Sub-processor List
Last updated:
1. How to read this page
For each sub-processor we disclose: the company name, the function it performs for REtelligent, the processing location (relevant to cross-border disclosure), the categories of personal information it may process, and the transfer basis or data processing agreement relied on.
REtelligent Sync is built and hosted by Lovable Labs Incorporated, which engages Supabase and Amazon Web Services as onward sub-processors. The processing chain is REtelligent Pty Ltd to Lovable Labs Inc. to Supabase Inc. to AWS eu-central-1 (Frankfurt). Twilio, Resend, Cloudflare and Google (Sign-In and Gemini) operate on data in transit. All persistent personal information is stored in AWS eu-central-1 (Frankfurt, Germany); there is no Australian data domicile.
Customers may object to a new sub-processor on reasonable data-protection grounds within the 30-day advance notice period (per the applicable DPA). If the parties cannot agree on an alternative, the Customer may terminate the affected portion of the Service without penalty.
2. Tier 1 — Direct sub-processors (contracted by REtelligent)
Sub-processor | Function | Processing location | Personal information categories | Transfer basis / DPA |
|---|---|---|---|---|
Lovable Labs Incorporated (group parent Lovable Labs AB, Sweden) | Primary platform and hosting: builds, hosts and operates REtelligent Sync; provides the AI Gateway; engages the Tier 2 onward sub-processors | United States (corporate); production data hosted in Germany via the onward chain | All Customer Data categories handled by the platform | APP 8.2 safeguards; Lovable DPA incl. EU SCCs Module Two and the clause 7.5 flow-down. Contracting processor is the US entity per the executed deed. Encryption uses AWS-managed keys (AWS KMS); no customer-managed keys or BYOK |
Twilio Inc. | Telephony and messaging (in transit): inbound and outbound SMS, WhatsApp Business utility templates, voice intake, and delivery-status callbacks | AU1 sub-account for +61 voice and SMS; US1 for WhatsApp Business (Meta global infrastructure) | Phone numbers (+61 AU / +40 RO), message bodies, template variables, call audio and metadata | APP 8.2 safeguards; EU SCCs for EU egress. Twilio published DPA (9 April 2026) |
Resend (Plus Five Five, Inc.) | Transactional and authentication email (in transit, bidirectional): outbound email from the sending domain notify.app.retelligent.co; inbound email-to-ticket ingestion via a Svix-signed webhook | United States (US East) and EU | Recipient email and name, ticket content, message identifier, suppression and unsubscribe events | APP 8.2 safeguards; EU SCCs. Resend DPA (DocuSign-signed 8 June 2026, incl. SCCs) |
Cloudflare, Inc. | Edge and security (in transit): edge CDN, TLS termination, DNS, and DDoS/WAF fronting app.retelligent.co; Turnstile CAPTCHA on the public intake form | Global edge (Sydney point of presence for AU traffic) | IP address, user agent, URL paths, and cookies for all authenticated users; Turnstile challenge tokens | APP 8.2 safeguards; EU SCCs. Cloudflare DPA (standard) |
Google LLC (Sign-In / OAuth) | Identity provider (in transit): Google Sign-In is the default authentication method; receives email and profile claims at sign-in. Distinct from Gemini inference | United States | Email and profile claims at sign-in | APP 8.2 safeguards; EU SCCs. Google OAuth 2.0 Terms and Supabase Auth configuration |
Google LLC (Workspace) | Business email and collaboration (internal): staff email, calendar and documents; receives personal information only via correspondence to the support and privacy inboxes | United States; multi-region | Correspondence content sent to support and privacy inboxes | APP 8.2 safeguards; EU SCCs. Google Workspace DPA |
3. Tier 2 — Onward sub-processors (engaged by Lovable; reach REtelligent via the Lovable DPA)
Onward sub-processor | Engaged by | Function | Processing location | Basis / attestations |
|---|---|---|---|---|
Supabase, Inc. (via Lovable Cloud) | Lovable | Postgres database; Auth (GoTrue identity store: auth identifiers, hashed credentials, reset tokens); object storage in the buckets maintenance-photos and quote-attachments; Edge Functions; Realtime. Vendor proof-of-work photos have GPS EXIF extracted to proof_geo_data (jsonb) — location tied to a job address, treated as personal information under the APPs | Data resident in AWS eu-central-1 (Frankfurt, Germany); Supabase corporate United States | Via the Lovable DPA clause 7.5 flow-down (no direct REtelligent–Supabase contract). Supabase SOC 2 Type II and ISO/IEC 27001:2022 |
Amazon Web Services, Inc. | Lovable / Supabase | Underlying cloud infrastructure hosting the Supabase and Lovable stack. All persistent REtelligent production data resides here | Germany (eu-central-1, Frankfurt). No Australian (Sydney) data domicile | Within the EEA for EU data. For AU data this is the cross-border disclosure point (Australia to Germany) under APP 8.2. AWS DPA via the chain |
Google LLC — Gemini (via the Lovable AI Gateway) | Lovable | LLM inference: Gemini 2.5 Flash (ticket triage, call-intake) and Gemini 3 Flash (English-to-Romanian translation), plus feedback analysis. Free-text inputs only; no persistent storage by the model provider | United States | Lovable DPA clause 10.1 (AI inference); APP 8.2 safeguards; EU SCCs. Explicit no-training terms for both models |
No direct contractual relationship exists between REtelligent and the Tier 2 onward sub-processors. Reliance is established through the Lovable DPA clause 7.5 flow-down and, for AI inference, clause 10.1.
