Sub-processors
Last updated: May 9, 2026
What is a sub-processor?
A sub-processor is a third-party service Heeo uses to operate. When you use Heeo, some of your data passes through these services so they can do their part. Each one has its own privacy policy and security practices, linked below.
Current sub-processors
| Vendor | Purpose | Region | Policy |
|---|---|---|---|
| Anthropic | AI model inference (the language model behind builds, chat, and agents). | United States | Policy |
| Vercel | Hosting for heeo.io and customer subdomains; serverless functions. | United States, global edge | Policy |
| Supabase | Primary database (Postgres) and authentication storage. | United States | Policy |
| Stripe | Payment processing, subscriptions, and Connect Standard for customer payouts. | United States, EU | Policy |
| Resend | Transactional email (verification, receipts, support replies). | United States | Policy |
| Sentry | Error monitoring and performance traces. | United States, EU | Policy |
| Apify | Web scraping actors for competitor and market research, where used. | European Union | Policy |
| Upstash | Redis cache, scheduled jobs (QStash), and rate-limiting state. | United States, EU | Policy |
| Railway | Background worker for long-running build pipelines. | United States | Policy |
| Google Workspace | Heeo's own business email at heeo.io. | United States, global | Policy |
International transfers
Some sub-processors are based in the United States. Where personal data of EU/UK users is transferred outside the EEA, we rely on the EU Commission's Standard Contractual Clauses or a relevant adequacy decision (where applicable) for that transfer.
Questions or objections
Email support@heeo.io with the subject “Sub-processor question.” Customers on a Data Processing Agreement (DPA) have separate rights to object to a new sub-processor; those rights are described in the DPA itself.
See also: Privacy Policy · Terms of Service · DMCA & abuse