, card last-four, country, charge history.
Location: United States / European Union.

Generation provider (TBD at launch)

Purpose: Generative image inference. Inputs are transmitted only for the duration of the generation. Zero-data-retention contractual terms are in place wherever offered.
Data: Uploaded product references, prompts, and configuration. Outputs are returned to OBJEKT and stored on Supabase, not on the generation provider.
Location: United States.

Resend, Inc.

Purpose: Transactional email (sign-up confirmation, password reset, receipts).
Data: Email address, name, message body, delivery metadata.
Location: United States.

PostHog, Inc. (only if analytics consent given)

Purpose: Anonymous product analytics — feature usage, drop-off, error trends.
Data: Anonymous device identifier, route visited, feature events. No content data.
Location: European Union (EU cloud region).

2. How we add new sub-processors.

Before we subscribe to a new sub-processor, we (a) check their security posture, (b) put a written contract in place with terms at least as protective as our own commitments to you, and (c) where the sub-processor will receive personal data of EEA/UK users, sign the EU Standard Contractual Clauses (and UK addendum where applicable).

3. Notice of change.

When we add or replace a sub-processor that handles meaningful amounts of customer data, we will update this page and, for customers on business plans with an active DPA, email a notice at least 30 days before the change takes effect. If you have a reasonable, documented objection on data-protection grounds, you may raise it at privacy@objekt-ai.com within the notice window.

4. Subscribe to updates.

Business-plan customers under a signed DPA receive sub-processor notices automatically. Any other user who wants to be notified can email privacy@objekt-ai.com with the subject “sub-processor updates” and we will add you to the notice list.