Sub-processors
Last updated: 17 June 2026
This page lists every third party Warm AI Ltd engages to process customer or visitor data on our behalf. It supersedes any earlier or partial listing.
Want to be notified before this list changes? Email compliance@warmai.uk and we'll add you to our sub-processor change-notification list. We'll give 30 days' notice before adding a new sub-processor that processes personal data on your behalf.
Production sub-processors
| Sub-processor | Purpose | Data processed | Location | DPA / Privacy |
|---|---|---|---|---|
| Supabase, Inc. | Database, authentication, edge functions (our application backend) | All customer + visitor data (sessions, identifications, account state) | EU region (Frankfurt) | Privacy · DPA |
| Cloudflare, Inc. | DNS, CDN, edge compute (Workers), R2 object storage | Edge traffic, tracker delivery, asset hosting | EU edge nodes preferred | Privacy · DPA |
| Vercel, Inc. | App + docs site hosting | Application traffic logs | EU/US | Privacy · DPA |
| Stripe, Inc. | Subscription billing + payment processing | Customer billing details only (we never see card numbers) | EU + US | Privacy · DPA |
| Mandrill (Intuit Mailchimp) | Transactional email delivery | Customer email address + email content | US | Privacy · DPA |
| Retention.com, Inc. (RB2B) | US person-level visitor identification (white-label OEM). Geofenced to US visitors only — non-US visitors are not processed by this sub-processor. | US-located visitor IP, browser metadata; LinkedIn URL + name + title + business email returned on match | US | GDPR · DPA · Sub-processors · CCPA opt-out |
| Snitcher B.V. | Company-level identification (white-label "Radar" product, proxied via radar.warmai.uk so visitors see only a Warm AI domain) | Visitor IP, browser metadata; company name + firmographics returned on match | EU (Netherlands) | Privacy |
| Rewardful Inc. | Affiliate program tracking (only for visitors who arrive via an affiliate link) | Referral cookie identifier, customer email at conversion | US | Privacy |
- Sub-processor
- Supabase, Inc.
- Purpose
- Database, authentication, edge functions (our application backend)
- Data processed
- All customer + visitor data (sessions, identifications, account state)
- Location
- EU region (Frankfurt)
- Sub-processor
- Cloudflare, Inc.
- Purpose
- DNS, CDN, edge compute (Workers), R2 object storage
- Data processed
- Edge traffic, tracker delivery, asset hosting
- Location
- EU edge nodes preferred
- Sub-processor
- Vercel, Inc.
- Purpose
- App + docs site hosting
- Data processed
- Application traffic logs
- Location
- EU/US
- Sub-processor
- Stripe, Inc.
- Purpose
- Subscription billing + payment processing
- Data processed
- Customer billing details only (we never see card numbers)
- Location
- EU + US
- Sub-processor
- Mandrill (Intuit Mailchimp)
- Purpose
- Transactional email delivery
- Data processed
- Customer email address + email content
- Location
- US
- Sub-processor
- Retention.com, Inc. (RB2B)
- Purpose
- US person-level visitor identification (white-label OEM). Geofenced to US visitors only — non-US visitors are not processed by this sub-processor.
- Data processed
- US-located visitor IP, browser metadata; LinkedIn URL + name + title + business email returned on match
- Location
- US
- DPA / Privacy
- GDPR · DPA · Sub-processors · CCPA opt-out
- Sub-processor
- Snitcher B.V.
- Purpose
- Company-level identification (white-label "Radar" product, proxied via radar.warmai.uk so visitors see only a Warm AI domain)
- Data processed
- Visitor IP, browser metadata; company name + firmographics returned on match
- Location
- EU (Netherlands)
- DPA / Privacy
- Privacy
- Sub-processor
- Rewardful Inc.
- Purpose
- Affiliate program tracking (only for visitors who arrive via an affiliate link)
- Data processed
- Referral cookie identifier, customer email at conversion
- Location
- US
- DPA / Privacy
- Privacy
What we don't do
- We do not sell or share visitor data with third parties for advertising or marketing purposes.
- We do not enrich visitor profiles via data brokers beyond the sub-processors listed above.
- We do not transfer personal data to jurisdictions outside the EEA / UK / US without appropriate safeguards (Standard Contractual Clauses or adequacy decisions).
Conditional sub-processors
The following are engaged only when a customer opts into a specific feature:
| Sub-processor | Triggered by | Purpose |
|---|---|---|
| CANDDi Group Ltd | Customer enables CANDDi waterfall in their account settings | UK-focused IP-to-company identification (filling RB2B's UK coverage gap) |
- Sub-processor
- CANDDi Group Ltd
- Triggered by
- Customer enables CANDDi waterfall in their account settings
- Purpose
- UK-focused IP-to-company identification (filling RB2B's UK coverage gap)
To confirm whether your account has triggered a conditional sub-processor, email compliance@warmai.uk.
Sub-processor change policy
When we add a new sub-processor that processes personal data on behalf of customers:
- We'll update this page with the new entry and bump the "Last updated" date above.
- We'll email customers on the notification list at least 30 days before the new sub-processor goes live, unless the change is urgent for security or service-continuity reasons.
- Customers may object to a new sub-processor within 30 days. If we can't accommodate the objection by removing the sub-processor or providing an alternative, the customer may terminate the affected service.
Related
- GDPR & Privacy — how we approach data protection more broadly
- Data Processing Addendum (DPA) — signing-ready contractual template
- CCPA "Do Not Sell or Share" opt-out — for California visitors
- Cookies & Consent technical integration — per-CMP setup for customers