Subprocessor List
Last updated: 9 May 2026
What Are Subprocessors?
When Clothink Ltd processes your personal data to deliver the Service, we engage certain third-party companies (subprocessors) to assist us. Each subprocessor acts only on our instructions and is contractually required to protect your data and use it solely for the purposes we specify.
For more information about how we use your data and your rights, please see our Privacy Policy.
Current Subprocessors
The table below lists the third-party subprocessors we currently engage, together with the purpose, the categories of personal data processed, the country where processing typically takes place, and a summary of how long categories of data tend to be retained (exact periods depend on vendor defaults, our configuration, and legal obligations — follow each vendor reference for authoritative detail).
| Provider | Purpose | Data processed | Location | Retention (summary) |
|---|---|---|---|---|
| Supabase | Database, authentication, and file storage | Account data, user content, metadata, authentication tokens | United States | Retained while your account is active; deleted or anonymised after closure subject to backups and legal holds per Supabase platform terms. |
| Google (AI Services) | AI content generation (design concepts, mockups, tech packs) | Text prompts, images uploaded for generation | United States | Processing for inference is largely transient; logs and billing metadata may be retained per Google Cloud terms and configuration. |
| Stripe | Payment processing and subscription management | Billing address, payment method details, subscription status | United States / Global | Payment and customer records retained per Stripe obligations and legal requirements (often multi-year for tax and fraud prevention). |
| Vercel | Application hosting and web analytics | Usage data, page views, performance metrics, IP address | United States | Hosting logs and Web Analytics metrics per plan and product settings (analytics reporting windows vary by plan; see Vercel docs). |
| Sentry | Error and performance monitoring | Error logs, stack traces, session replays when errors occur (with text and input masking). No PII intentionally sent. | United States | Issues, replays, and performance data retained per plan and org settings (commonly 30–90 days for errors on paid tiers; verify in Sentry). |
| SendGrid | Transactional email delivery | Email addresses, email message content (e.g. workspace invitations) | United States | Message metadata and delivery records retained per Twilio/SendGrid practices for deliverability, abuse prevention, and legal compliance. |
| Recraft | AI-powered pattern and graphic generation | Text prompts for pattern and graphic generation | United States | Prompts and outputs processed to deliver generation; retained per Recraft policy and product settings. |
| Upstash | Rate limiting and abuse prevention | Hashed request identifiers. No personally identifiable information is stored. | United States | Short-lived counters/TTL-based data for rate limiting; not used as a long-term personal data store. |
| Sanity | Marketing CMS (SEO metadata and optional page copy when configured) | Public marketing content and SEO fields served to browsers; Sanity Studio is operator-only | United States / Global (confirm region in Sanity project settings) | Published marketing content until removed or replaced in CMS; see Sanity privacy notice for platform retention. |
| Provider | Purpose / Data | Retention |
|---|---|---|
| Supabase | Database, authentication, and file storage Account data, user content, metadata, authentication tokens United States | Retained while your account is active; deleted or anonymised after closure subject to backups and legal holds per Supabase platform terms. |
| Google (AI Services) | AI content generation (design concepts, mockups, tech packs) Text prompts, images uploaded for generation United States | Processing for inference is largely transient; logs and billing metadata may be retained per Google Cloud terms and configuration. |
| Stripe | Payment processing and subscription management Billing address, payment method details, subscription status United States / Global | Payment and customer records retained per Stripe obligations and legal requirements (often multi-year for tax and fraud prevention). |
| Vercel | Application hosting and web analytics Usage data, page views, performance metrics, IP address United States | Hosting logs and Web Analytics metrics per plan and product settings (analytics reporting windows vary by plan; see Vercel docs). |
| Sentry | Error and performance monitoring Error logs, stack traces, session replays when errors occur (with text and input masking). No PII intentionally sent. United States | Issues, replays, and performance data retained per plan and org settings (commonly 30–90 days for errors on paid tiers; verify in Sentry). |
| SendGrid | Transactional email delivery Email addresses, email message content (e.g. workspace invitations) United States | Message metadata and delivery records retained per Twilio/SendGrid practices for deliverability, abuse prevention, and legal compliance. |
| Recraft | AI-powered pattern and graphic generation Text prompts for pattern and graphic generation United States | Prompts and outputs processed to deliver generation; retained per Recraft policy and product settings. |
| Upstash | Rate limiting and abuse prevention Hashed request identifiers. No personally identifiable information is stored. United States | Short-lived counters/TTL-based data for rate limiting; not used as a long-term personal data store. |
| Sanity | Marketing CMS (SEO metadata and optional page copy when configured) Public marketing content and SEO fields served to browsers; Sanity Studio is operator-only United States / Global (confirm region in Sanity project settings) | Published marketing content until removed or replaced in CMS; see Sanity privacy notice for platform retention. |
Supabase
Purpose: Database, authentication, and file storage
Data processed: Account data, user content, metadata, authentication tokens
Location: United States
Retention (summary)
Retained while your account is active; deleted or anonymised after closure subject to backups and legal holds per Supabase platform terms.
