Data Subprocessors
Last updated: April 2026
Who they are and why we list them
To deliver our services we use a set of external providers ("subprocessors") that handle personal data on our behalf. This page lists them transparently, in accordance with Article 28 GDPR and the principle of transparency (Article 5(1)(a)). We have a Data Processing Agreement (DPA) signed with each provider, and they apply the security measures described below.
How to read the table
- Tier indicates the sensitivity level of the data the provider handles: Critical (mental health content or biometric data), High (identifiable PII or hosting), Medium (transient data or with scrubbing), Low (no significant identifiable PII).
- Mechanism describes the legal basis for international transfers when the provider is outside the EEA: DPF (EU-US Data Privacy Framework, Adequacy Decision), SCCs (European Commission Standard Contractual Clauses, Decision 2021/914), or both.
- All providers encrypt data in transit (TLS 1.3). Encryption at rest and other supplementary measures are documented in our internal Transfer Impact Assessment.
| Provider | Purpose | Data processed | Location | Mechanism | Tier |
|---|---|---|---|---|---|
| Supabase | Shared database, authentication, storage, Edge Functions | All user PII (accounts, profiles, encrypted messages, leads, newsletter, audit log) | EU (eu-*) | SCCs | High |
| Vercel | Hosting for the applications (megrowth, backoffice, landing) | PII in server logs, request headers | US (serverless functions in Frankfurt) | DPF + SCCs | High |
| Groq | Primary LLM for text and voice chat | Chat text content (special category — mental health) | US | SCCs | Critical |
| Cerebras | Secondary LLM (fallback) for text and voice chat | Chat text content (special category — mental health) | US | SCCs | Critical |
| Fireworks AI | Tertiary LLM (fallback) | Chat text content (special category) | US | SCCs | High |
| ElevenLabs | Text-to-Speech (TTS) and Speech-to-Text (Scribe v2) for the avatar | User voice audio (potentially biometric data) and transcriptions | US (EU residency available on higher plans) | DPF + SCCs | Critical |
| Deepgram | Speech-to-Text (fallback for ElevenLabs Scribe) | Audio + transcriptions (potentially biometric data) | US (EU endpoint available) | SCCs | High |
| HeyGen LiveAvatar | 3D avatar rendering (LITE mode) | Prompt text (no direct PII) and synthesized avatar audio | US | DPF + SCCs | Critical |
| Google (Gemini) | Primary embeddings for RAG | Text chunks from messages (special category when from mental-health chat) | US with global regions | DPF + SCCs | High |
| OpenAI | Embeddings (fallback for Gemini) | Text chunks in fallback | US | DPF + SCCs | High |
| HubSpot | Lead CRM (sync from landing) | Lead PII (email, name, interests, company) | US | DPF + SCCs | High |
| Resend | Transactional email delivery | Email + name + email body | US | DPF + SCCs | Medium |
| Sentry | Error monitoring | Stack traces and breadcrumbs (with automatic scrubbing of sensitive fields) | US (EU plan available) | SCCs | Medium |
| Upstash (Redis) | Rate limiting and ephemeral TTS cache | Hashed IP and synthetic TTS audio (no PII) | US (EU regions available) | SCCs | Medium |
| Cloudflare (Turnstile) | Anti-bot protection on forms | Validation tokens, browser fingerprints (no direct PII) | US global | DPF + SCCs | Low |
| PostHog | Web analytics (gated by cookie consent) | Usage events, click streams, user UUID, browser/device | US | SCCs | Medium |
| isEazy | Embedded course platform | Course progress, completion timestamps | To be verified | To be verified | Medium |
Changes and notification
We keep this page updated whenever we add or remove a subprocessor. Material changes are notified to registered users at least 30 days in advance. Users may object to new subprocessors by exercising their right to object (Article 21 GDPR) at any time.
Your rights
You may exercise your rights of access, rectification, erasure, objection, restriction, and portability at any time. For more information see our Privacy Policy or contact us at:
Email: info@megrowthes.com
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at agpd.es.
