Subprocessors
Last updated: 9 July 2026
ReclaimHQ Ltd uses a small number of third-party service providers (subprocessors) to deliver the service. This page lists each subprocessor, what it does for us, what personal data it receives, and where the data is processed. It forms the authorised subprocessor list referenced by our Data Processing Agreement.
Current subprocessors
| Subprocessor | Purpose | Personal data received | Region and transfer mechanism |
|---|---|---|---|
| Supabase | Database, authentication, and file storage (our primary data store) | All application data: account details, Amazon marketplace data, support case content, and uploaded images. Commercially sensitive financial fields are stored as AES-256-GCM ciphertext. | EU region project (we confirm the exact hosting region on request). Provider DPA incorporating UK GDPR safeguards. |
| Vercel | Application hosting, serverless compute, and edge network | Request data in transit, including IP address and derived country. | US/global. Provider DPA incorporating SCCs and the UK Addendum. |
| Stripe | Subscription billing and payment processing | Name, email address, and subscription state. Card details are entered directly with Stripe; we never see or store card numbers. | US/global. Provider DPA incorporating SCCs and the UK Addendum. |
| Anthropic | AI assistant (claims drafting and support) | Conversation content plus the case and order context needed to draft a claim, which can include names or addresses quoted inside Amazon case transcripts. Anthropic's API terms exclude training on customer data. | US. Provider DPA incorporating SCCs and the UK Addendum. |
| Resend | Transactional and marketing email delivery | Email address, first name, and email content. | US. Provider DPA incorporating SCCs and the UK Addendum. |
| Upstash | Rate limiting and abuse protection (Redis) | IP addresses, hashed email identifiers, and user IDs used as rate-limit keys. | US/global. Provider DPA incorporating SCCs and the UK Addendum. |
| Discord | Customer support channel and notifications | Discord user ID, display name, and support conversation content. | US. Provider DPA incorporating SCCs and the UK Addendum. |
| Trustpilot | Review invitations | Name and email address, sent only to invite a review. | EU (Denmark) / US. Provider DPA incorporating UK GDPR safeguards. |
| Ship24 | Parcel tracking (delivery estimates for dispatched stock) | Tracking numbers and courier codes only. No names or addresses. | EU (France). Provider terms incorporating UK GDPR safeguards. |
| UPS | Parcel tracking for UPS parcels | Tracking numbers only. No names or addresses. | US. Provider developer terms incorporating UK GDPR safeguards. |
| Amazon (Selling Partner API) | Marketplace integration you connect. Amazon acts on your own authorisation as the data source for your seller account. | Report and data requests for your own seller account. | US/global. Governed by Amazon's terms; you authorise access directly. |
| eBay | Optional marketplace integration you connect for resale listings. eBay acts on your own authorisation. | Listing content and order data for your own eBay account. | US/global. Governed by eBay's terms; you authorise access directly. |
International transfers
Where a subprocessor processes personal data outside the UK, transfers are made under UK GDPR safeguards: the provider's data processing agreement incorporating the EU Standard Contractual Clauses with the UK Addendum, the UK International Data Transfer Agreement (IDTA), or another lawful transfer mechanism recognised under UK GDPR.
Changes to this list
When we plan to add or replace a subprocessor that will process personal data, we will update this page and notify customers by email at least 30 days before the new subprocessor begins processing, giving you the opportunity to raise a reasonable objection. Minor changes that do not involve personal data (for example, a tooling change with no data access) may be made without notice.
Questions about any subprocessor? Email hello@reclaimhq.uk.