Data Processors and Sub-Processors

Last Updated: 29th January 2026

1. Introduction

This document lists all third-party service providers (“sub-processors”) that Carrott uses to process personal data. As required by GDPR Article 28 and other applicable data protection laws, we maintain transparency about who handles data on our behalf.

Data Controller:

Company Name: Carrott LTD
Contact: admin@carrott.io
Data Protection Officer: admin@carrott.io

2. Categories of Data Processors

Our sub-processors fall into the following categories:

Payment Processing
Email Services
SMS Services
Mobile Wallet Services
Cloud Infrastructure
Storage Services
Domain Services
Authentication Services
Analytics (if applicable)

3. List of Sub-Processors

3.1 Payment Processing

Processor	Service	Data Processed	Location	Privacy Policy
Stripe, Inc.	Payment processing, subscription billing, Connect payouts	Name, email, payment method details, billing address, transaction history, subscription data	United States, with EU data processing	stripe.com/privacy

Purpose: Process subscription payments for Business Users, handle agency payouts via Stripe Connect, manage billing events and invoicing.

Data Transferred:

Customer name and email
Payment method information
Billing address
Subscription plan details
Usage-based billing data

3.2 Email Services

Processor	Service	Data Processed	Location	Privacy Policy
Resend, Inc.	Transactional and marketing email delivery	Email addresses, email content, delivery metadata	United States	resend.com/legal/privacy-policy

Purpose: Deliver authentication emails (magic links, password resets), transactional notifications, subscription alerts, and marketing communications.

Data Transferred:

Recipient email addresses
Email content (subject, body)
Sender information
Delivery status and events

3.3 SMS Services

Processor	Service	Data Processed	Location	Privacy Policy
Twilio, Inc.	SMS delivery for OTP verification	Phone numbers, SMS content	United States	twilio.com/legal/privacy

Purpose: Send OTP verification codes during customer enrollment, phone number verification.

Data Transferred:

Recipient phone numbers (E.164 format)
SMS message content (verification codes)
Delivery status

3.4 Mobile Wallet Services

Processor	Service	Data Processed	Location	Privacy Policy
Apple Inc.	Apple Wallet pass distribution, push notifications	Pass data, device identifiers, push tokens, card serial numbers	United States	apple.com/legal/privacy
Google LLC	Google Wallet pass distribution	Pass data, object/class identifiers, loyalty card content	United States	policies.google.com/privacy

Purpose: Generate, distribute, and update digital loyalty cards in Apple Wallet and Google Wallet.

Data Transferred to Apple:

Pass content (card design, text fields, barcodes)
Device library identifiers
Push notification tokens
Pass serial numbers
Authentication tokens

Data Transferred to Google:

Loyalty object data (card content, balances)
Class identifiers
Object identifiers
Callback events (saves, deletions)

3.5 Cloud Infrastructure & Database

Processor	Service	Data Processed	Location	Privacy Policy
Convex, Inc.	Backend-as-a-Service, reactive database, serverless functions	All application data (users, agencies, customers, cards, transactions)	United States	convex.dev/privacy

Purpose: Host and process all application data, execute backend logic, provide real-time data synchronization.

Data Transferred:

User account data
Business configuration
Customer loyalty data
Transaction records
All platform data

3.6 Storage Services

Processor	Service	Data Processed	Location	Privacy Policy
Cloudflare, Inc. (R2)	Object storage for images and assets	Card template images, logos, branding assets, wallet pass images	Global (edge locations)	cloudflare.com/privacypolicy

Purpose: Store and serve card template images, business logos, wallet pass assets, and other media files.

Data Transferred:

Image files
Asset metadata
Storage keys/references

3.7 Domain & Routing Services

Processor	Service	Data Processed	Location	Privacy Policy
Approximated	Custom domain hosting, SSL provisioning	Domain names, DNS configuration, routing data	United States	Contact provider for details

Purpose: Enable white-label custom domains for agencies, manage SSL certificates, route traffic.

