LEGAL
Sub-processors
Last updated: 11 May 2026
This page lists the third-party service providers (“sub-processors”) that we engage to deliver the Alivio service. Each sub-processor has been reviewed for its data protection and security practices and processes personal data on our behalf under contractual terms at least as protective as our own.
We update this page when we change sub-processors. Where reasonably possible we give 30 days’ notice. Customers can subscribe to changes by emailing privacy@alivio.org.uk.
Current sub-processors
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt, eu-west-2) | UK GDPR–compliant region; DPA in place; data does not leave the EU |
| Cloudflare | DNS, CDN, security (WAF), email forwarding | Global, with EU data residency for cache | DPA in place; UK-approved transfer mechanisms |
| Vercel | Web and application hosting | United States (with EU edge regions) | DPA in place; EU-US Data Privacy Framework participant; UK International Data Transfer Agreement |
| Resend | Transactional email delivery (waitlist notifications) | EU (Ireland, eu-west-1) | DPA in place; data does not leave the EU |
| PostHog | Anonymous product analytics for the Alivio app (aggregated usage events only; no user profiles) | EU (Frankfurt) | DPA in place; no personal contact data collected; analytics are not linked to user identities |
| GitHub | Source code hosting (no customer data) | United States | No customer personal data processed; included for transparency |
How to be notified of changes
Email privacy@alivio.org.ukwith the subject line “Sub-processor change notifications” and we will add you to the notification list.
Questions
For any questions about our sub-processors or the safeguards in place, email privacy@alivio.org.uk.