Sub-processors
This page lists the third-party companies (sub-processors) that handle StudySec personal information on our behalf. We use only the providers we strictly need to deliver the service to you. Each one is bound by a written agreement that requires them to handle your information only on our instructions, to protect it with appropriate security, and to comply with UK and EU data protection law.
We give you at least 30 days' notice by email before adding any new sub-processor that handles your personal information. If you do not want your data processed by a new sub-processor, you can close your account before the change takes effect.
If you have any questions about this list or our use of any sub-processor, email privacy@studysec.app.
At launch
Supabase
What they do: hosts our database, file storage, authentication, and realtime services.
Where they are based: European Union (Frankfurt, Germany).
What they see: everything stored in StudySec, because they host it. They cannot access it without the keys we hold.
Legal basis for transfer: within the EU; no restricted transfer.
Agreement in place: Supabase Data Processing Addendum, incorporated into the Supabase Terms of Service.
Vercel
What they do: hosts the StudySec web application and runs the server functions that power it.
Where they are based: globally distributed edge network, with EU primary regions configured for processing personal data.
What they see: requests and responses passing through our application — not the contents of our database.
Legal basis for transfer: EU Standard Contractual Clauses (2021) and UK Addendum where US edges are involved.
Agreement in place: Vercel Data Processing Addendum.
Trigger.dev
What they do: runs background jobs for document processing (file extraction, OCR, note generation).
Where they are based: EU-proximate execution.
What they see: document text and intermediate outputs during job execution.
Legal basis for transfer: within the EU.
Agreement in place: Trigger.dev Data Processing Addendum.
AWS Textract
What they do: extracts text from scanned PDFs and image files that we cannot read directly.
Where they are based: EU (Ireland — eu-west-1).
What they see: the image pages of scanned documents we send for OCR.
Legal basis for transfer: within the EU; AWS GDPR DPA and SCCs in place.
Agreement in place: AWS GDPR Data Processing Addendum.
Anthropic (Claude)
What they do: powers StudySec's AI agents (onboarding, document organisation, note generation, research synthesis, planning, quiz generation).
Where they are based: United States.
What they see: prompts and context we send to generate AI responses — excerpts of your documents, your notes, your queries, and the relevant context for the task. They do not see your raw stored files.
Legal basis for transfer: EU-US Data Privacy Framework (where Anthropic is certified) and EU Standard Contractual Clauses (2021) with UK Addendum as a back-up. We also maintain a Transfer Impact Assessment.
Agreement in place: Anthropic Commercial Terms with Data Processing Agreement.
Retention: Anthropic retains inputs and outputs of our API requests on their backend systems for a short standard period — at the time of this page, 30 days — after which they are deleted. Content is not used to train AI models.
Note on safety retention: Anthropic may retain content for up to 2 years if their automated safety systems flag it as a possible policy violation or if they are legally compelled. This is an industry-standard safety provision that applies to all uses of their service. We disclose it here for transparency.
Perplexity
What they do: powers the web search component of the research feature.
Where they are based: United States.
What they see: your research query (the text of what you ask). They do not see your notes — your notes are never sent to Perplexity.
Legal basis for transfer: EU-US Data Privacy Framework and SCCs.
Agreement in place: Perplexity API Data Processing Addendum. Zero Data Retention is in place for the Sonar API.
Voyage AI
What they do: converts your notes into numerical embeddings to enable semantic search.
Where they are based: United States.
What they see: the text of each note when it is sent to be embedded. They return a vector and do not retain the original text.
Legal basis for transfer: EU Standard Contractual Clauses.
Agreement in place: Voyage AI standard processor terms.
Stripe
What they do: processes subscription payments.
Where they are based: globally, with EU processing for EU customers.
What they see: your email address, your card details (which they collect directly from you on their hosted checkout form — we never see them), and your subscription history.
Legal basis for transfer: EU-US Data Privacy Framework, SCCs, and Stripe's standard architecture for EU customers.
Agreement in place: Stripe Data Processing Agreement.
Resend
What they do: sends transactional and marketing emails.
Where they are based: globally distributed; primarily United States.
What they see: your email address and the contents of any email we send you.
Legal basis for transfer: EU Standard Contractual Clauses.
Agreement in place: Resend Data Processing Addendum.
Plausible
What they do: provides cookieless, privacy-respecting website analytics for studysec.app.
Where they are based: European Union (Germany).
What they see: anonymous, aggregate metrics only — page visited, referrer, approximate country, and device type. No cookies are set. No fingerprinting. No data that can identify an individual.
Legal basis for transfer: within the EU; no restricted transfer.
Agreement in place: Plausible Data Processing Agreement.
Post-beta (when the Google integrations launch)
Google (Calendar and Drive)
What they do: optional integrations — Google Calendar (read at all tiers, write on Pro with per-session approval) and Google Drive (file import using the narrow drive.file OAuth scope).
Where they are based: globally, with EU regions configured.
What they see: depending on the scope you authorise. We use the narrowest possible scopes.
Legal basis for transfer: Google's standard data processing terms; SCCs.
Agreement in place: Google Cloud Data Processing Addendum, auto-incorporated when we set up the OAuth project.
Our EU representative
Because Microflow Enablement Ltd is established in the United Kingdom but offers services to data subjects in the European Union, we have appointed an EU representative under Article 27 of the EU GDPR.
Representative: iuro Rechtsanwälte GmbH (trading as Prighter)
EU address: Schellinggasse 3, 1010 Vienna, Austria
How to contact them: EU data subjects can submit a data subject request or raise a data protection concern directly via Prighter’s portal at app.prighter.com/portal/12978750567, or contact us directly at privacy@studysec.app.
How we choose sub-processors
We add a sub-processor only when:
- We genuinely need to (not for convenience or marginal value).
- They have a published, current data processing agreement that complies with UK and EU GDPR.
- They have appropriate security certifications (SOC 2, ISO 27001) or equivalent.
- Where they operate outside the UK and EU, they have a recognised legal mechanism for international transfers in place.
- Their use does not introduce material new risks to our users' personal information.
We document each decision internally in our Record of Processing Activities.
Questions? Email privacy@studysec.app. We aim to respond within five working days.
This page should be read alongside our Privacy Policy.