Sub-processors | ChatIFA

Who we use to deliver the service

ChatIFA relies on the third-party services below to operate. Each one processes a specific, documented slice of data, and we don't share customer or visitor data with any party outside this list without telling you first.

If we add or change a sub-processor, we'll update this page and notify customers at least 14 days before the change takes effect, unless the change is required urgently for security or legal reasons.

Anthropic, PBC

Purpose: Generates AI responses for visitor chat. Conversation messages and the site's system prompt are sent to the Anthropic API for inference.
Data processed: Visitor messages, assistant replies, system prompt (including crawled website content).
Location: United States
Transfer basis: UK International Data Transfer Agreement (IDTA) incorporated into Anthropic's standard terms, plus their UK GDPR addendum.
Privacy policy: Anthropic, PBC privacy policy

OpenAI, Inc.

Purpose: Generates text embeddings of customer website content so the AI can find the most relevant pages to answer each visitor question.
Data processed: Public website content from the customer's site (crawled pages only).
Location: United States
Transfer basis: OpenAI's published UK GDPR addendum with UK IDTA/SCCs for international transfers.
Privacy policy: OpenAI, Inc. privacy policy

Stripe, Inc. (Stripe Payments UK Ltd)

Purpose: Billing and subscription management for customer accounts.
Data processed: Customer billing email, subscription plan, payment metadata. Card details are entered directly into Stripe and never touch ChatIFA's servers.
Location: United Kingdom (Stripe Payments UK Ltd), with US parent processing.
Transfer basis: Stripe's published UK DPA with Standard Contractual Clauses for transfers.
Privacy policy: Stripe, Inc. (Stripe Payments UK Ltd) privacy policy

Brevo (Sendinblue SAS)

Purpose: Transactional emails: sign-in magic links, lead-notification emails to customers, trial-limit notifications.
Data processed: Customer's email address, the recipient's email address, email content.
Location: European Union (France).
Transfer basis: UK adequacy regulations for the EEA cover transfers to France.
Privacy policy: Brevo (Sendinblue SAS) privacy policy

Chroma (self-hosted)

Purpose: Vector database storing embeddings of customer website content. Runs on the same infrastructure as the rest of ChatIFA, not a third-party service.
Data processed: Vector representations of customer website content.
Location: European Union (same VPS as the API).
Transfer basis: UK→EU transfer covered by UK adequacy regulations for the EEA.
Privacy policy: Chroma (self-hosted) privacy policy

Hetzner Online GmbH

Purpose: Hosts the ChatIFA API, database, and vector store.
Data processed: All ChatIFA data at rest: customer accounts, crawled content, visitor conversations, leads.
Location: European Union (Germany).
Transfer basis: UK→EU transfer covered by UK adequacy regulations for the EEA.
Privacy policy: Hetzner Online GmbH privacy policy

Plausible-compatible analytics (self-hosted)

Purpose: Privacy-friendly pageview analytics for the marketing site at chatifa.co.uk. Cookieless, does not track individual visitors.
Data processed: Aggregated pageview counts. No individual identifiers.
Location: European Union (self-hosted on the same Hetzner infrastructure).
Transfer basis: UK→EU transfer covered by UK adequacy regulations for the EEA.
Privacy policy: Plausible-compatible analytics (self-hosted) privacy policy

Questions or objections

If you have concerns about any sub-processor listed above (for example if your firm's compliance policy prohibits a specific provider), contact us at hello@chatifa.co.uk and we'll discuss options. See also our Privacy Policy and Cookie Policy.

Sub-processors.