01 Active Subprocessors
Edwin Strong uses the following third-party service providers ("subprocessors") to deliver the Service. We update this list within 30 days of any material change.
| Subprocessor | Purpose | Data Categories | Region | Transfer Mechanism |
|---|---|---|---|---|
| Supabase, Inc. Delaware, US | Database (Postgres), authentication, edge functions, storage | Account info (email, name), profile metadata, workout logs, subscription state. Health metrics (HRV, sleep, recovery) remain on-device by architecture — NOT stored here. | United States us-east-1 | SCCs (Module 4) + supplementary technical measures (encryption at rest + in transit, RLS policies) |
| Stripe, Inc. Delaware, US | Payment processing, subscription billing, tax calculation | Cardholder details (tokenized; we never see raw cards), billing address, transaction history | US + EEA/UK | Stripe is a self-certified Data Processor; SCCs incorporated into Stripe DPA at stripe.com/legal/dpa |
| Apple, Inc. California, US | App Store distribution and iOS push notifications. Edwin Strong does not use in-app purchases — all subscriptions are processed via Stripe on edwinstrong.com. | Apple ID (anonymized to us, used for App Store download attribution and APNs push tokens). No payment data passes through Apple. | US + Ireland Cork for EEA users | Apple Developer Agreement covers SCCs for app distribution. No subscription billing data is transferred to Apple. |
| WHOOP, Inc. Massachusetts, US | Optional biometric integration (HRV, recovery, sleep, strain) — only if user opts in | OAuth refresh tokens (held in our VPS proxy server-side; no cardholder data) | United States | OAuth-based; raw biometric data flows from Whoop directly to user’s device, NOT to our servers |
| ConvertKit, Inc. Idaho, US (operating as Kit) | Email marketing, transactional email, automation sequences | Email address, first/last name, lifecycle tags, behavioral metadata (opens, clicks) | United States | SCCs (Module 4) per Kit DPA at kit.com/dpa |
| HubSpot, Inc. Delaware, US | CRM, lead pipeline, B2B outreach tracking | Org-level prospect data (NOT consumer member data); B2B contact info enriched from public sources | United States | SCCs per HubSpot DPA at legal.hubspot.com/dpa |
| DigitalOcean, Inc. New York, US | VPS hosting (Whoop OAuth proxy, Telegram bot endpoints) | OAuth tokens (encrypted at rest), bot session metadata, NO consumer biometric data | United States NYC region | SCCs per DigitalOcean DPA at digitalocean.com/legal/data-processing-agreement |
| Netlify, Inc. California, US | Web hosting (edwinstrong.com, coach.edwinstrong.com), edge middleware | Site visitor IP (transient, ≤30 days analytics retention), no PII storage at the edge layer | US edge network | SCCs per Netlify DPA at netlify.com/dpa |
| GitHub, Inc. California, US (Microsoft subsidiary) | Source code hosting, agent coordination workspace | Internal operational data only (no consumer member data is ever pushed here) | United States | SCCs per Microsoft Online Services Terms |
02 NOT Subprocessors
The following appear in our public communications but are NOT data processors under GDPR — they receive zero Edwin Strong member data:
- Anthropic (Claude) — used by internal agent operations only; no member PII ever leaves the agent boundary.
- Google (Gmail API) — used by Edwin’s personal Gmail for member communication; outbound only, replies handled by Edwin directly.
- Apple HealthKit — runs entirely on the user’s device under Apple’s privacy framework; we never receive HealthKit data on our servers.
- Garmin / Hume Health — when integrated, designed to follow the same on-device-only pattern as Whoop.
03 Notification of Changes
EU/UK members can subscribe to subprocessor change notifications by emailing privacy@edwinstrong.com with subject line "Subprocessor list — subscribe."
We will email you within 30 days of any addition, change, or removal. You retain the right to object to specific subprocessors per GDPR Art. 28(2).
04 Internal Change Log
- 2026-04-29 — Initial list published (pre-EU launch readiness; aligns with privacy-policy §10 + §11)
05 Related
For our full Privacy Policy, including international data transfers, GDPR rights, and contact for the acting DPO, see edwinstrong.com/privacy.