Last updated: 2026-05-16
Subprocessor List
This page lists every third party that processes personal data on behalf of Gila (operated by Sezen Soykut, sole-trader, Türkiye). Each provider acts as a data processor under a written data-processing agreement (DPA) and may only use your data on our instructions.
The Gila mobile app and the gila.coach website are operated by Gila as the controller. The providers below are subprocessors — they do not decide what to do with your data; we do.
If you want to understand exactly what each subprocessor receives and why, the per-activity detail is in our Records of Processing Activities (sections 3 and 4) and our Transfer Impact Assessment dated 2026-05-16.
Status legend
- DPA in place — Yes = signed DPA on file; Verify = procurement check pending before Phase 2 publish.
- DPF status — refers to certification under the EU-US Data Privacy Framework (and its UK Extension / Swiss-US version). Verify = listing must be re-checked at dataprivacyframework.gov/list before each publish.
- Last reviewed — the date our DPO last confirmed the subprocessor's status and DPA terms.
1. Core platform subprocessors
| Subprocessor | Role | Region | Data shared | DPA in place | DPF status | Last reviewed |
|---|---|---|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage, edge functions, realtime — the core platform Gila is built on | United States — Ohio (us-east-2, AWS) | All app and account data, including special-category health data (weight, medication, side effects, mood, food, journal, photos) | Yes — Verify signed copy | Verify | 2026-05-16 |
| Amazon Web Services, Inc. (AWS) | Underlying infrastructure host for Supabase (managed RDS, S3, EBS); sub-processor of Supabase | United States — Ohio | Same as Supabase, encrypted at rest by AWS-managed keys | Inherited via Supabase DPA | Yes (Google + AWS DPF-certified) — Verify | 2026-05-16 |
| Vercel Inc. | Hosts the gila.coach website + Next.js edge functions + middleware | United States primary, global edge | Request headers, transient IP, edge-function execution traces, form submissions in transit | Yes | Verify | 2026-05-16 |
| Cloudflare, Inc. | Bot protection (Turnstile) on public forms; CDN in front of Supabase project endpoints | Global edge | Browser challenge tokens, transient IP and request signals during challenge | Yes | Verify | 2026-05-16 |
2. Messaging and email subprocessors
| Subprocessor | Role | Region | Data shared | DPA in place | DPF status | Last reviewed |
|---|---|---|---|---|---|---|
| Google LLC (Firebase / FCM) | Push notifications to iOS and Android devices | United States | Device push token, generic push payload (intentionally non-revealing of health content) | Yes — Google DPA | Yes (Google DPF-certified) — Verify | 2026-05-16 |
| Apple Push Notification Service (Apple Inc.) | Onward push delivery to iOS devices; sub-processor of Firebase | United States | Push payload in transit | Inherited via Firebase | n/a (sub-processor) | 2026-05-16 |
| Resend, Inc. | Transactional email (welcome, deletion verification, password reset, milestone) and marketing email (with consent) | United States (EU region available — not in use) | Email address, first name, locale, template variables | Yes — Resend DPA | Verify | 2026-05-16 |
| Beehiiv, Inc. | Newsletter platform for subscribers (operated through the newsletter Supabase project + Beehiiv) | United States | Email, first name, signup source, UTM, custom fields, subscription status, opens/clicks | Yes — Beehiiv DPA — Verify | Verify | 2026-05-16 |
3. AI subprocessors
| Subprocessor | Role | Region | Data shared | DPA in place | DPF status | Last reviewed |
|---|---|---|---|---|---|---|
| Google LLC (Gemini API, via @google/genai) | Primary AI provider for 13 features: food vision, activity-goal AI, nutrition-goal AI, habit suggestions, onboarding "wow moment", weekly narrative report, health analysis, weekly briefing, habit-signal agent, community-submission safety review (habit + stack), journal embeddings (via embedding-001), QA evaluation judge, and as a co-provider in the Habit Lab playground | United States (Google global infrastructure with US primary) | Per-request contextual snapshot — profile excerpt, recent activity, optional images. No advertising data. Google's API terms state these prompts are not used to train Google's foundation models | Yes — Google Cloud DPA + Gemini API ToS with "no training" flag | Yes (Google DPF-certified) — Verify | 2026-05-16 |
| Anthropic, PBC (Claude API) | LLM provider for the Habit Lab playground (Haiku / Sonnet / Opus, user-facing inside lib/features/habit_playground/), the internal QA evaluation pipeline (eval-score, Sonnet judge — not user-facing), and as an A/B opt-in path inside food vision (provider param, default off in production) | United States | Per-request prompts — contextual snippets, no user identifier transmitted. Anthropic's Commercial Terms commit that customer data submitted via the API is not used to train Anthropic's models | Yes — Anthropic Commercial Terms (online accept) + DPA available on request | Yes — Anthropic is DPF-certified (verify at dataprivacyframework.gov/list each cycle) | 2026-05-16 |
| OpenAI, L.L.C. (GPT API) | LLM provider for the food-vision A/B opt-in path only — server-controlled provider param, default off in production. We pre-disclose OpenAI as a conditional provider so any future default change is already covered. | United States | Per-request prompts — image + meal context, no user identifier transmitted. OpenAI's Business Terms (which govern API usage) commit that customer data is not used to train OpenAI's models by default | Yes — OpenAI Business Terms include DPA — Verify signed copy | Verify | 2026-05-16 |
