Subprocessors
Last updated: May 3, 2026
To deliver the Contexo Service we rely on a small set of third-party providers ("subprocessors"). Each acts on our instructions under written agreements that include the data-protection commitments required by applicable law (including GDPR Art. 28 where relevant).
1. Current subprocessors
| Provider | Purpose | Data processed | Region |
|---|---|---|---|
| Supabase Inc. (supabase.com/privacy) | Managed PostgreSQL, authentication, object storage, vector indexes. | Account credentials, customer content (documents, embeddings), chat sessions and messages, billing and quota records. | United States / Customer-selectable regions |
| Google LLC (Gemini API) (ai.google.dev/terms) | Large-language-model inference and embeddings for the RAG pipeline. | Visitor messages, retrieved context chunks, system prompts. Per Google's paid-API terms, this content is not used to train Google's foundation models. | United States / Multi-region |
| Lemon Squeezy LLC (lemonsqueezy.com/privacy) | Merchant of record: payments, subscription management, tax calculation, invoicing, refunds. | Customer email and billing details, payment instrument metadata, transaction history. Card data stays with their PCI-compliant processors and never reaches Contexo. | United States / EU |
| Render | Application hosting, networking, TLS termination, log aggregation. | All traffic to and from the Contexo dashboard, API, and widgets. | [REGION] |
| Brevo | Transactional email (account, billing, security notifications). | Recipient email address and message content. | [REGION] |
The placeholders above must be replaced with the providers actually used in production before this page is published.
2. Where data is processed
Personal data may be transferred to and processed in countries other than the one in which you live, including the United States. Where personal data is exported from the EU, EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (and the UK IDTA where relevant), supplemented by appropriate technical and organizational measures.
3. Notice of new subprocessors
We will publish updates to this list before engaging a new subprocessor. Customers on plans that include a Data Processing Addendum will receive at least 14 days' advance notice by email; if they object on reasonable data-protection grounds, they may terminate the affected subscription with a pro-rata refund of unused fees as their sole remedy.
4. Customer's own subprocessors
Customers who connect additional integrations (for example, by configuring webhooks to their own systems or pointing the widget at a CDN-served document) are responsible for those onward transfers. Those targets are not Contexo subprocessors.
5. Contact
For DPA requests or questions about this list, email legal@contexo.ai.
