FitFocus uses the following subprocessors to operate the coaching platform, the marketing website, and internal business systems. Each vendor is bound by contractual data-protection terms; standard contractual clauses or equivalent transfer mechanisms are in place where personal data crosses borders.
No third-party analytics, advertising, or session-replay vendors are used on the marketing website in v1.
Core infrastructure
| Vendor | Purpose | Personal data processed | Primary location |
|---|---|---|---|
| Supabase | Managed Postgres database, authentication, storage, realtime, and edge functions for the coach, client, and admin applications. | Account identifiers, credentials, coaching content, health data, messaging, file uploads, audit logs. | Region selected at workspace provisioning. |
| Vercel / Cloudflare | Hosting, CDN, and edge networking for the marketing site and application front ends. | IP addresses, request logs, user agents, technical diagnostics. | Global edge network. |
Billing
| Vendor | Purpose | Personal data processed | Primary location |
|---|---|---|---|
| Stripe | Subscription billing, invoicing, tax, and payment processing. Source of truth for subscription status. | Billing contact details, tax identifiers, payment metadata. Cardholder data is held entirely by Stripe (PCI DSS Level 1). | United States / European Union. |
Transactional email and newsletter
| Vendor | Purpose | Personal data processed | Primary location |
|---|---|---|---|
| Resend | Transactional email (invitations, password resets, notifications) and newsletter delivery. Hosts the audience that powers marketing-site subscription forms and handles unsubscribes. | Recipient email addresses, names, message contents, delivery metadata. | United States / European Union. |
Lead capture and bookings
| Vendor | Purpose | Personal data processed | Primary location |
|---|---|---|---|
| Basin | Source of truth for marketing-website form submissions (contact, newsletter, guide downloads, general demo requests). Handles spam filtering and Slack/email notifications. Syncs newsletter subscribers into Resend via Basin's native integration. | Submission contents (name, email, form fields), IP address, user agent, UTM parameters. | United States. |
| Cal.com | Source of truth for demo bookings. Handles scheduling, reminders, attendee emails, and calendar sync. | Attendee name, email, timezone, booking metadata. | European Union. |
Internal operations
| Vendor | Purpose | Personal data processed | Primary location |
|---|---|---|---|
| Slack | Internal team collaboration. Receives form-submission and booking notifications so the team can respond quickly. | Notification payloads (name, email, form summary) routed to internal channels; no customer credentials. | United States. |
Notification of changes
Enterprise customers with an executed Data Processing Addendum can request advance notification of changes to this list. A change log is maintained internally and reflected on this page within a reasonable period after a change takes effect.
Contact
Questions about subprocessors should be directed to privacy@fitfocus.io.