| Perplexity AI, Inc. | Source-grounded research (sonar-pro) used by the habit-signal agent for habit citations and as a research fallback path inside food vision for ambiguous foods | United States | Anonymised topical queries only — no user identifier passed by design | Verify | Verify | 2026-05-16 |
4. Nutrition data subprocessor
| Subprocessor | Role | Region | Data shared | DPA in place | DPF status | Last reviewed |
|---|---|---|---|---|---|---|
| FatSecret (Secret Industries Pty Ltd) | Nutrition database lookups for food search and barcode scan | United States | Food search query strings only — no user identifier passed (OAuth 1.0 HMAC-SHA1) | Yes — Premier Free tier terms | Verify | 2026-05-16 |
5. Observability subprocessors
| Subprocessor | Role | Region | Data shared | DPA in place | DPF status | Last reviewed |
|---|---|---|---|---|---|---|
| PostHog Inc. | Product analytics — screen views, event names, feature-flag exposure | United States (EU region available — under evaluation) | Hashed user identifier; screen and event names; device + OS + locale + app version. Health data, medication strings, calorie values, journal text, email, and name are excluded by design | Yes — PostHog DPA | Verify | 2026-05-16 |
| Functional Software, Inc. (Sentry) | Error tracking and performance monitoring | United States (EU region available — under evaluation) | Hashed user identifier; error message and stack trace; PII-scrubbed breadcrumbs; performance traces. Email, name, and Article 9 attributes are scrubbed | Yes — Sentry DPA — Verify | Verify | 2026-05-16 |
6. Commercial subprocessors
| Subprocessor | Role | Region | Data shared | DPA in place | DPF status | Last reviewed |
|---|---|---|---|---|---|---|
| RevenueCat, Inc. | Subscription management — disclosed conditionally because the paywall has not shipped to production yet. Will become an active subprocessor when the in-app paywall enables (see decision-log item #17) | United States | Hashed app_user_id; subscription tier, status, dates; store-side transaction identifiers (App Store transaction id, Play Store purchase token). Payment card data is never sent — Apple and Google handle payment | Yes — RevenueCat DPA — Verify | Verify | 2026-05-16 |
7. On-device data sources (not subprocessors of Gila)
These platforms hold the data on your device until you grant Gila permission to read specific aggregates. They are not processors of Gila data and are listed here for transparency.
| Provider | Role | Data scope |
|---|---|---|
| Apple HealthKit (Apple Inc.) | iOS health data store | Steps, active minutes, sleep, heart rate, weight — only the per-day aggregate is uploaded to Gila, with your explicit consent |
| Health Connect (Google) | Android health data store | Same as HealthKit, on Android |
8. When we add or remove a subprocessor
We commit to telling you at least 30 days before any material change to this list — that means before a new subprocessor receives data, or before we move an existing one to a new region.
Notice channels:
- In-app banner the next time you sign in;
- Email notice to every account holder (using the email on file, regardless of marketing opt-in — this is a service-critical disclosure);
- A change-log entry at the bottom of this page.
If you object to a new subprocessor during the 30-day notice period, you can delete your account at /delete-account before the change takes effect and your data will be removed (subject to the 30-day backup rollover described in the Privacy Policy).
We will follow the same notice procedure when we remove a subprocessor from the list.
9. Cross-border transfer mechanism
Every subprocessor above is reached through the transfer mechanism summarised in section 5 of the Privacy Policy:
- EU / EEA users — Standard Contractual Clauses (SCC) Module 2 + EU-US Data Privacy Framework (where the provider is certified) + supplementary measures (encryption in transit and at rest, row-level security, data minimisation per request, hashed identifiers in telemetry).
- UK users — UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
- Swiss users — Swiss-US DPF where the provider is certified, otherwise revFADP-compatible SCCs.
- Türkiye users — explicit consent under KVKK Article 9, captured at onboarding and recorded in our consent log. We cannot serve the app without this consent because the data must travel to the US to run.
- Brazil users — LGPD Article 33 with specific consent and ANPD-aligned SCCs.
- Canada users — PIPEDA accountability transfer; we remain liable.
- Australia users — APP 8 cross-border disclosure with reasonable-steps obligation discharged via the subprocessor DPAs and the Transfer Impact Assessment.
Full per-importer analysis (FISA §702 / CLOUD Act exposure, European Essential Guarantees, supplementary measures, residual risk verdict) is in our internal Transfer Impact Assessment dated 2026-05-16.
10. Questions
If a service is listed on the gila.coach website or in the Gila mobile app that does not appear on this page, please tell us — write to dpo@gila.coach and we will either add it or remove it from the product.
Change log
| Version | Date | Summary |
|---|---|---|
| 1.0 | 2026-05-16 | Initial publication. Covers 13 active subprocessors plus AWS (sub-processor of Supabase), Apple Push (sub-processor of Firebase), and the two on-device health platforms. Conditional disclosure for RevenueCat (active when paywall ships). 30-day change-notice commitment established. |
| 1.1 | 2026-05-16 | Phase 6 wrap-up (decision-log #18). Added Anthropic Claude as a user-facing AI subprocessor (Habit Lab + QA judge + food-vision A/B opt-in) and OpenAI as a conditional AI subprocessor (food-vision A/B opt-in only, default off). Expanded Gemini row to enumerate the 13 features it powers. No subprocessor was added to the active default data flow — Claude is active in Habit Lab; OpenAI remains off-by-default. |