Subprocessors
ZipOrder uses the following third-party services to deliver the product. We maintain this list for transparency under KVKK Article 8 and GDPR Article 28. The "Last updated" line in our Terms of Service is bumped whenever this list changes.
Data location: Primary application data (accounts, catalogs, orders) is processed inside the EU. AI extraction (Gemini) may run from any Google Cloud region; the payload is held only for the duration of the request. US-hosted services operate under Standard Contractual Clauses (SCCs).
| Service | Vendor | Region | Data | Contract |
|---|---|---|---|---|
| Authentication | Supabase, Inc. | EU (Ireland — eu-west-1) | Email, session tokens, hashed password (when set) | Supabase DPA |
| Application database + hosting | Railway Corp. | EU | All application data: users, catalogs, items, orders, notifications, subscription state | Railway DPA |
| Object storage (R2) | Cloudflare, Inc. | EU | Uploaded source documents (flyers, PDFs, spreadsheets) and derived item images | Cloudflare DPA |
| AI extraction (Gemini) | Google LLC | Global (Google Cloud regions) | Source document content sent for processing (transient — not stored beyond the request) | Google AI Studio Terms |
| Push notifications | Expo (650 Industries, Inc.) | United States | Device push tokens, message payloads (notification text) | Expo Privacy Policy |
| Mobile + web product analytics | Google LLC (Firebase Analytics, Google Analytics 4) | Global (Google Cloud) | Anonymous usage events (screen views, button taps, error counts). Sent only after the user grants the on-device analytics opt-in (mobile) or accepts the cookie banner (web) | Google Analytics Terms |
| Subscription billing | RevenueCat, Inc. | United States | App user id, platform receipt, subscription state | RevenueCat DPA |
| Phone verification (OTP) | Twilio Inc. | United States | Supplier phone number (E.164), one-time codes, delivery status. Used only when the supplier opts into IBAN payments, PSP setup, or other OTP-gated security flows. | Twilio DPA |
| Web frontend hosting + CDN | Vercel Inc. | Global (edge — closest region to the visitor) | Static assets, server-rendered HTML for public catalog / profile / order pages, edge request logs (IP, user agent). No application data is stored on Vercel; the backend (Railway) is the source of truth. | Vercel DPA |
| Transactional email | Resend, Inc. | EU + United States | Recipient email, message content (subject + body) | Resend DPA |
| Error monitoring | Functional Software, Inc. (Sentry) | EU + United States | Error stack traces (PII redacted), runtime metadata (no message bodies) | Sentry DPA |
| Customer payments (when supplier opts in) | iyzi Ödeme ve Elektronik Para Hiz. A.Ş. (Iyzico) | Türkiye | Order id, amount, currency, payment status events. Card details NEVER reach ZipOrder — entered directly on Iyzico's hosted checkout page. | Iyzico Merchant Agreement (supplier-side) |
| Customer payments — global (when supplier opts in) | Stripe, Inc. / Stripe Payments Europe Ltd. | EU + United States | Order id, amount, currency, Checkout Session id, payment status events. Card details NEVER reach ZipOrder — entered directly on Stripe's hosted checkout page (PCI-DSS Level 1 compliant). | Stripe Services Agreement (supplier-side) |
Contact: Questions about this list? Write to legal@ziporder.io.