Sub-processors — Subnotice

Processor: MINISAGE TECH LTD
URL: https://subnotice.com/sub-processors
Version: 1.4 · 5 July 2026 — supersedes v1.3 (4 July 2026)

Notify merchants 30 days before adding a new sub-processor. Update this file and the DPA Annex 2 simultaneously.


Current sub-processors

Sub-processor Service Location Data processed
Neon Tech Inc. PostgreSQL database (encrypted at rest) EU — Frankfurt region Shopify session data (user ID, name, email, encrypted access token); shop operational record (billing, plan, DPA acceptance, report quota); customer subscription snapshot (name, email, contract reference, product title, renewal date, billing amount/currency) and reminder audit trail; WooCommerce site record (site URL, hashed token, jurisdiction, reply-to email) and reminder audit trail, once the paid Woo tier is released
Vercel Inc. Application + website hosting, serverless functions (compute, TLS termination) US (region per project config) Same as database, in transit; policy text submitted to the audit API (processed in memory, not stored); standard platform HTTP request logs (IP, path, timestamp)
Resend Inc. Transactional reminder email delivery, delivery/open-event webhooks US Customer name, email address, reminder email content (sent at dispatch time, not persisted by Resend); delivery/bounce/open events
Shopify Inc. Platform OAuth, API, webhooks, App billing Canada / global Merchant staff session via OAuth; Shopify acts as independent controller for its own platform data
Freemius Inc. WooCommerce plugin licensing/billing (paid "Compliance Complete" tier only, not yet released for purchase) US Merchant site URL, hashed API token, declared jurisdiction, reply-to email (once released)

Removed / never used

Sub-processor Reason
Fly.io Not selected
Supabase Inc. Not selected; using Neon instead
Render Services Inc. Listed in v1.1 in error / superseded — hosting is Vercel; never processed production data

Change log

Date Change
2026-05-19 Initial skeleton v1.0
2026-05-26 v1.1 — filled in MINISAGE TECH LTD; confirmed Neon EU + Render US; removed unused Fly/Supabase; moved Resend to planned
2026-07-02 v1.2 — corrected hosting: Render → Vercel Inc. (actual host of app.subnotice.com, subnotice.com, and the /api/audit endpoint); added policy-text-in-transit + platform request logs to Vercel data column (checker/Woo plugin flows). 0 live merchants at time of change — no 30-day notice cycle triggered
2026-07-04 v1.3 — Resend Inc. moved from "planned" to current/active (reminder-email + delivery/open-tracking features shipped and live); this file was stale relative to Privacy Policy v1.2 §4 and DPA v1.1 Annex 2, which already listed Resend as current. 0 live merchants at time of change — no 30-day notice cycle triggered
2026-07-05 v1.4 — added Freemius Inc. (WooCommerce paid-tier licensing/billing, not yet released for purchase — added now so this file and DPA Annex 2 aren't stale relative to Privacy Policy v1.4 the moment it published); corrected Neon's data column to include the customer subscription snapshot and WooCommerce site record (both were already disclosed in Privacy Policy/DPA but missing here); corrected stale "read live, not persisted" framing on Resend's row (customer data is persisted upstream in Neon; Resend itself still doesn't persist it, wording just clarified). 0 live merchants at time of change — no 30-day notice cycle triggered