Sub-processors
Last updated: 25 May 2026
This page lists every third-party supplier ("sub-processor") that helps us run the BYBU Aesthetics & Wellness website and the connected services. We list each one, what it does for us, what personal data it processes, where it operates, and the legal safeguard for any transfer of your data outside Gibraltar.
This page is referenced from our Privacy Policy. If we add a new sub-processor we will update this page and the "Last updated" date above. Material additions also trigger an update to the Privacy Policy.
Current sub-processors
| Supplier | What they do for us | Data shared | Where | Transfer safeguard |
|---|---|---|---|---|
| Stripe Privacy | Payment processing for wellness packs and class bookings. | Name, email, billing address, payment metadata. Card details go directly to Stripe and never reach us. | Ireland (EEA) and United States | EU/EEA adequacy; Standard Contractual Clauses for US transfers; Stripe Data Processing Agreement. |
| Twilio SendGrid Privacy | Sends transactional and marketing emails (booking confirmations, password resets, receipts, opt-in newsletters). | Recipient name, email address, message content. | United States | Standard Contractual Clauses; Twilio Data Processing Addendum. |
| Supabase Privacy | Hosted Postgres database and authentication for the website and account system. | All account data — name, contact, hashed password, bookings, transactional records. | European Union (Frankfurt) | EU/EEA adequacy; Supabase Data Processing Agreement. |
| Vercel Privacy | Hosts the website, runs the serverless functions, edge routing, and request-level logs. | IP address, request metadata, browser headers, page paths. | United States (primary), global edge network | Standard Contractual Clauses; Vercel Data Processing Addendum. |
| PostHog Privacy | Privacy-friendly product analytics — what pages people use and where the site breaks. Only loaded after you consent. No advertising. | Anonymised events, truncated IP, page paths, browser type. | European Union (Frankfurt) | EU/EEA adequacy; PostHog Data Processing Agreement. |
| Fresha Privacy | External booking system for aesthetic treatments. We link out to it; Fresha is the controller for what you submit to them. | Whatever you submit to the Fresha booking form (name, contact, treatment chosen). | United Kingdom | UK adequacy decision recognised by Gibraltar. |
| Meta Platforms (WhatsApp Business, Instagram, Facebook) Privacy | Customer messaging. If you message us on WhatsApp, Instagram, or Facebook, Meta handles the transit and storage of the message. | Phone number (WhatsApp), social profile, message content you send us. | United States and global infrastructure | Standard Contractual Clauses; Meta data processing terms. |
| Hetzner Privacy | Internal operations server — content scheduling and back-office tools. Does not store website visitor data. | None for site visitors. Internal operations data only. | Germany (EU) | EU/EEA adequacy. |
Sub-processors we do not use
To be explicit: we do not use Google Analytics, Google Ads, Meta Pixel, TikTok Pixel, Hotjar, or any other advertising, retargeting, or behavioural-tracking network. We do not share data with data brokers or list-rental services.
Asking us about a sub-processor
If you want a copy of the data-processing agreement we have signed with any of the suppliers above, or to ask a specific question about how a sub-processor handles your data, email info@bybuaesthetics.com.