4. Monitoring (no personal information processed)
These providers receive only endpoint URLs and timing or response metadata. They do not process customer personal data.
Sub-processor | Function | Processing location | Basis |
|---|---|---|---|
UptimeRobot s. r. o. | External uptime monitoring and keep-warm pings against public health endpoints | EU (Slovak Republic; IČO 561 73 067) | Standard terms; no personal data processed |
Catchpoint Systems, Inc. | Synthetic latency testing from a Sydney node for performance evidence (Vendor Risk Pack Item 9) | Global synthetic nodes (US entity) | Standard terms; no personal data processed |
5. Cross-border transfers
All persistent personal information is stored in AWS eu-central-1 (Frankfurt, Germany). There is no Australian data domicile.
AU-origin personal information is disclosed from Australia to Germany under APP 8.2 contractual safeguards (the Lovable DPA chain incl. EU SCCs Module Two and the clause 7.5 flow-down). REtelligent Pty Ltd remains accountable under section 16C of the Privacy Act 1988 (Cth).
EU-origin personal data is stored within the EEA, so no Chapter V transfer arises for storage. US-domiciled sub-processors with in-transit access (Lovable, Supabase, Twilio, Resend, Cloudflare, Google for Sign-In and Gemini) rely on GDPR Article 46(2)(c) Standard Contractual Clauses, with transfer impact assessments where required. The EU-US Data Privacy Framework is relied on where applicable.
Encryption at rest and in transit uses AWS-managed keys (AWS KMS). Customer-managed keys (CMK/BYOK) are not available on the current Lovable stack and are not represented as available.
6. Excluded — not sub-processors
The following are not considered sub-processors and are not listed above:
Third parties to which the Customer directly grants access (for example, the Customer's own integrations enabled via API).
Service providers that do not process personal information of data subjects (for example, the domain registrar, or internal-only tooling).
Sub-processors further down the chain than the direct and disclosed onward sub-processors above; REtelligent contractually requires its sub-processors to maintain their own sub-processor governance.
7. How to object to a new sub-processor
When REtelligent adds or replaces a sub-processor, it gives at least 30 days' advance notice to the notice contact on the Customer Order Form (email and in-Platform) and updates this page.
If the Customer objects on reasonable privacy or security grounds within the notice period, the Customer should email privacy@retelligent.co with the specific grounds (10 business-day response). REtelligent will discuss in good faith and seek a mutually acceptable alternative. If the parties cannot agree, the Customer may terminate the affected portion of the Service without penalty per the applicable DPA.
8. Change log
Version | Date | Summary |
|---|---|---|
V1.0 | 25 June 2026 | Aligned to Sub-processor Register V1.0. Added UptimeRobot, Catchpoint and Google OAuth; expanded Cloudflare scope; named Gemini versions (2.5 Flash and 3 Flash), Twilio AU1/US1 sub-accounts, the Resend sending domain, and the Supabase buckets and GPS proof_geo handling. Processing region confirmed as AWS eu-central-1 (Frankfurt), correcting an earlier us-east-1 entry. Principal processor named as Lovable Labs Incorporated (United States) per the executed agreements. |