Sub-processors
Last updated: 30 April 2026
Opnclo uses a small number of carefully vetted third-party providers ("sub-processors") to deliver the Service. Each provider is bound by a Data Processing Agreement (DPA) compliant with Article 28 of the GDPR and only processes personal data for the specific purposes listed below.
This page is updated whenever a sub-processor is added or removed. If you object to the addition of a new sub-processor, you may terminate your subscription before the change takes effect; the change will not be applied retroactively to data already processed under the previous list.
Active sub-processors
| Provider | Purpose | Data processed | Hosting region | DPA |
|---|---|---|---|---|
| Supabase | Database (PostgreSQL), authentication, file storage | Account data, restaurant data, menus, reservations, guest profiles, uploaded images | EU (Frankfurt, Ireland) | View DPA |
| Vercel | Application hosting, serverless functions, CDN | HTTP requests (logs include IP, user-agent), function execution | Global edge; functions pinned to EU regions | View DPA |
| Stripe | Payment processing, subscription management, deposit holds | Billing address, card details (handled exclusively by Stripe — Opnclo never sees card numbers), customer ID, subscription status | EU + US (PCI-DSS, SCCs in place) | View DPA |
| Resend | Transactional email delivery (signup, reservation confirmations, password resets, account deletion confirmations) | Recipient email, sender email, subject, HTML body | EU (Dublin) — region eu-west-1 | View DPA |
| Google (Gemini API) | AI vision for menu OCR, AI translation of menu items into multiple languages | Photos of menus you upload, menu text. Inputs are not used to train Google models per Gemini API Terms. | EU + US (SCCs in place) | View DPA |
| Anthropic (Claude API) | AI enrichment of menu items (descriptions, suggested categorization) | Menu text. Inputs are not used to train Anthropic models per Claude API Terms. | US (SCCs in place) | View DPA |
| Apify | Search engine scraping for restaurant onboarding (discovers your existing online presence) | Restaurant name, city, public website URLs | EU (Czech Republic) + US | Privacy |
| Google Maps Platform | Place autocomplete in restaurant address field, place details on onboarding | Restaurant address you type | EU + US (SCCs in place) | View DPA |
| Google My Business | Optional integration to sync your Google Business Profile (only when you connect it explicitly) | OAuth access token, business listing data, reviews | US (SCCs in place) | View DPA |
| Cloudflare (via providers above) | DNS, DDoS protection, edge caching as part of upstream providers' infrastructure | HTTP requests (caching, anti-abuse) | Global edge | View DPA |
DPA = Data Processing Agreement, the contract under which a sub-processor is bound by GDPR Article 28 obligations.
How we vet a new sub-processor
Before adding a new sub-processor we verify that it:
- publishes a public DPA compliant with GDPR Article 28;
- offers the strictest available regional / data-residency option (EU when available);
- commits to a no-training policy when AI is involved;
- has a credible security posture (SOC 2, ISO 27001 or equivalent, or strong public security documentation).
How we notify you of changes
When we add a new sub-processor or change the role of an existing one, we update this page and announce the change at least 30 days before it takes effect. Notifications go to the primary email address on each Opnclo account.
Subscribe to changes
You can request to be notified of any sub-processor change by emailing privacy@opnclo.com with the subject "Subscribe sub-processor changes". We keep this subscriber list under our retention policy and remove you on request.
Contact
Questions about this list, our sub-processors, or your data: privacy@opnclo.com.