Sub-Processors
Last updated: April 2026
Change Notification Policy
In accordance with GDPR Art. 28(2), we notify controllers of any intended changes to this sub-processor list — including additions and replacements — before those changes take effect.
- Notifications are sent by email to the controller’s designated privacy contact on record.
- Controllers have 30 business days from the notification date to raise a reasoned objection.
- If a controller objects and no mutually acceptable resolution can be reached, the controller may terminate the applicable DPA without penalty.
- To ensure you receive notifications, subscribe at privacy@thechatapp.chat.
Current Sub-Processors
Hetzner Online GmbH
Germany
Service: Cloud infrastructure hosting
Data processed: All server-side data (stored encrypted at rest; content is unreadable to Hetzner and to us)
DPA status: Data Processing Agreement with Technical and Organisational Measures (TOMs) annex; Hetzner is ISO 27001 certified
Transfer mechanism: Intra-EU — no international transfer mechanism required
Google LLC (Firebase Cloud Messaging)
USA
Service: Android push notifications
Data processed: Pseudonymous device tokens only — no message content. Push payloads contain opaque internal IDs; the app fetches content directly from your server on receipt.
DPA status: Firebase Data Processing and Security Terms
Transfer mechanism: EU–US Data Privacy Framework + Standard Contractual Clauses
Google LLC (Google Calendar API)
USA
Service: Calendar integration (optional; requires explicit user-initiated OAuth consent)
Data processed: Calendar metadata and OAuth tokens, scoped to the permissions granted by the user
DPA status: Google Cloud Data Processing Addendum
Transfer mechanism: EU–US Data Privacy Framework + Standard Contractual Clauses
Microsoft Corporation (Microsoft Graph Calendar API)
USA
Service: Calendar integration (optional; requires explicit user-initiated OAuth consent)
Data processed: Calendar metadata and OAuth tokens, scoped to the permissions granted by the user
DPA status: Microsoft Products and Services Data Protection Addendum; EU Data Boundary commitments
Transfer mechanism: EU–US Data Privacy Framework + Standard Contractual Clauses
Apple Inc. (Apple Push Notification service)
USA
Service: iOS push notifications
Data processed: Pseudonymous device tokens only — no message content. Push payloads contain opaque internal IDs; the app fetches content directly from your server on receipt.
DPA status: No standalone processor DPA available — see compliance note below. Governed by the Apple Developer Program License Agreement.
Transfer mechanism: Apple’s Global CBPR (Cross-Border Privacy Rules) certification
Brevo SAS (formerly Sendinblue)
France (EU)
Service: All email delivery for our cloud-hosted service. Transactional email for the Enterprise customer portal (account verification, password resets, receipts, admin notifications, maintenance reminders) and marketing-list management for the public website (launch waitlist, founding-partner form submissions).
Data processed: Email addresses, the bodies of emails we send, and standard delivery metadata. Brevo does not process the content of customer conversations, voice/video streams, files, or calendar event bodies.
DPA status: Brevo Data Processing Agreement
Transfer mechanism: Intra-EU — Brevo SAS is a French processor with EU-based processing. No international transfer mechanism required.
Brevo — Scope
Brevo is our sole email provider. It covers two distinct flows on our cloud-hosted service: (1) transactional email sent from the Enterprise customer portal — account verification, password resets, portal receipts, maintenance reminders, and operational notifications; and (2) marketing-list management for our public website — the launch-waitlist segment and founding-partner form submissions.
Brevo never receives the content of customer conversations, voice or video streams, files, or calendar event bodies. It processes email addresses and the bodies of emails we send through it — nothing else.
Data residency. Brevo SAS is a French company and processes data within the European Economic Area. No international transfer mechanism is required. Email delivery was previously provided by Resend, Inc. (US); we migrated fully to Brevo on 2026-04-23 to keep email-related personal data within EU jurisdiction.
Apple APNs — Compliance Note
Apple does not offer a standalone data processor DPA for APNs. We have mitigated the compliance risk through the following technical and contractual controls:
- Payload sanitization: Push notifications dispatched through APNs contain zero personal data. Payloads carry only opaque internal identifiers; no names, message previews, or metadata are included.
- Pseudonymous device tokens: APNs device tokens are pseudonymous and rotate regularly; they cannot be linked back to a user identity without access to our internal mapping.
- CBPR certification: Apple’s participation in the Global CBPR framework provides a recognised international transfer mechanism for data flows outside the EU.
- Self-hosting alternative: Organisations that wish to eliminate Apple entirely as a data recipient can deploy a self-hosted push gateway, which removes the APNs dependency for all iOS clients on that deployment.
Self-Hosted Deployments
When you self-host TheChatApp on your own infrastructure, you are the sole data controller and we are not a processor of any personal data. The sub-processor relationships above apply only to our cloud-hosted Enterprise offering. The table below shows how each sub-processor’s role changes in a self-hosted context.
| Sub-Processor | Status in Self-Hosted Deployment |
|---|---|
| Hetzner Online GmbH | Not a sub-processor — you choose your own infrastructure provider |
| Google LLC (Firebase Cloud Messaging) | Involved only if you use the TheChatApp cloud push gateway; deploy a self-hosted push gateway to eliminate entirely |
| Apple Inc. (APNs) | Involved only if you use the TheChatApp cloud push gateway; deploy a self-hosted push gateway to eliminate entirely |
| Google LLC (Google Calendar API) | Involved only if individual users opt in to Google Calendar integration via OAuth consent |
| Microsoft Corporation (Microsoft Graph Calendar API) | Involved only if individual users opt in to Microsoft Calendar integration via OAuth consent |
| Brevo SAS | Not a sub-processor for self-hosted tenants. Brevo is used only by the cloud-hosted Enterprise portal and the public marketing website. Self-hosted deployments configure their own SMTP provider (or no email at all). |
A self-hosted deployment with a self-hosted push gateway results in zero personal data processed by TheChatApp or any of our sub-processors.
Change Log
| Date | Change |
|---|---|
| 2026-04-08 | Initial publication |
| 2026-04-23 | Added Resend, Inc. as a sub-processor scoped to marketing-list and public-form email only. Flagged planned migration to an EU-hosted provider. |
| 2026-04-23 | Replaced Resend, Inc. with Brevo SAS (France). All email delivery — transactional portal email and marketing-list management — migrated to an EU-based processor. Resend removed entirely from the stack. |
Contact
To receive sub-processor change notifications or to raise an objection to a proposed change, contact us at privacy@thechatapp.chat.
For general questions about this list, our data processing practices, or DPA Annex III (GDPR Art. 28(2)), contact privacy@thechatapp.chat.