DRAFT — pending legal review. This document has been authored in good faith but has not yet been reviewed by counsel. Content may change before the platform exits beta.
Legal
Subprocessors
The third parties that process FitTrainr data on our behalf, what we share with them, and where they operate.
- Version: v0.1
- Effective: 2026-04-26
- Last updated: 2026-04-26
A subprocessor is a third-party service provider that processes personal data on our behalf in order to deliver part of the FitTrainr Service. Examples include the cloud platform we host on, the payment processor we use to take card details, and the email provider we use to send sign-in links and receipts. Subprocessors are bound by contract — typically a data processing addendum — to handle data only on our instructions and to appropriate security and confidentiality standards.
We list our subprocessors publicly so you can see exactly who has access to which categories of data, and where each one operates. Sharing data with a subprocessor does not mean the subprocessor can use that data for its own purposes — its use is restricted by our agreement with it and by the privacy notices published below.
Notice of changes. We will provide at least thirty (30) days' notice on this page (and, where appropriate, by email to administrators) before adding a new subprocessor with access to personal data. If you are a coach operating in a jurisdiction that requires a right to object to new subprocessors, you may write to us at support@fittrainr.com within the notice window.
Current subprocessors
| Subprocessor | Purpose | Data categories | Region | Privacy policy |
|---|---|---|---|---|
| Google Cloud Platform | Hosting, database, object storage | All platform data | us-central1 (Iowa, USA) | View policy |
| Firebase (Google) | Authentication, push notifications | Auth identifiers, device tokens | Global | View policy |
| Stripe Inc. | Payment processing | Payment method, billing address, transaction history | Global | View policy |
| Resend | Transactional email delivery | Email addresses, message contents | USA | View policy |
| USDA FoodData Central | Public nutrition database (data source, no PII shared) | None | USA | View policy |
| Vertex AI / Gemini (Google) | AI assistant features | Prompts and AI conversation contents | us-central1 | View policy |
How we choose subprocessors
Before engaging a subprocessor we evaluate its security posture, privacy programme, data residency, sub-processing chain, and contractual commitments. We prefer providers with mature compliance programmes (SOC 2 Type II, ISO 27001, or equivalent) and clear data processing terms. We minimise the data shared with each — for example, the USDA FoodData Central source receives no personal data, and our payment processor receives only the data necessary to take payment and prevent fraud.
How we minimise data shared
We follow data minimisation in our integrations. We do not pass full account data to third-party analytics tools, do not embed third-party advertising or tracking scripts on the Service, and do not share message contents with subprocessors other than the infrastructure providers strictly required to deliver and store them. See our Privacy Notice for the full picture.
Questions
For questions about our subprocessors, email support@fittrainr.com.