Current Sub-processors
The following sub-processors are authorised to process personal data on behalf of Lokaly:
| Provider | Purpose | Data Processed | Location | Safeguards |
|---|---|---|---|---|
| Replit (Neon PostgreSQL) | Cloud hosting and database infrastructure | Account data, loyalty activity, authentication | US | SCCs, DPF |
| Stripe | Payment processing for merchant subscriptions | Merchant payment and billing information | US/UK | SCCs, DPF |
| SendGrid (Twilio) | Transactional and marketing emails | Email addresses, names | US | SCCs, DPF |
| Google Cloud Storage | Object storage for images and files | Profile photos, merchant logos | UK/EEA | UK Adequacy |
| Upstash (Redis) | Session management and caching | Session tokens, temporary data | UK/EEA | UK Adequacy |
| Sentry | Error monitoring and debugging | Technical logs, anonymised usage data | US | SCCs, DPF |
| Vercel | Website and API hosting | Request logs, IP addresses | US (edge worldwide) | SCCs, DPF |
| Apple (APNs) | iOS push notifications | Device tokens, notification content | US | SCCs, DPF |
| Google (Firebase Cloud Messaging) | Android push notifications | Device tokens, notification content | US | SCCs, DPF |
Safeguards Explained
- SCCs: Standard Contractual Clauses approved by the UK ICO
- DPF: EU-US / UK-US Data Privacy Framework certification
- UK Adequacy: Provider located in the UK or in a country with a UK adequacy decision
Changes to Sub-processors
We will update this page when we add or change sub-processors. Merchants who have signed our Data Processing Agreement will be notified of material changes in accordance with that agreement.
Questions
If you have questions about our sub-processors, please contact us at privacy@lokaly.co.uk.



