GDPR · ART. 28

Who wework with.

Third-party service providers that process personal data on our behalf.
Last updated · July 7, 2026
This page is a defensible template maintained by MettaPay. It is not legal advice — consult qualified counsel before relying on it for production use.
01

Current subprocessors

ProviderPurposeRegion
Lovable Cloud (Supabase)Database, auth, file storage, email queueUnited States / EU
Cloudflare WorkersApplication runtime, CDNGlobal
Mailgun (via Lovable Emails)Transactional email deliveryUnited States / EU
TatumBlockchain infrastructure, webhooksUnited States / EU
Alchemy / Base RPCEthereum & Base RPC accessUnited States
PinataIPFS pinning for evidence and metadataUnited States
ChangellyFiat on/off-ramp and swap partnerCzech Republic / EU
World ID (Worldcoin)Optional proof-of-personhoodGlobal
Google (OAuth, reCAPTCHA)Sign-in and bot protectionUnited States
02

Changes

We will update this page when we add or remove a subprocessor. Customers with an executed DPA may subscribe to change notifications by emailing privacy@mettapays.com.

03

DPA

A signed Data Processing Addendum is available on request — see the DPA page.

Questions? We reply.

Reach our legal, privacy, or compliance team.