Privacy Request Back to vaicat
📅 Last Updated: January 20, 2026 🔒 GDPR Article 28

Subprocessor List

Third-party service providers who process personal data on our behalf. This list is maintained in accordance with GDPR Article 28 transparency requirements.

🔒
Privacy-First Architecture: We minimize the use of third-party processors. Our mobile apps process most data on-device, and our analytics are session-based without persistent user tracking.
Key Points
  • All subprocessors have signed Data Processing Agreements
  • We notify users of material subprocessor changes
  • Most processors are EU-based or have EU data centers
  • You can object to new subprocessors
Contents

1. Infrastructure & Hosting

Our primary infrastructure providers who host and process data:

Provider Location Purpose Data Processed
Hosting Provider
(Self-managed EU infrastructure)		 Netherlands / EU Web hosting, database, application servers All platform data
🇪🇺
EU Data Residency: All primary data is stored and processed within the European Union. We do not transfer primary user data outside the EU/EEA.

2. Apple Services

Our iOS applications integrate with Apple's services for core functionality:

Service Location Purpose Data Processed
Apple Push Notification Service (APNs) Global (Apple data centers) Deliver push notifications to iOS devices Device tokens, notification content
App Attest Global (Apple data centers) Device integrity verification for security Device attestation data (anonymous)
Sign in with Apple Global (Apple data centers) User authentication Email (can be hidden), user identifier
StoreKit (In-App Purchases) Global (Apple data centers) Process in-app purchases Transaction data, purchase receipts
Apple Foundation Models On-device only CathAI assistant (mEUvy) None (processed locally)

Apple Privacy: Apple Privacy Policy

🔒
On-Device Processing: CathAI uses Apple Foundation Models which run entirely on your device. No AI processing data is sent to Apple or vaicat servers.

3. CDN & Asset Delivery

Content delivery networks used to efficiently serve static assets:

Provider Location Purpose Data Processed
Google Fonts
Google LLC		 Global CDN (EU nodes available) Web font delivery IP address, user agent (for font optimization)
Cloudflare
Cloudflare, Inc.		 Global CDN (EU nodes available) JavaScript library delivery (GSAP) IP address, request metadata
jsDelivr
Prospect One		 Global CDN Open-source library delivery IP address, request metadata

Privacy Policies:

4. Email Services

Email delivery for transactional and service communications:

Provider Location Purpose Data Processed
SMTP Provider
(Configured via hosting)		 EU Transactional email delivery Email addresses, message content

Email Types Sent:

  • Authentication emails (magic links, verification)
  • GDPR request confirmations
  • Account notifications
  • Security alerts

5. Security Services

Services that help protect our platform and users:

Service Location Purpose Data Processed
SSL/TLS Certificates EU Encrypt data in transit None (encryption only)
Internal Error Logging EU (self-hosted) Application error tracking Error details, stack traces (no PII)

6. Changes & Notification

6.1 Notification of Changes

We will notify you of material changes to our subprocessor list:

  • New subprocessors: 30 days advance notice before engagement
  • Removal of subprocessors: Updated on this page
  • Change of purpose: 30 days advance notice

6.2 How We Notify

  • Update to this page with "Last Updated" date
  • Email notification to subscribed users (optional)
  • In-app notification for material changes

6.3 Your Right to Object

Under GDPR, you may object to new subprocessors. To object:

  • Contact us within 30 days of notification
  • We will work to address your concerns
  • If we cannot resolve the objection, you may terminate your account

6.4 Subscribe to Updates

To receive notifications about subprocessor changes, email privacy@vaicat.com with subject "Subscribe to Subprocessor Updates".

7. International Data Transfers

7.1 EU Data Residency

Our primary data processing occurs within the EU. We prioritize:

  • EU-based infrastructure and hosting
  • Subprocessors with EU data centers
  • On-device processing where possible

7.2 Transfer Mechanisms

Where data is transferred outside the EU/EEA (e.g., CDN requests to global networks), we rely on:

  • EU-US Data Privacy Framework – For US-based providers certified under the framework
  • Standard Contractual Clauses (SCCs) – EU Commission-approved data transfer agreements
  • Adequacy decisions – Where the EU has determined adequate protection exists

7.3 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) for transfers to countries without adequacy decisions, evaluating:

  • Local laws and government access
  • Supplementary measures in place
  • Risk to data subjects

8. Services We Do NOT Use

For transparency, we explicitly do not use the following common services:

Category Services NOT Used
Analytics Google Analytics, Mixpanel, Amplitude, Heap
Advertising Google Ads, Facebook Pixel, AdMob, any ad networks
Attribution AppsFlyer, Adjust, Branch
Third-Party Auth Auth0, Firebase Auth, Okta (we use Apple Sign-In only)
Cloud AI OpenAI, Google AI, AWS AI (CathAI is on-device only)
External CRM Salesforce, HubSpot, Intercom
Third-Party Crash Reporting Firebase Crashlytics, Sentry, Bugsnag (we use internal logging)
Subprocessor Inquiries
Privacy & Data Protection privacy@vaicat.com
General Support support@vaicat.com