Subprocessors
A complete and current list of every third-party service ClauseClear relies on to deliver its product, including processing region and the personal data each one sees. We update this page whenever we add, change, or remove a subprocessor.
Last updated:
What this page is
ClauseClear is operated by PJ Consulting Group Ltd (the data controller). To deliver the product we use several third-party services that process personal data on our behalf — each of which is a “subprocessor” under UK GDPR Article 28. Listing them publicly is both a regulatory requirement and, in our view, a basic act of transparency.
Every subprocessor below has been assessed against the data-processing safeguards required by UK GDPR. We choose vendors that hold recognised security certifications (SOC 2, ISO 27001) and EU-region data residency wherever practicable.
Current subprocessor list
| Subprocessor | Purpose | Region | Data seen |
|---|---|---|---|
| Vercel Inc. | Web hosting, edge CDN, serverless function execution | Global edge with EU primary; Vercel is SOC 2 Type II + ISO 27001 certified | Public web traffic, request logs (IP, user-agent), cached HTTP responses |
| Supabase Inc. | Postgres database, authentication, row-level security | Frankfurt, Germany (EU) | Merchant account records (name, sector, contact email), audit results, hash-check history |
| Anthropic PBC | AI model inference for the Simpler Terms translator (Claude Haiku) | United States and United Kingdom (Anthropic operates UK and US data residency) | Submitted Terms & Conditions text (transient — Anthropic does not retain inference inputs for model training under our enterprise terms) |
| Resend Inc. | Transactional email delivery (welcome, change-detection alerts) | Ireland (eu-west-1) | Recipient email address, subject and body of transactional emails |
| GoDaddy.com LLC | Domain registrar (clauseclear.co.uk) and DNS hosting | United Kingdom | DNS records only — no user data |
| Microsoft Corporation | Inbound email at hello@clauseclear.co.uk and shiv@clauseclear.co.uk via Microsoft 365; SSO sign-in option | European Union (M365 data residency in EU) | Inbound email content; for SSO sign-in: name, email, profile photo |
| Google LLC | SSO sign-in option for merchant accounts (Google OAuth) | Global, with EU data residency | For SSO sign-in only: name, email address, profile photo |
What ClauseClear does NOT do
- We do not sell personal data to advertisers or third-party marketers.
- We do not use shopper or merchant data to train AI models.
- We do not transfer data to any subprocessor not listed above, except as required by UK / EU law (e.g. court order).
- We do not use shopper data outside of running the Simpler Terms translator.
Notification of changes
When we add a new subprocessor, replace one, or change the region a subprocessor operates in, we update this page and notify Enterprise customers under signed contract via the contact email on their account, at least 30 days before the change takes effect, in line with our Data Processing Agreement.
Self-serve customers can subscribe to changes by emailing hello@clauseclear.co.uk.
Questions
For data-protection questions about how a particular subprocessor handles your data, contact hello@clauseclear.co.uk.