Google (AI Services)
Purpose: AI content generation (design concepts, mockups, tech packs)
Data processed: Text prompts, images uploaded for generation
Location: United States
Retention (summary)
Processing for inference is largely transient; logs and billing metadata may be retained per Google Cloud terms and configuration.
Stripe
Purpose: Payment processing and subscription management
Data processed: Billing address, payment method details, subscription status
Location: United States / Global
Retention (summary)
Payment and customer records retained per Stripe obligations and legal requirements (often multi-year for tax and fraud prevention).
Vercel
Purpose: Application hosting and web analytics
Data processed: Usage data, page views, performance metrics, IP address
Location: United States
Retention (summary)
Hosting logs and Web Analytics metrics per plan and product settings (analytics reporting windows vary by plan; see Vercel docs).
Sentry
Purpose: Error and performance monitoring
Data processed: Error logs, stack traces, session replays when errors occur (with text and input masking). No PII intentionally sent.
Location: United States
Retention (summary)
Issues, replays, and performance data retained per plan and org settings (commonly 30–90 days for errors on paid tiers; verify in Sentry).
SendGrid
Purpose: Transactional email delivery
Data processed: Email addresses, email message content (e.g. workspace invitations)
Location: United States
Retention (summary)
Message metadata and delivery records retained per Twilio/SendGrid practices for deliverability, abuse prevention, and legal compliance.
Recraft
Purpose: AI-powered pattern and graphic generation
Data processed: Text prompts for pattern and graphic generation
Location: United States
Retention (summary)
Prompts and outputs processed to deliver generation; retained per Recraft policy and product settings.
Upstash
Purpose: Rate limiting and abuse prevention
Data processed: Hashed request identifiers. No personally identifiable information is stored.
Location: United States
Retention (summary)
Short-lived counters/TTL-based data for rate limiting; not used as a long-term personal data store.
Sanity
Purpose: Marketing CMS (SEO metadata and optional page copy when configured)
Data processed: Public marketing content and SEO fields served to browsers; Sanity Studio is operator-only
Location: United States / Global (confirm region in Sanity project settings)
Retention (summary)
Published marketing content until removed or replaced in CMS; see Sanity privacy notice for platform retention.
International Transfers
All subprocessors listed above are currently based in or process data in the United States. Where personal data is transferred outside the UK or EEA, we rely on one or more of the following safeguards:
- UK SCCs / IDTAs:UK-approved Standard Contractual Clauses or International Data Transfer Agreements (IDTAs) approved by the Information Commissioner's Office (ICO), for transfers affecting UK residents.
- EU SCCs: Standard Contractual Clauses adopted by the European Commission (2021/914), for transfers affecting EU/EEA residents.
- Adequacy decisions by the UK government or European Commission where applicable.
Each subprocessor named above maintains its own Data Processing Agreement (DPA) covering the relevant transfer mechanisms. Links to their privacy and DPA documentation are included in the retention column above.
Changes to This List
We review and update this list whenever we add or remove a subprocessor. The “Last updated” date at the top of this page reflects the most recent revision. If you have questions about a specific subprocessor, please contact us through our contact page.
This list is provided for transparency purposes in accordance with UK GDPR and GDPR Article 13/14 requirements. Return to Privacy Policy.