Sub-Processors Policy
Last updated: 14 June 2026 · Trades Office Limited (No. 17181500), trading as PlateProof · ICO: ZC133896
This policy lists the third-party providers PlateProof (a trading name of Trades Office Limited) uses to operate the Service. Each is engaged under a contract that includes data-protection obligations consistent with UK GDPR Article 28. PlateProof deliberately keeps this list short.
Current Sub-Processors
| Sub-processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Anthropic PBC | AI-assisted allergen identification and ingredient-image analysis | USA | UK IDTA / EU SCCs |
| Supabase Inc. | Database, authentication and file/evidence storage; transactional auth email | USA company — data hosted in the EU | UK IDTA / EU SCCs |
| Vercel Inc. | Application hosting and deployment | USA company — EU region (Dublin) | UK IDTA / EU SCCs |
What Each Provider Receives
Anthropic — uploaded images of packaging/dishes and dish names submitted for allergen identification. Data submitted is not used to train general-purpose AI models.
Supabase — account data, allergen and operational records, uploaded evidence images, and authentication. Database and storage are hosted in an EU region.
Vercel — hosts and serves the application; processes request/network data incidental to serving the Service. Functions run in the EU (Dublin) region, co-located with the database.
International Transfers
Where personal data is processed outside the UK/EU, PlateProof relies on appropriate safeguards:
- UK International Data Transfer Agreements (IDTAs)
- EU Standard Contractual Clauses (SCCs) where the EU GDPR applies
- or an equivalent lawful transfer mechanism
Changes
We will update this page when we add or remove a sub-processor. Where a change involves a new transfer of personal data to a third country, we will provide at least 30 days’ notice before it takes effect.
Contact
privacy@plateproof.io · Trades Office Limited, trading as PlateProof · Company No. 17181500 · ICO Registration ZC133896.
PlateProof’s stack is intentionally lean — three sub-processors, EU-hosted data, one AI provider. Fewer parties means a smaller transfer surface and a simpler answer for a customer’s data-protection team.