Sub-processors & Data Sharing

Last updated: January 15, 2025

Data Processing Transparency

This page lists all third-party service providers (sub-processors) that process personal data on behalf of SabaiFit. We ensure all sub-processors meet our security and privacy standards.

1. Core Service Providers

Supabase (Supabase Inc.)

Purpose: Database hosting, authentication, real-time features

Data Types: User profiles, session data, messages, notifications

Location: United States (AWS infrastructure)

Legal Basis: Legitimate interest, contract performance

Retention: As specified in our Privacy Policy

Security: SOC 2 Type II certified, GDPR compliant

Stripe (Stripe Inc.)

Purpose: Payment processing, fraud prevention, payouts

Data Types: Payment information, transaction data, bank details

Location: United States, European Union

Legal Basis: Contract performance, legal obligation

Retention: 7 years for financial records

Security: PCI DSS Level 1, SOC 2 Type II

Vercel (Vercel Inc.)

Purpose: Website hosting, CDN, performance monitoring

Data Types: Website usage data, performance metrics, error logs

Location: Global CDN (multiple regions)

Legal Basis: Legitimate interest

Retention: 30 days for logs, indefinite for analytics

Security: SOC 2 Type II, ISO 27001

Resend (Resend Inc.)

Purpose: Email delivery, transactional emails

Data Types: Email addresses, email content, delivery status

Location: United States

Legal Basis: Contract performance

Retention: 30 days for delivery logs

Security: SOC 2 Type II compliant

2. Analytics and Monitoring

Google Analytics (Google LLC)

Purpose: Website analytics, user behavior tracking

Data Types: IP addresses, page views, user interactions

Location: United States

Legal Basis: Consent (can be withdrawn)

Retention: 26 months (configurable)

Security: Google Cloud security standards

3. Data Processing Agreements

We have Data Processing Agreements (DPAs) in place with all sub-processors that include:

  • Data protection and security requirements
  • Limitations on data use and processing
  • Data breach notification procedures
  • Right to audit and compliance verification
  • Data deletion and return procedures
  • Sub-processor notification requirements

4. International Data Transfers

Some of our sub-processors are located outside Thailand. We ensure appropriate safeguards for international transfers:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer mechanisms
  • Adequacy Decisions: Countries with adequate data protection
  • Certification Schemes: Privacy Shield successors and similar frameworks
  • Binding Corporate Rules: Internal data protection policies

5. Sub-processor Changes

We may add or change sub-processors from time to time. When we do:

  • We will update this page within 30 days
  • We will notify users of material changes
  • We will ensure new sub-processors meet our standards
  • Users can object to changes affecting their data

6. Your Rights

You have the right to:

  • Know which sub-processors handle your data
  • Request information about data processing activities
  • Object to processing by specific sub-processors
  • Request data portability or deletion
  • Lodge complaints with supervisory authorities

7. Contact Information

For questions about our sub-processors or data processing:
Data Protection Officer: dpo@sabaifit.com
General Privacy Inquiries: privacy@sabaifit.com
Address: [Company Address - To be updated]
Phone: [Contact Number - To be updated]

This Sub-processors page is part of our Privacy Policy and complies with Thailand's Personal Data Protection Act (PDPA).