Sub-processors
Effective Date: 9 October 2025
Last Updated: 9 October 2025
This page lists the third-party service providers that H1NTED engages as sub-processors to support the Platform solely where H1NTED acts as a data processor on behalf of business customers. For activities where H1NTED is a data controller (e.g., account, billing, website), see our Privacy Policy.
What a sub-processor is
A sub-processor is a third party engaged by H1NTED that may process personal data on our customers’ instructions to provide, secure, or support the Platform (hosting, storage, authentication, payments, support tooling, AI inference, etc.). We require each sub-processor to sign data-protection terms, to implement appropriate technical and organisational measures, and to delete data within our retention windows or provide equivalent guarantees.
Current sub-processors (processor scope)
The scope below applies to processing where H1NTED is the processor. Data is limited to the minimum necessary to perform the service.
| Provider | Service/Role | Typical Data Processed | Primary Processing Location(s) | Transfer Mechanism(s) | DPA / Info |
|---|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, storage, load balancing | Pseudonymous user IDs, ephemeral User Inputs/Outputs during inference, operational logs strictly necessary for delivery/security | EU (primary). Limited access from other regions for support if required | EU GDPR SCCs (if cross-border support access occurs) | aws.amazon.com/compliance |
| Supabase | Managed database & authentication for dashboard | Account identifiers, session tokens, minimal operational metadata | EU (primary). Limited support access from other regions if required | EU GDPR SCCs (if cross-border support access occurs) | supabase.com/privacy |
| Stripe | Payments & anti-fraud | Billing contact, business name, email, payment metadata (no full card numbers stored by H1NTED) | EU/US (depends on card network/region) | EU–US DPF and/or EU GDPR SCCs | stripe.com/privacy |
| Zoho | Email/support tooling (contact forms, ticketing) | Support messages, contact email, headers/metadata | EU/US (service-dependent) | EU GDPR SCCs and/or EU–US DPF | zoho.com/privacy |
| Third-party AI inference provider(s) | Model inference to generate Outputs from User Inputs | Ephemeral User Inputs strictly necessary to fulfil the request; transient safety/abuse-prevention features | Region depends on model/provider; selected to minimise transfers | EU GDPR SCCs and/or EU–US DPF (provider-dependent) | Listed in-product in the model picker |
Notes
- AI models: Third-party inference is used only for runtime processing; User Inputs/Outputs are not used to train, fine-tune, or improve models.
- Data minimisation: User Inputs/Outputs are designed to be ephemeral and automatically deleted within short windows after processing completion.
- Security: All sub-processors are contractually required to implement appropriate security (encryption in transit, access controls, least privilege, monitoring) and to support our deletion timelines.
Locations & international transfers
Where personal data is transferred from the EEA/UK to a country without an adequacy decision, H1NTED implements the EU Standard Contractual Clauses (2021/914) (and the UK IDTA/Addendum where relevant), plus additional technical and organisational measures. For certified US providers, we may rely on the EU–US Data Privacy Framework.
How we add or change sub-processors
- Advance notice: We will post updates to this page and, for affected customers with a signed DPA, provide email notice at least 30 days in advance of adding or replacing a sub-processor (except urgent changes required for security, continuity, or legal compliance; in such cases we will notify as soon as practicable).
- Subscribe to updates: Email hello@h1nted.com with the subject “Subscribe — Sub-processor updates” to receive change notifications.
- Enterprise objections: If your signed DPA includes an objection right, you may object on reasonable, documented data-protection grounds by emailing hello@h1nted.com within the notice period. We will work with you in good faith to provide a commercially reasonable alternative. If no alternative is feasible, remedies are as set out in the DPA.
Data retention (processor scope)
- User Inputs/Outputs: Ephemeral by design (auto-deletion within short windows after processing).
- Operational logs: Minimal logs retained only as necessary for integrity, security and legal obligations.
- Payments & billing: Retained as required for tax/audit compliance.
Security overview
We apply defence-in-depth measures across our stack and require equivalent commitments from sub-processors: encryption in transit, network/data segregation, role-based access with least privilege, audit logging and monitoring, secure key management, and prompt incident response. Providers’ independent certifications (e.g., ISO 27001, SOC 2) are available on their compliance pages.
Contact
Questions about this page or data transfers? Email hello@h1nted.com. EEA data subjects may also contact our EU Representative as listed in our Privacy Policy.