Sub-processors

Effective: 3/6/2026

Effective Date: March 6, 2026 | Version 3.0 | Last Reviewed: March 6, 2026

Controller: MC Conversions Ltd (Company No. 14019497), Pantycrai, Adfa, Newtown, Powys, SY16 3BX. Contact: Luke@mcconversions.uk

📋 In Plain English

These are the third-party services we use to run AI Prompt Architect (Google, Stripe, Sentry, etc.). We tell you what data each one processes and where it's stored. None of them use your content to train AI. We'll notify you 14 days before adding new ones.

1. Introduction

1.1 Under GDPR Article 28(2), We are required to inform You of the Sub-Processors We engage to process Personal Data on Our behalf.

1.2 Each Sub-Processor is contractually bound to process Personal Data only in accordance with Our instructions, implement appropriate security measures, and comply with applicable data protection law.

2. Current Sub-Processors

| Provider | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Google Cloud Platform | Infrastructure, hosting, database (Firestore) | All Service data | EU (europe-west) | Adequacy / SCCs |
| Firebase (Google) | Authentication, Firestore database, hosting | Account data, Content | EU | Adequacy / SCCs |
| Google (Gemini API) | AI model inference | Prompts, Content (transient) | US / EU | SCCs + UK IDTA |
| Anthropic (Claude API) | AI model inference | Prompts, Content (transient) | US | SCCs + UK IDTA |
| OpenAI (GPT API) | AI model inference | Prompts, Content (transient) | US | SCCs + UK IDTA |
| Stripe, Inc. | Payment processing | Payment data, transaction records | US / EU | SCCs + EU-US DPF |
| Sentry (Functional Software) | Error monitoring, crash reporting | Technical data, error logs | US | SCCs |
| Google Analytics | Web analytics (anonymised) | Usage data (IP anonymised) | US / EU | SCCs + consent |
| Vercel (if applicable) | Web hosting, CDN | Technical data | US / EU | SCCs |

3. AI Provider Data Handling

3.1 No Training. All AI providers (Google, Anthropic, OpenAI) are contractually required NOT to use Your Content or prompts to train, improve, or fine-tune their AI models.

3.2 Transient Processing. AI providers process prompts and Content transiently for the purpose of generating Output. Data is not retained by AI providers beyond the inference session.

3.3 BYOK Data. If You use BYOK (Your own API keys), data is sent directly to Your provider under Your own agreement. We are not a party to that processing.

4. Transfer Safeguards

4.1 All international transfers are protected by appropriate safeguards:

  • Standard Contractual Clauses (SCCs): EU Commission Decision 2021/914

  • UK International Data Transfer Agreement (IDTA): ICO-approved

  • EU-US Data Privacy Framework (DPF): Where applicable (e.g., Stripe)

  • Supplementary Measures: Encryption (TLS 1.2+ in transit, AES-256 at rest), access controls, pseudonymisation

4.2 Transfer Impact Assessments (TIAs) are conducted for all transfers to countries without adequacy decisions. TIA summaries are available upon request.

5. Changes to Sub-Processors

5.1 We will update this page when Sub-Processors are added, removed, or changed.

5.2 For material changes, We will notify You by email at least fourteen (14) days before the new Sub-Processor begins processing Personal Data.

5.3 If You object to a new Sub-Processor, You may raise the objection in writing to Luke@mcconversions.uk within the fourteen (14) day notice period. We will work in good faith to address Your concerns.

6. Due Diligence

6.1 Before engaging a Sub-Processor, We assess: (a) data protection compliance; (b) security certifications (ISO 27001, SOC 2); (c) data processing location; (d) transfer mechanisms; and (e) data retention and deletion practices.

6.2 Sub-Processors are subject to periodic review and must maintain the security standards required by Our Data Processing Addendum.

7. Contact

Questions about Sub-Processors: Luke@mcconversions.uk

MC Conversions Ltd | Company No. 14019497 | Registered in England and Wales

📝 Change Log

v3.0 — Mar 2026: Enterprise rewrite. Full provider table with locations, transfer mechanisms, BYOK data flows, TIA commitments.

v1.0 — Jan 2026: Initial release.