Subprocessors
GreenSweep Pte. Ltd. engages the following processors to deliver the platform. Each is bound by a Data Processing Agreement; where data is transferred outside the EEA, by Standard Contractual Clauses. We notify users of material additions or substitutions via this page and via a privacy policy version bump.
Last revised: 2026-05-02. See also Privacy Policy and Security Policy.
| Provider | Purpose | Data location | Categories of data | Transfer mechanism | DPA / SCC status |
|---|---|---|---|---|---|
| Supabase | Database, authentication, storage | EU (Frankfurt, eu-central-1) | Account credentials, voting history, consent records, referral graph, aggregated event log | Intra-EEA | DPA in place |
| Vercel | Hosting, edge functions, CDN | Singapore (sin1) primary; global edge for static assets | Request logs (transient), IP addresses (transient, not persisted) | SCCs | DPA in place |
| Cloudflare | DNS, WAF, Access SSO, Turnstile bot challenge | Global edge (request handling) | Request metadata, IP addresses, Turnstile challenge tokens, JA3 fingerprints (transient) | SCCs | DPA in place |
| Upstash Redis | Rate limiting, queues, ephemeral session state | EU (Frankfurt, eu-central-1) | IP-bucketed counters, hashed session identifiers, queue payloads (sub-24h retention) | Intra-EEA | DPA in place |
| Google Analytics 4 (consent-gated) | Anonymous usage analytics | United States | Cookie ID, page-view event payload, anonymised IP (last octet zeroed) | SCCs | DPA in place |
| PostHog (consent-gated) | Product analytics, feature flags | EU (Frankfurt, EU cloud) | Anonymous user ID (UUID), event payload, session recording metadata | Intra-EEA | DPA in place |
| ManyChat | WhatsApp messaging operator | United States | Hashed phone identifier (SHA-256), message content, opt-in status | SCCs | DPA in place |
| Resend | Transactional email (magic links, receipts, notifications) | United States | Email address, message content, delivery status | SCCs | DPA in place |
About this list
This list is the canonical Article 13(1)(e) GDPR disclosure of the processors GreenSweep engages. We commit to updating this page within 30 days of any material change to the subprocessor set, including provider additions, substitutions, or removals.
“Consent-gated” processors are loaded only after a user affirmatively accepts analytics cookies via our consent banner. The banner currently runs in Germany, Austria, Malta, and Nigeria; visitors from those markets who have not granted consent generate zero requests to those providers. We are actively extending the consent gate to all EEA, UK, and Swiss visitors — see the “Open compliance work” note on the Privacy Policy.
Sub-subprocessors
Several processors above engage their own subprocessors (cloud-hosting providers, CDNs, monitoring tools). Each processor is contractually bound to maintain its own subprocessor list and to notify GreenSweep of changes. The current state of each processor’s subprocessor chain is available on the respective provider’s public trust page; we maintain an internal mirror as part of our annual vendor due-diligence cycle.
Reporting concerns
If you have questions about any subprocessor or wish to exercise your rights with respect to data shared with one, please contact [email protected]. We respond within 30 days per Article 12(3) GDPR.