Sub-processors
Last updated: 30 May 2026
Sufleur uses a small number of third-party services ("sub-processors") to operate our platform. This page lists each one, what they help us do, what personal data they handle, and where they're located.
If you have any questions, you can reach us at tom@sufleur.com.
Always-on sub-processors
These handle data for every account.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Hetzner Online | Cloud hosting (servers, object storage, backups) | All application data, including account details, workspaces, prompts, system logs, and database backups | Germany (EU) |
| Cloudflare | DNS, reverse proxy, SSL/TLS termination, Zero Trust access controls | IP addresses, request metadata, TLS handshakes | United States, with global edge locations |
| GitHub | OAuth identity provider for "Sign in with GitHub" | GitHub user identifier, username, email address, and avatar URL shared during the OAuth sign-in flow | United States |
| Polar | Payment processing and merchant of record for paid subscriptions | Billing contact information, transaction history, payment metadata. Card details are tokenised and never stored by Sufleur. | United States |
| Resend | Transactional email delivery (account verification, password resets, workspace invitations) | Recipient email addresses, names, message content, delivery logs | United States |
| PostHog | Product analytics — understanding how Sufleur is used so we can improve it | Pseudonymous user identifiers, IP addresses, behavioural events | Germany (EU Cloud) |
| Namecheap | Hosting our support inbox at tom@sufleur.com (PrivateEmail service) | Email correspondence from users who contact us for support | United States |
LLM inference providers
These only process data when your workspace has configured a provider's API key and a member runs a prompt against it. If your workspace has not connected an LLM provider, none of these process any of your data.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Anthropic | LLM inference (Claude models) when running prompts against a configured Anthropic key | Prompt content, system messages, and variable values submitted with the run request | United States |
| OpenAI | LLM inference (GPT models) when running prompts against a configured OpenAI key | Prompt content, system messages, and variable values submitted with the run request | United States |
| LLM inference (Gemini models) when running prompts against a configured Google key | Prompt content, system messages, and variable values submitted with the run request | United States |
The API call originates from Sufleur's backend using the API key your workspace has configured, and the provider you've chosen processes the request under its own terms. Sufleur also stores a record of each test run — the prompts sent, the variable values, and the model response — in your workspace, so you can review past runs.
International data transfers
Where personal data is transferred outside the United Kingdom and the European Economic Area — primarily to our United States-based sub-processors — we rely on appropriate safeguards as required by UK GDPR and EU GDPR. These typically include Standard Contractual Clauses (SCCs) and, where applicable, the UK Extension to the EU-US Data Privacy Framework.
Changes to this list
We'll update this page whenever we add, remove, or replace a sub-processor. For users with active paid subscriptions, we'll provide at least 30 days' notice by email before any new sub-processor begins processing personal data, giving you the opportunity to raise concerns or cancel your subscription if you object.
Contact
For any questions about how we handle data or about a specific sub-processor, please email us at tom@sufleur.com.