Skip to content

Sub-processors

Effective 22 June 2026

OBJEKT is a small operation that runs on top of well-known infrastructure. This page lists every third party that processes customer data on our behalf, why, and where. We keep it short and we keep it current.

1Current sub-processors.

The third parties below process personal data on our behalf as processors (or sub-processors), under written contracts that include confidentiality, security, and (for transfers out of the EEA/UK) the European Commission’s Standard Contractual Clauses.

Supabase, Inc.

Their policy ↗
Purpose
Authentication, primary database (Postgres), object storage for uploads and outputs.
Data
Account data, profile and brand data, content data (Inputs and Outputs), operational data.
Location
United States / European Union (region pinned at project setup).

Vercel, Inc.

Their policy ↗
Purpose
Application hosting, edge compute, image optimisation, deployment infrastructure.
Data
IP address, user-agent, request metadata. No content stored at rest on Vercel.
Location
Global edge network; primary region in the United States.

Google LLC (Gemini API)

Their policy ↗
Purpose
Generative image inference (primary engine). Product references and prompts are transmitted only for the duration of a generation. Under Google's paid Gemini API terms, submitted content is not used to train Google's models.
Data
Uploaded product references, prompts, generation settings. Outputs are returned to OBJEKT and stored on Supabase, not retained by Google.
Location
United States.

OpenAI, L.L.C. (GPT-Image)

Their policy ↗
Purpose
Generative image inference (fallback engine, used when the primary is unavailable). Inputs are transmitted only for the duration of a generation. Under OpenAI's API terms, API content is not used to train OpenAI's models.
Data
Uploaded product references, prompts, generation settings. Outputs are returned to OBJEKT and stored on Supabase.
Location
United States.

Anthropic, PBC (Claude)

Their policy ↗
Purpose
Prompt direction (refining shot prompts) and internal operations automation. Under Anthropic's commercial API terms, inputs are not used to train Anthropic's models.
Data
Prompt text and brand/style descriptions, operational metadata. No payment data; no uploaded images retained.
Location
United States.

Inngest, Inc.

Their policy ↗
Purpose
Durable background job queue that runs image-generation tasks.
Data
Job metadata and render inputs — generation and user identifiers, prompts, a reference to the stored image. Image bytes live on Supabase, not in the queue.
Location
United States.

Upstash, Inc.

Their policy ↗
Purpose
Rate limiting and short-lived caching (Redis).
Data
IP address / hashed identifiers and request counters, held briefly. No content data.
Location
Region selected at setup.

Stripe, Inc.

Their policy ↗
Purpose
Payment processing, subscription management, billing portal, anti-fraud.
Data
Name, billing address, email, card last-four, country, charge history.
Location
United States / European Union.

Resend, Inc.

Their policy ↗
Purpose
Transactional email (sign-up confirmation, password reset, receipts).
Data
Email address, name, message body, delivery metadata.
Location
United States.

PostHog, Inc. (only if analytics consent given)

Their policy ↗
Purpose
Anonymous product analytics — feature usage, drop-off, error trends.
Data
Anonymous device identifier, route visited, feature events. No content data.
Location
European Union (EU cloud region).

Meta Platforms, Inc. (Meta Pixel — only if analytics consent given)

Their policy ↗
Purpose
Advertising measurement and conversion tracking on our marketing pages. Loads only after analytics cookies are accepted.
Data
Cookie / device identifiers, pages viewed, and conversion events (e.g. sign-up). No uploaded content.
Location
United States.

2How we add new sub-processors.

Before we subscribe a new sub-processor, we (a) check their security posture, (b) put a written contract in place with terms at least as protective as our own commitments to you, and (c) where the sub-processor will receive personal data of EEA/UK users, sign the EU Standard Contractual Clauses (and UK addendum where applicable).

3Notice of change.

When we add or replace a sub-processor that handles meaningful amounts of customer data, we will update this page and, for customers on business plans with an active DPA, email a notice at least 30 days before the change takes effect. If you have a reasonable, documented objection on data-protection grounds, you may raise it at privacy@objekt-ai.com within the notice window.

4Subscribe to updates.

Business-plan customers under a signed DPA receive sub-processor notices automatically. Any other user who wants to be notified can email privacy@objekt-ai.com with the subject “sub-processor updates” and we will add you to the notice list.