Every third party that processes customer data, what they do, and when we last checked their security documentation.
| Sub-processor | Purpose | Data involved | Location | Security docs | Last verified |
|---|---|---|---|---|---|
| Hetzner Online GmbH | Hosting and backup storage. | All customer data (databases, backups, files). | Germany (Nuremberg, Falkenstein). | Compliance | 2026-04-21 |
| Anthropic PBC | Claude Sonnet for the AI chat assistant and the photo-to-ingredient feature. | Recipe and ingredient content sent transiently during a request. Zero-retention terms. Not used to train any model. | United States. EU Standard Contractual Clauses (SCCs) in place. | Trust Center | 2026-04-21 |
| OpenAI, L.L.C. | Embedding API for ingredient search. | Ingredient names and short descriptions, sent transiently. Not used to train any model. | United States. EU SCCs in place. | Enterprise Privacy | 2026-04-21 |
| Stripe, Inc. | Subscription billing and payment processing. | Billing contact name, billing address, payment card token. No recipe or ingredient data. | United States. EU SCCs in place. | Security at Stripe | 2026-04-21 |
| Google LLC (Google Analytics 4) | Aggregated marketing-site analytics on public pages only. Loaded only after the visitor accepts the cookie banner. | Pseudonymous interaction data (page views, referrer, device, browser). No recipe, ingredient, or account data. | United States. EU SCCs in place. | Google Measurement Controller-Controller Data Protection Terms | 2026-05-16 |
| Microsoft Corporation (Microsoft Clarity) | Aggregated heatmaps and session replays on public marketing pages only, to surface usability issues. Loaded only after the visitor accepts the cookie banner. | Pseudonymous interaction signals (clicks, scrolls, masked session replay). No recipe, ingredient, or account data. | United States. EU SCCs in place. | Clarity Cookies · Microsoft Privacy Statement | 2026-05-16 |
We update this list whenever we add, change, or remove a processor of customer data. Changes are notified by email to the billing contact on each account. Each row's “last verified” date reflects the most recent time we checked the entry against the sub-processor's own current documentation.
Questions about this list? Email security@nibblr.co.uk.