To provide noobtopro (noobto.pro) we use a small number of trusted third-party providers. noobtopro, a sole proprietorship (Einzelunternehmen) under German law, is the controller of your personal data. The providers below act either as our processors (they process data on our instructions) or as independent controllers (they determine their own purposes for certain data). This list supplements our Privacy Policy.
1. Current sub-processors and recipients
| Provider | Role | Purpose | Personal data involved | Processing location | Transfer safeguard | DPA / legal terms |
|---|---|---|---|---|---|---|
| Supabase, Inc. | Processor | Database (Postgres), authentication, and storage | Account and authentication identifiers (email, Google OAuth subject), profile and grading data | USA (AWS us-east-1) | Standard Contractual Clauses (Module 2) + UK Addendum + Transfer Impact Assessment; ISO 27001 and SOC 2 | supabase.com/legal/dpa |
| Groq, Inc. | Processor | LLM inference / AI grading | Typed answers; photos of handwritten work; derived outputs | USA (Google Cloud) | Standard Contractual Clauses (Module 2) + Transfer Impact Assessment; we rely on Groq’s zero-data-retention setting and its no-training commitment | Groq DPA |
| Polar Software, Inc. | Independent controller (Merchant of Record) | Payments, billing, fraud prevention, tax/VAT, and invoicing | Name, email, and billing/transaction data (no full card numbers) | USA | Controller-to-controller under Polar’s own policy and safeguards (Stripe as sub-processor) | polar.sh/legal/privacy |
| Vercel, Inc. | Processor | Hosting / CDN, Web Analytics, and Speed Insights | Request, log, and IP-derived metadata; deployment data | USA (AWS; default US) | EU–US Data Privacy Framework (with UK and Swiss extensions); Standard Contractual Clauses as a fallback | vercel.com/legal/dpa |
| Resend, Inc. | Processor | Transactional email (e.g. the durable-medium acknowledgement we send after a withdrawal, and account-related notices) | Recipient email address and the message content (e.g. the withdrawal acknowledgement) | USA | Standard Contractual Clauses + Transfer Impact Assessment. Currently dormant— email is sent only once the provider is configured (an API key is set); until then no message is transmitted. | Resend DPA |
| Ahrefs (Ahrefs Pte. Ltd., Singapore) | Processor | Privacy-friendly, cookieless web analytics | Aggregated traffic metrics | USA (AWS EC2) | Standard Contractual Clauses (Modules 2/3) + Transfer Impact Assessment; data is transferred to and stored in the United States | Ahrefs DPA |
| Google LLC (Sign in with Google) | Independent controller | Federated authentication | Google account ID/email and authentication tokens | USA | EU–US Data Privacy Framework (Google LLC) and Google’s own safeguards | Google Privacy |
Additional sign-in providers (currently disabled). Our codebase also supports federated sign-in with GitHub and Discord, which would act as independent controllers in the same way as Google. These options are feature-flagged offand not in use today; if we enable them we will add them to this list and update the "Last updated" date.
2. Onward sub-processors
Some of our providers rely on their own infrastructure sub-processors. For information:
- Supabase→ Amazon Web Services (AWS)
- Groq→ Google Cloud (GCP)
- Polar→ Stripe, LLC (USA)
- Vercel→ Amazon Web Services (AWS)
- Ahrefs→ Amazon Web Services (AWS EC2)
3. International data transfers
Several of these providers are located outside the EEA/UK/Switzerland — principally in the United States (Ahrefs, although a Singapore entity, transfers and stores the analytics data on AWS infrastructure in the United States). Whenever we transfer your data there, we rely on an appropriate safeguard: EU–US Data Privacy Framework adequacy for certified recipients (Vercel, Google); or Standard Contractual Clausestogether with the UK Addendum, a Transfer Impact Assessment, and supplementary measures (encryption, data-minimisation, and reliance on zero-retention settings) for Supabase, Groq, Ahrefs, and Resend (the dormant transactional-email provider). For payments, Polar acts as Merchant of Record and independent controller under its own policy (with Stripe). You can request a copy of the relevant safeguards at [email protected].
The EU–US Data Privacy Framework is currently under appeal before the EU courts (Case C-703/25 P). We monitor this and maintain Standard Contractual Clauses as a fallback safeguard for the DPF-certified recipients above.
4. Changes to this list
We may add or replace sub-processors as the Service evolves. We will give at least 30 days’ advance noticeof a new sub-processor — by updating this page and, where appropriate, by email — so that you have an opportunity to object before the change takes effect. This list was last updated on 19 June 2026. For more on how we handle your data, see our Privacy Policy.
5. Contact
Questions about our sub-processors: [email protected] — noobtopro, Cologne (Köln), Germany.