Subprocessors
ZipOrder uses the following third-party services to deliver the product. We maintain this list for transparency under KVKK Article 8 and GDPR Article 28. The "Last updated" line in our Terms of Service is bumped whenever this list changes.
Data location: Primary application data (accounts, catalogs, orders) is processed inside the EU. AI extraction (Gemini) may run from any Google Cloud region; the payload is held only for the duration of the request. US-hosted services operate under Standard Contractual Clauses (SCCs).
| Service | Vendor | Region | Data | Contract |
|---|---|---|---|---|
| Authentication | Supabase, Inc. | EU (Ireland — eu-west-1) | Email, session tokens, hashed password (when set) | Supabase DPA |
| Application database + hosting | Railway Corp. | EU | All application data: users, catalogs, items, orders, notifications, subscription state | Railway DPA |
| Object storage (R2) | Cloudflare, Inc. | EU | Uploaded source documents (flyers, PDFs, spreadsheets) and derived item images | Cloudflare DPA |
| AI extraction (Gemini) | Google LLC | Global (Google Cloud regions) | Source document content sent for processing (transient — not stored beyond the request) | Google AI Studio Terms |
| Push notifications | Expo (650 Industries, Inc.) | United States | Device push tokens, message payloads (notification text) | Expo Privacy Policy |
| Mobile + web product analytics | Google LLC (Firebase Analytics, Google Analytics 4) | Global (Google Cloud) | Anonymous usage events (screen views, button taps, error counts). Sent only after the user grants the on-device analytics opt-in (mobile) or accepts the cookie banner (web) | Google Analytics Terms |
| Subscription billing — mobile (Apple App Store / Google Play) | RevenueCat, Inc. | United States | App user id, platform receipt, subscription state | RevenueCat DPA |
| Subscription billing — web (ZipOrder Pro paid by card) | Stripe Payments Europe Ltd. / Stripe, Inc. | EU + United States | Email, billing name + address (collected by Stripe Checkout), Stripe Customer id, subscription status events. Card details are entered directly on Stripe's hosted checkout page (PCI-DSS Level 1) and never reach ZipOrder servers. Distinct from the per-supplier customer-payments Stripe entry below — this is the ZipOrder platform's own subscription billing. | Stripe Services Agreement |
| Web frontend hosting + CDN | Vercel Inc. | Global (edge — closest region to the visitor) | Static assets, server-rendered HTML for public catalog / profile / order pages, edge request logs (IP, user agent). No application data is stored on Vercel; the backend (Railway) is the source of truth. | Vercel DPA |
| Transactional email | Resend, Inc. | EU + United States | Recipient email, message content (subject + body) | Resend DPA |
| Error monitoring | Functional Software, Inc. (Sentry) | EU + United States | Error stack traces (PII redacted), runtime metadata (no message bodies) | Sentry DPA |
| Customer payments (when supplier opts in) | iyzi Ödeme ve Elektronik Para Hiz. A.Ş. (Iyzico) | Türkiye | Order id, amount, currency, payment status events. Card details NEVER reach ZipOrder — entered directly on Iyzico's hosted checkout page. | Iyzico Merchant Agreement (supplier-side) |
| Customer payments — global (when supplier opts in) | Stripe, Inc. / Stripe Payments Europe Ltd. | EU + United States | Order id, amount, currency, Checkout Session id, payment status events. Card details NEVER reach ZipOrder — entered directly on Stripe's hosted checkout page (PCI-DSS Level 1 compliant). | Stripe Services Agreement (supplier-side) |
| E-invoice / e-archive — Türkiye (when supplier connects it) | Nilvera Yazılım A.Ş. | Türkiye | To issue a fiscal e-invoice / e-archive document: the supplier's legal seller identity (tax id / VKN, tax office, address), the buyer's name and any tax id provided, and the order line items, amounts and tax rates. Sent only for orders where the supplier has connected Nilvera and enabled invoicing. | Nilvera KVKK Policy |
| Accounting / e-invoice — Türkiye (when supplier connects it) | Parasut Yazılım Hizmetleri A.Ş. (Paraşüt) | Türkiye | Same fiscal invoice fields (seller tax identity, buyer name + optional tax id, line items, amounts) forwarded to Paraşüt to create the invoice in the supplier's connected Paraşüt account. | Paraşüt KVKK Notice |
| Accounting / e-invoice — global (when supplier connects it) | Intuit Inc. (QuickBooks Online) | United States + global | Invoice fields (seller identity, customer name + optional tax id, line items, amounts) sent to create an invoice in the supplier's connected QuickBooks Online company. OAuth tokens are stored encrypted; no card data. | Intuit Global Privacy Statement |
| Accounting / e-invoice — global (when supplier connects it) | Xero Limited | Global (AU / EU / US regions) | Invoice fields (seller identity, customer name + optional tax id, line items, amounts) sent to create an invoice in the supplier's connected Xero organisation. OAuth tokens are stored encrypted; no card data. | Xero Data Processing |
Contact: Questions about this list? Write to legal@ziporder.io.