Sub-processors
MEPCalc engages the following third parties to process personal data on our behalf, in line with GDPR Art. 28. Each is contractually bound to the security and confidentiality obligations described in our Data Processing Agreement.
Our full privacy policy, which covers collection, retention, and lawful basis, is at /privacy.
Active sub-processors
| Processor | Purpose | Region | Personal data accessed |
|---|---|---|---|
| Vercel | Web hosting, API routing, edge functions, scheduled crons | Global / Singapore (sin1) runtime | Request bodies and authentication tokens passing through during request handling |
| Supabase (self-hosted) | Primary database, authentication, file storage | EU operator infrastructure | All user account data, project data, calculation history |
| Upstash (via Vercel KV) | Rate limiting on the waitlist form and key API endpoints | Singapore | IP address (transient — used for the rate-limit key only) |
| Resend | Transactional email — signup confirmation, password reset, waitlist confirmation, daily digest | EU | Email addresses and email content at the point of dispatch |
| Cloudflare Turnstile | Anti-bot challenge on the waitlist form | Global | Transient browser fingerprint and IP for challenge validation only |
| Cloudflare DNS | Domain Name System resolution for mepcalc.com | Global | None — DNS resolution does not see request bodies |
| PostHog (EU Cloud) | Product analytics, autocapture, session replay (input-masked), feature flags — consent-gated | Frankfurt, Germany | Pseudonymous distinct ID, email, email domain, company name, role, subscription tier; autocaptured DOM events with text masked; replays with all inputs masked |
| Google Analytics 4 | Site usage measurement — consent-gated | USA | Pseudonymous client ID, page views, anonymised events; IP truncated |
| Contentsquare | Session replay and heatmaps on landing and privacy pages only — consent-gated | EU / France | Session replays from public landing pages only (form inputs masked) |
| Mailchimp (Intuit) | Marketing email audience for users who opt in | USA | Email and discipline tags for waitlist users with marketing opt-in |
| Stripe | Payment processing | Global (Stripe-hosted; we do not see card data) | Email; payment data stays with Stripe |
| Google Workspace (Gmail + Drive) | Our internal mailbox infrastructure (support@, privacy@, etc.) and weekly waitlist CSV export destination (Drive) | USA / EU | Inbound and outbound email content for our team mailboxes; weekly waitlist CSV in a private Drive folder containing the full waitlist row data — email, name, job role, business type, country, engineering disciplines, modules of interest, free-text notes the user submitted, marketing opt-in flag, UTM/referrer attribution, signup timestamp |
| GitHub | Source code repository (private) | USA | None — repository contains application code only; no customer data is committed |
International transfers
Transfers from UK/EU to the USA (Vercel, Google Analytics, Mailchimp, Stripe, GitHub) rely on the EU-US Data Privacy Framework where applicable, otherwise on Standard Contractual Clauses. Our DPAs with each processor incorporate these safeguards.
Notification of changes
When we add or remove a sub-processor, we update this page, our privacy policy, and the cookie consent banner version (which re-prompts existing visitors). We also email any existing paying customers when changes are material.
Contact
Questions about a specific sub-processor or our DPA arrangements: privacy@mepcalc.com