Last Updated: April 2026
38Hub uses a limited number of third-party service providers ("sub-processors") to help deliver, maintain, and improve our platform. Each sub-processor is carefully selected and contractually obligated to protect your data in accordance with applicable data protection laws, including GDPR.
Below is the current list of sub-processors, their purpose, the location of their data processing, and the categories of data they process on our behalf.
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
Supabase | Database, Authentication, File Storage | Singapore / United States | Account data, content, files, authentication tokens |
Stripe | Payment Processing | United States | Billing data, transaction records, payment method details |
Anthropic (Claude) | AI Content Generation | United States | Content sent for AI processing (scoring, writing, extraction) |
OpenAI (GPT-4o) | AI Content Generation | United States | Content sent for AI processing (scoring, writing, extraction) |
Google (Gemini, Analytics, Search Console) | AI Features, OAuth, YouTube API, Analytics + Search Console integrations | United States | Content for AI processing, authentication tokens, YouTube data, web analytics property metadata when admin connects integrations |
OpenRouter | AI Content Generation (alternate provider) | United States | Content sent for AI processing when OpenRouter is selected as the active provider in Settings |
Upstash (Redis) | Rate Limiting, Caching | Global (regional) | Hashed user identifiers and request counters for rate limiting; short-lived cache values |
Sentry | Error Monitoring | United States / EU | Application error stack traces, user identifier (anonymised), request metadata |
Vercel | Application Hosting, CDN | Global (Edge Network) | Application requests, server logs, deployment artifacts |
Database, Authentication, File Storage
Singapore / United States
Account data, content, files, authentication tokens
Payment Processing
United States
Billing data, transaction records, payment method details
AI Content Generation
United States
Content sent for AI processing (scoring, writing, extraction)
AI Content Generation
United States
Content sent for AI processing (scoring, writing, extraction)
AI Features, OAuth, YouTube API, Analytics + Search Console integrations
United States
Content for AI processing, authentication tokens, YouTube data, web analytics property metadata when admin connects integrations
AI Content Generation (alternate provider)
United States
Content sent for AI processing when OpenRouter is selected as the active provider in Settings
Rate Limiting, Caching
Global (regional)
Hashed user identifiers and request counters for rate limiting; short-lived cache values
Error Monitoring
United States / EU
Application error stack traces, user identifier (anonymised), request metadata
Application Hosting, CDN
Global (Edge Network)
Application requests, server logs, deployment artifacts
We will notify you of any changes to our sub-processors at least 30 days before the change takes effect. This notification will be sent via email to the address associated with your 38Hub account and will also be posted on this page.
If you have a Data Processing Agreement (DPA) with us, you may object to the addition of a new sub-processor within 14 days of receiving the notification. We will work with you in good faith to address any concerns. If we cannot resolve the objection, you may terminate your agreement in accordance with the DPA terms.
All sub-processors listed above are bound by contractual obligations that require them to: