Data Processors and Sub-processors
Last updated: April 2026
In compliance with Article 28 of the GDPR, we publish the complete and up-to-date list of external providers involved in processing personal data on behalf of LongevityMap. A Data Processing Agreement (DPA) is in place with all of them, guaranteeing protection levels equivalent to those required by the GDPR.
For transfers outside the European Economic Area, we apply the Standard Contractual Clauses (SCC) approved by the European Commission, together with additional technical measures when necessary.
Providers
| Provider | Service provided | Data processed | Location | Safeguards |
|---|---|---|---|---|
| Supabase | Database and authentication | All platform data | EU (Frankfurt) | DPA + AES-256 encryption + PITR |
| Vercel | Hosting, CDN and serverless functions | Access logs, HTTP requests | EU / US (global CDN) | DPA + SCC |
| Resend | Transactional email delivery | Email and message content | US | DPA + SCC |
| Stripe Payments Europe | Payment processing | Email, amount, card token (we do not store card numbers) | Ireland (EU) | Native GDPR DPA + PCI-DSS |
| Cloudinary | Image storage and transformation | Images uploaded by clinics (logos, photos, before/after) | US | DPA + SCC |
| Sentry | Error monitoring | Error stack traces (personal data automatically redacted) | US | DPA + SCC + PII redaction |
| Google Analytics (GA4) | Website usage analytics | Anonymous usage (only after explicit consent in the cookie banner), anonymized IP | US | DPA + SCC + IP anonymization + Consent Mode v2 |
| Google OAuth | Optional OAuth authentication ("Sign in with Google") | Email and name (only if the user chooses this login method) | US | OAuth 2.0 standard + DPA |
| Anthropic (Claude) | AI recommendation engine (Claude API) for 'My Protocol' | Pseudonymized profile (goals, budget) — no directly identifying data; not used to train models | USA (Anthropic Ireland Ltd. as EU contracting entity) | DPA + Standard Contractual Clauses (SCC) · data minimization |
| Twilio | Transactional WhatsApp/SMS notifications (appointment reminders) | Phone number and appointment metadata (date, clinic, treatment) | USA | DPA + Standard Contractual Clauses (SCC) |
Updates to this list
If we add or replace any provider, we will update this page before the change takes effect. For greater transparency, we invite you to review it periodically. If you have questions about any provider, write to privacidad@longevitymap.co.