Sub-processors

Last updated: May 6, 2026

We rely on the sub-processors listed below to deliver the Service. Each operates under a written data-processing agreement. We will provide at least 30 days’ written notice of any new sub-processor; Customers on a paid plan may object by emailing privacy@whofollowsme.app within those 30 days, and we will give the Customer the opportunity to terminate without penalty for the unused portion of the term if we cannot resolve the objection.

Sub-processorPurposeLocationTransfer mechanism (EEA/UK)
Vercel, Inc.Application hosting, deploy logsUnited StatesEU-U.S. DPF (Vercel-certified); SCCs Module 2 fallback
Convex, Inc.Database, serverless functionsUnited StatesSCCs Module 2
Clerk Inc.AuthenticationUnited StatesEU-U.S. DPF (Clerk-certified); SCCs Module 2 fallback
Stripe, Inc.Payments, recurring billingUnited States, EUEU-U.S. DPF (Stripe-certified); SCCs Modules 1/2 as applicable
Resend Inc.Transactional emailUnited StatesSCCs Module 2
HikerAPIPublic Instagram profile dataUnited StatesSCCs Module 2
Apify Technologies s.r.o.Public profile data fetching (multi-platform)European UnionNo transfer (EU-based)
TwitterAPI.ioPublic X / Twitter profile dataUnited StatesSCCs Module 2
TokAPIPublic TikTok profile dataUnited StatesSCCs Module 2
RapidAPI Inc.Aggregator routing for aboveUnited StatesSCCs Module 2
Anthropic, PBCLLM classification (default; only provider for EEA/UK/Swiss data)United StatesEU-U.S. DPF (Anthropic-certified); SCCs Module 2 fallback
Moonshot AI Ltd.LLM classification (alternative; non-EEA data only)ChinaNot used for EEA/UK/Swiss data; SCCs and documented risk acceptance for other regions
PostHog, Inc.Product analytics (no session replay)United StatesSCCs Module 2
Cloudflare, Inc.CDN, DDoS mitigationGlobal edgeEU-U.S. DPF (Cloudflare-certified); SCCs Module 2 fallback

Cross-references: Privacy Policy §5 (sub-processors), §6 (international transfers), §7 (sharing).