Data Transferred:

Domain names
DNS records
Virtual host configuration

3.8 Authentication Services

Processor	Service	Data Processed	Location	Privacy Policy
Better Auth	Authentication library (self-hosted)	Email, password hash, session tokens	Self-hosted (Convex)	N/A (library, not SaaS)

Purpose: Handle user authentication, session management, magic link verification.

Note: Better Auth is a library running within our Convex backend, not an external service. Authentication data is processed within our infrastructure.

3.9 Customer Support & Feedback

Processor	Service	Data Processed	Location	Privacy Policy
Featurebase	Customer support, feedback, and feature requests	User name, email, support tickets, feedback submissions, feature requests	United States / EU	featurebase.app/privacy

Purpose: Provide in-app customer support, collect user feedback, manage feature requests and bug reports.

Data Transferred:

User name and email address
Support ticket content and attachments
Feature request and feedback submissions
User interaction metadata

3.10 Location Services

Processor	Service	Data Processed	Location	Privacy Policy
Google LLC (Maps/Places API)	Address autocomplete, place details	Search queries, place IDs, geographic coordinates	United States	policies.google.com/privacy

Purpose: Provide address autocomplete for business location entry, validate addresses.

Data Transferred:

Address search queries
Selected place IDs
Geographic coordinates

4. Data Flow Summary

User Input
    │
    ▼
┌─────────────────────────────────────────────────────┐
│                 Carrott                      │
│              (Convex Backend)                        │
│                                                      │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐             │
│  │ Users   │  │Agencies │  │Customers│             │
│  └────┬────┘  └────┬────┘  └────┬────┘             │
└───────┼────────────┼────────────┼───────────────────┘
        │            │            │
        ▼            ▼            ▼
   ┌─────────────────────────────────────────────┐
   │           Third-Party Processors            │
   │                                             │
   │  ┌────────┐  ┌────────┐  ┌────────┐        │
   │  │ Stripe │  │ Resend │  │ Twilio │        │
   │  │Payment │  │ Email  │  │  SMS   │        │
   │  └────────┘  └────────┘  └────────┘        │
   │                                             │
   │  ┌────────┐  ┌────────┐  ┌────────┐        │
   │  │ Apple  │  │ Google │  │Cloud-  │        │
   │  │ Wallet │  │ Wallet │  │ flare  │        │
   │  └────────┘  └────────┘  └────────┘        │
   └─────────────────────────────────────────────┘

5. Security and Compliance

5.1 Processor Requirements

All sub-processors are required to:

Implement appropriate technical and organizational security measures
Process data only according to our documented instructions
Ensure personnel are bound by confidentiality obligations
Assist with data subject requests
Delete or return data upon termination
Make available information for compliance audits
Notify us of data breaches without undue delay

5.2 Data Processing Agreements

We maintain Data Processing Agreements (DPAs) or equivalent contractual protections with all sub-processors, including:

Standard Contractual Clauses (SCCs) for international transfers
Security requirements and audit rights
Sub-processor notification procedures
Breach notification obligations

5.3 Certifications and Compliance

Processor	Certifications/Compliance
Stripe	PCI DSS Level 1, SOC 1 & 2, GDPR
Resend	SOC 2, GDPR
Twilio	SOC 2, ISO 27001, GDPR
Apple	ISO 27001, SOC 2
Google	ISO 27001, SOC 2, GDPR
Convex	SOC 2 Type II
Cloudflare	SOC 2, ISO 27001, PCI DSS
Featurebase	GDPR

6. Changes to Sub-Processors

6.1 Notification

We will notify Business Users of any intended changes to sub-processors at least 30 days before the change takes effect, via:

Email notification to account administrators
Update to this document

6.2 Objection Process

Business Users may object to a new sub-processor by contacting us at admin@carrott.io within 14 days of notification. We will work to address concerns or provide alternatives where possible.

6.3 Change Log

Date	Change	Details
23rd January 2026	Initial publication	Document created
29th January 2026	Added Featurebase	Customer support and feedback processor added

7. Contact Information

For questions about our sub-processors or to request Data Processing Agreements:

Carrott LTD

Email: admin@carrott.io
Address: Piccadilly Business Centre, Blackett Street, Manchester, M12 6AE

This Sub-Processors list is effective as of 29th January 2026.