Sub-processors
Last updated: June 1, 2026
To provide Investeren, we rely on the third-party service providers ("sub-processors") listed below. Each processes personal data on our behalf under a data processing agreement, and only to the extent needed to deliver its service. This list complements our Privacy Policy and is kept reasonably current; providers may change as the product evolves.
Several providers are located in the United States or process data globally. Where personal data is transferred outside the EEA, we rely on appropriate safeguards under GDPR Chapter V — primarily Standard Contractual Clauses (SCCs) and, where available, the provider's certification under the EU-US Data Privacy Framework.
| Provider | Purpose | Data processed | Location / transfer basis |
|---|---|---|---|
| Supabase | Database, authentication, file storage, edge functions | Account data, portfolio/watchlist/alerts, chat history, uploaded images | EU (with US parent) — DPA + SCCs |
| Vercel | Web hosting, CDN, edge network | Request metadata, IP addresses (transient) | Global edge / US — SCCs |
| Vercel AI Gateway | Routing AI requests to LLM and embedding providers | Chat content, images, extracted facts, embedding inputs | US — SCCs |
| Anthropic (Claude) | Large language model that generates Morgann's responses | Chat content, images, and personalisation context you provide | US — SCCs |
| OpenAI | Large language models and text embeddings | Chat content and text used to generate vector embeddings | US — SCCs |
| Google (Gemini) | Large language model (selectable model option) | Chat content and images when a Google model is selected | US — SCCs / EU-US Data Privacy Framework |
| Twilio | WhatsApp messaging delivery (inbound/outbound) | Phone number, message content, images sent via WhatsApp | US — SCCs |
| Microsoft Clarity | Product analytics (session replay, heatmaps) — consent-gated | Behavioural/usage data, masked page content | US — SCCs |
| Google AdSense | Advertising delivery and measurement — consent-gated | Ad/tracking identifiers, cross-site browsing signals | US — SCCs / EU-US Data Privacy Framework |
| Tavily | Live web search used by Morgann tools | Search queries derived from your request | US — SCCs |
| DeepL | Translation of educational content | Text submitted for translation | EU |
| ScrapingBee | Fetching public educational/reference web pages | Target URLs (no personal data) | EU/US — SCCs |
| Financial Modeling Prep (FMP) | Market and company financial data | Tickers/symbols from your queries (no personal data) | US |
| CoinGecko | Cryptocurrency market data | Coin identifiers from your queries (no personal data) | Global |
We also use keyless public data sources (for example SEC EDGAR, FRED, GLEIF, KBO/BCE, Alternative.me and similar) that receive only non-personal query parameters such as tickers or company identifiers.
Questions
For questions about our sub-processors or to request our data processing terms, contact privacy@investeren.org.