Sub-processors

This page lists every "sub-processor" — a third party that GoPresent Ltd uses to deliver the GoPresent Platform and that may process personal data on behalf of GoPresent or our customers.

We publish this list to comply with Article 28(2) of the UK General Data Protection Regulation (UK GDPR) and the equivalent requirements of the EU GDPR. Our Data Processing Agreement (DPA) at /legal/data-processing-agreement explains the contractual basis under which sub-processors are engaged.

We notify customers in writing (via email) at least 30 days before adding or replacing any sub-processor that processes personal data. Customers may object during that window in line with Section 7 of the DPA.

Vercel Inc. (USA) — Application hosting, edge network, deployment and build pipeline. Data: account identifiers, request metadata, IP addresses, cached pages. Region: global edge with US headquarters. Sub-processor of: Amazon Web Services (USA, EU). DPA available at https://vercel.com/legal/dpa.

Supabase Inc. (USA) — Primary database, file storage, authentication, real-time. Data: all platform data including account, project, deck, transcript, score, billing entitlement, audit log. Region: eu-west-1 (Ireland) for the production project (Atomic Live). Sub-processor of: Amazon Web Services (EU). DPA available at https://supabase.com/legal/dpa.

Cloudflare Inc. (USA) — DDoS protection, CDN, Turnstile bot detection on public forms. Data: request metadata, IP addresses, Turnstile challenge tokens. Region: global edge. DPA available at https://www.cloudflare.com/cloudflare-customer-dpa/.

Clerk Inc. (USA) — User authentication, session management, organization membership. Data: email, name, profile photo, MFA factors, session tokens, organization membership. Region: US-hosted with EU data-residency available on request. DPA available at https://clerk.com/legal/dpa.

Stripe Inc. (USA) and Stripe Payments UK Ltd (UK) — Payment processing, subscription management, invoicing, tax calculation (Stripe Tax). Data: billing name and address, VAT number, payment method tokens (we do not store card numbers), transaction history, invoice records. Region: global with UK Ltd contracting. DPA available at https://stripe.com/legal/dpa.

Anthropic PBC (USA) — Primary large-language-model provider for gap analysis, deck generation, conversational AI, fact-check, and presenter-script generation. Data: prompt content (which may include user-supplied deck content, transcripts, intake answers), model output, request metadata. We use Anthropic's enterprise tier with zero-retention configuration where contractually offered. Data is not used by Anthropic to train future models. DPA available at https://www.anthropic.com/legal/dpa.

Together Computer Inc. (USA) — Secondary (failover) large-language-model provider used when Anthropic returns 429 / 5xx responses. Powers the same surfaces as Anthropic when failover is invoked. Data: same as Anthropic. Region: US-hosted. DPA available on request.

OpenAI Inc. (USA) — Embedding-only provider for the founder portal's retrieval-augmented conversation feature. We send the text of project_corpus rows (excerpts from your uploaded materials) and your in-conversation messages used as retrieval queries; we receive 1536-dimensional vectors back. We do NOT use OpenAI for any chat completion, deck generation, or other generative output — those continue to route through Anthropic / Together. Per OpenAI's API terms, embeddings inputs are not retained beyond the request and are not used to train OpenAI models. DPA available at https://openai.com/policies/data-processing-addendum.

Deepgram Inc. (USA) — Voice-note transcription. Data: audio uploads from founders, transcribed text, request metadata. Region: US-hosted. DPA available at https://deepgram.com/legal/data-processing-agreement.

Firecrawl Ltd (USA / UK) — Public website extraction for competitive-intelligence enrichment. Data: URLs of competitor / portfolio sites the founder requests we scrape, scraped content, request metadata. Region: US-hosted. DPA available on request.

Resend Inc. (USA) — Transactional email delivery (sign-in links, billing notices, deletion confirmations, expiry warnings, marketing opt-ins). Data: recipient email address, email content, delivery and bounce telemetry. Region: US-hosted. DPA available at https://resend.com/legal/dpa.

PostHog Inc. (USA) — Product analytics, feature flags, error tracking. Data: anonymised event telemetry (gated by cookie consent), feature-flag evaluations, server-side error stack traces. Autocapture is disabled by default; only consented users contribute behavioural events. Region: US-hosted with EU data-residency option. DPA available at https://posthog.com/dpa.

Vercel Inc. (Vercel Analytics + Speed Insights) — First-party page-view and Web-Vitals telemetry, cookie-free. Data: pseudonymous request telemetry, no IP storage. Region: same as Vercel hosting. Covered by the Vercel DPA referenced above.

HubSpot Inc. (USA) — Internal CRM for the GoPresent consultant team's lead and deal pipeline. Data: lead names, emails, company names, conversation notes captured by consultants. Founder personal data is NOT pushed to HubSpot. Region: US / EU. DPA available at https://legal.hubspot.com/dpa.

Apify (Czech Republic) and Icypeas (France) — Public-data enrichment for outbound consultant prospecting (used at the consultant's discretion, never automatically against founder accounts). DPAs available on request.

Currently in-product support tickets only. Tickets are stored in our own Supabase database and surfaced to consultants via the consultant portal. We do not use a third-party help-desk product (e.g. Intercom, Zendesk) for customer support today. This list will be updated if that changes.

Several sub-processors above are headquartered outside the UK. Transfers of personal data outside the UK are made under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, the EU-US Data Privacy Framework where the recipient is certified, and additional supplementary measures (encryption in transit and at rest) where appropriate.

If a sub-processor in this list ceases to be covered by an adequate transfer mechanism, we will replace it or implement supplementary measures within 30 days and update this page.

Questions about this list, including how to exercise your right to object to a new sub-processor, should be sent to privacy@gopresent.ai or by post to GoPresent Ltd, Bartle House, 9 Oxford Court, Manchester, England, M2 3WQ.