Skip to content
Legal

Sub-processors

Last updated: 10 July 2026

Clubstance uses a small set of vetted third-party services ("sub-processors") to run the platform. Each processes personal data only for the purpose listed below and is bound by data protection obligations consistent with our Data Processing Terms. We update this page at least 15 days before adding or replacing a sub-processor that touches customer personal data.

Sub-processorPurposeData involvedLocation
SupabaseDatabase, authentication, and file storage — the platform's primary data storeAll platform data: accounts, member records, photos, payments, attendanceManaged cloud (AWS), region pinned per project
CloudflareWeb hosting, content delivery, and network securityTraffic metadata (IP addresses, request logs)Global edge network
RazorpayPayment processing for subscriptions and gym member paymentsPayment details (card/UPI handled by Razorpay directly), payer name, contactIndia
Meta Platforms (WhatsApp Cloud API)Delivery of WhatsApp messages sent by gyms (reminders, receipts, broadcasts)Member phone numbers and message contentGlobal (Meta infrastructure)
ResendTransactional email deliveryRecipient email addresses and email contentUnited States
Sentry (Functional Software, Inc.)Error monitoring and sampled session replay (typed text masked)Technical telemetry: browser/device info, IP, stack traces, masked session recordingsEuropean Union
GoogleOptional “Sign in with Google” authenticationGoogle account identifier, name, email (only if you choose Google sign-in)Global

Not a sub-processor: biometric devices

Fingerprint and face templates are processed by the gym's own biometric hardware and the on-premise bridge software inside the gym's local network. They never reach Clubstance's cloud or any sub-processor above — our servers receive only check-in events and device-user mappings.

Questions

Write to [email protected] to be notified of sub-processor changes by email.