Sub-Processors
Emily Politics — Sinatra AI Ltd
Last updated: 24 March 2026
Sinatra AI Ltd (“we”, “us”) uses the following third-party sub-processors to deliver the Emily Politics service. Each sub-processor is bound by a Data Processing Agreement (DPA) and processes data only as instructed by us and for the purposes described below.
We will update this list when sub-processors change and notify affected customers of material changes in accordance with our Privacy Policy.
Current Sub-Processors
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, user management | Account data, conversations, engagements, documents, stakeholder records | EU |
| Vercel Inc. | Web application hosting, serverless functions, cron jobs | HTTP request logs, IP addresses (transient) | EU (London) |
| Amazon Web Services (AWS) | AI agent runtime (OpenClaw gateway), agent workspaces | Conversation history, agent memory, generated documents | EU (Stockholm) |
| Google LLC (Gemini API) | AI language model for chat, briefings, and document generation; text embeddings for semantic search | User prompts, parliamentary context data (not used for model training per Google API ToS) | EU/US |
| Stripe Inc. | Payment processing, subscription management | Payment card details (tokenised — we never see full card numbers), billing address, transaction history | EU/US (PCI-DSS Level 1) |
| Resend Inc. | Transactional email delivery (welcome, briefings, alerts, billing notifications) | Email address, email content | EU |
| Qdrant | Vector database for semantic search | Parliamentary data embeddings (public data only — no personal user data) | EU |
| Sentry (Functional Software Inc.) | Error tracking and application monitoring | Error stack traces, browser metadata, IP address (anonymised) | EU |
| PostHog Inc. | Product analytics (cookie-consent gated) | Pseudonymised usage events, page views (only with user consent) | EU (Frankfurt) |
| Tawk.to Inc. | Live chat support widget (marketing pages only) | Chat messages, visitor IP address, browser metadata | US/EU |
Data Transfer Safeguards
Where sub-processors are located outside the UK/EU, we ensure appropriate safeguards are in place:
- UK adequacy decisions — for transfers to countries/territories recognised by the UK Government
- Standard Contractual Clauses (SCCs) — incorporated into DPAs with US-based processors
- EU-US Data Privacy Framework — for certified US companies (Stripe, Google)
Changes to This List
We will update this page when we add or remove sub-processors. For material changes, we will notify customers via email at least 30 days in advance, giving you the opportunity to object.
Questions about our sub-processors? Contact us at [email protected]