Legal

Subprocessors

The third-party service providers Apiway uses to deliver the Service. Published in support of Privacy Policy §5L.1 and the transparency obligation under Article 28 GDPR. Last updated 2026-05-31.

How this list works

The list is categorical. Apiway may add, remove, substitute, or combine providers in any category at any time, prospectively, subject to maintaining contractual obligations consistent with the Privacy Policy. References to a specific named provider are illustrative and operational, not contractual. See Privacy Policy §5N.3 and Terms of Use §3A.9 for the binding framework.

The Privacy Policy distinguishes Publicly Published Creator Content (§5A.1 — marketplace listings, public storefront content, Instagram posts auto-imported from a connected creator account) from Private Content (§5A.2 — brand product uploads for own generation, account-internal assets, drafts, generation inputs not published). The two categories are routed to different subprocessors and used for different purposes; the list below identifies which.

Current categorical list

Cloud database & application hosting

Provider(s): Supabase, Inc.
Processed data: Account data, marketplace metadata, generation jobs, agent events, ledger, all relational records.
Location: European Union (eu-central-1)
Transfer mechanism: Intra-EU; no cross-border transfer.

Object storage (image bytes, generated outputs)

Provider(s): Amazon Web Services, Inc. (AWS S3, bucket apiwayimages)
Processed data: Uploaded reference photos, brand product photos, generated AI outputs, marketplace reference frames.
Location: European Union (eu-north-1)
Transfer mechanism: Intra-EU; no cross-border transfer for storage. AWS DPA + SCCs apply where Apiway accesses from US.

Compute infrastructure (generation worker)

Provider(s): Dedicated bare-metal server (Hetzner, single-tenant)
Processed data: Image bytes during generation processing (transient). No persistent storage beyond the job lifetime.
Location: Germany
Transfer mechanism: Intra-EU.

Generative AI providers (image generation, vision analysis, text)

Provider(s): Google LLC (Gemini, Imagen). Apiway may substitute equivalent or successor providers (e.g., OpenAI, Anthropic, Stability AI, Black Forest Labs) at its discretion under PP §5N.3 and ToS §3A.9.
Processed data: AI Inputs (uploaded photos, prompts, references) and AI Output. Where the provider offers a no-training tier and the User has not contributed Publicly Published Creator Content under PP §5C.4, Apiway configures the request on that tier.
Location: United States and other regions depending on provider routing.
Transfer mechanism: EU SCCs (Decision 2021/914) with applicable addenda. UK IDTA and Swiss-equivalent safeguards where required.

Payment processing

Provider(s): Stripe, Inc.
Processed data: Billing details, subscription status, payment events. Payment card data is processed directly by Stripe under its own privacy notice and is not retained by Apiway.
Location: United States.
Transfer mechanism: EU SCCs (Decision 2021/914). Stripe's own data-protection arrangements apply.

Authentication & email transactional

Provider(s): Resend, Inc. (transactional email); SMTP failover.
Processed data: Account email, password-reset tokens, transactional message content (sign-in codes, generation-completion notices, policy-update notifications).
Location: United States.
Transfer mechanism: EU SCCs.

Cross-platform distribution (Apiway-operated accounts on third-party platforms)

Provider(s): Pinterest, Inc. (Apiway-operated Pinterest Business account, currently active). Meta Platforms, Inc. (Instagram, Facebook), Google LLC (YouTube), TikTok Ltd., X Corp., LinkedIn Corp., and equivalent platforms may be activated under PP §5C.3 and §5N.3 without further notice. Content distributed under §5C.3 is Publicly Published Creator Content only.
Processed data: Public listing images (resized for the destination platform), title, caption, link back to the originating Creator's storefront. No Private Content as defined in PP §5A.2.
Location: United States and global per destination platform.
Transfer mechanism: Destination platforms' own terms apply once content is republished there. Each platform is itself a controller for content on its platform.

Instagram automated import (Meta Graph API)

Provider(s): Meta Platforms, Inc.
Processed data: Read-only access to the Creator's own Instagram media on the Creator's authorization. Used to retrieve newly published Instagram posts for ingestion as Publicly Published Creator Content under PP §5B.2.
Location: United States.
Transfer mechanism: Meta API; Meta is itself a controller for the Creator's IG account.

Brand e-commerce integration

Provider(s): Shopify Inc.
Processed data: Read-only product metadata (titles, descriptions, images, variants, inventory) from connected stores under the Creator's authorization. Used to populate the Brand Products surface and, where the User opts in, to power AI generation against product images.
Location: Canada and United States.
Transfer mechanism: EU SCCs where applicable.

Phone / SMS verification (where enabled)

Provider(s): Twilio Inc.
Processed data: Phone number, one-time verification codes (transient).
Location: United States.
Transfer mechanism: EU SCCs.

Background-removal ONNX runtime (client-side CDN)

Provider(s): jsDelivr (Prospect One sp. z o.o.) — public CDN delivering @imgly/background-removal.
Processed data: Client-side: image bytes that the User uploads to the in-browser background-removal tool never leave the User's browser; only the model weights are fetched from the CDN. No User content is transmitted to the CDN provider.
Location: Global CDN.
Transfer mechanism: No User Personal Data transferred.

Search & AI-engine discovery (no contractual processing)

Provider(s): Search engines (Google Search, Bing, DuckDuckGo, Yandex, Baidu), AI-engine crawlers (OpenAI, Anthropic, Perplexity, Google Gemini retrieval, Apple Intelligence), and similar.
Processed data: Public surfaces of the Service (storefronts, marketplace listings, blog, docs, sitemap, JSON feeds, llms.txt, ai.txt). These crawlers operate under their own terms; Apiway does not control them and cannot revoke their copies or caches once made (see PP §5E.3 and §5N.5(c)).
Location: Global.
Transfer mechanism: None — public-internet crawl.

Changes; how to be notified

Apiway publishes material additions or replacements on this page and in the public changelog. Where mandatory applicable law requires individual notice (e.g., to an EEA controller customer under a data-processing agreement), Apiway notifies the affected counterparty by email to the address on file no fewer than thirty (30) calendar days before the change takes effect, subject to the objection mechanism in the applicable agreement.

Inquiries: [email protected] — please include the subject line “Subprocessor inquiry” so the message is routed to the data-protection desk.