GDPR · ART. 28
Who wework with.
Third-party service providers that process personal data on our behalf.
Last updated · July 7, 2026
This page is a defensible template maintained by MettaPay. It is not legal advice — consult qualified counsel before relying on it for production use.
01
Current subprocessors
| Provider | Purpose | Region |
|---|---|---|
| Lovable Cloud (Supabase) | Database, auth, file storage, email queue | United States / EU |
| Cloudflare Workers | Application runtime, CDN | Global |
| Mailgun (via Lovable Emails) | Transactional email delivery | United States / EU |
| Tatum | Blockchain infrastructure, webhooks | United States / EU |
| Alchemy / Base RPC | Ethereum & Base RPC access | United States |
| Pinata | IPFS pinning for evidence and metadata | United States |
| Changelly | Fiat on/off-ramp and swap partner | Czech Republic / EU |
| World ID (Worldcoin) | Optional proof-of-personhood | Global |
| Google (OAuth, reCAPTCHA) | Sign-in and bot protection | United States |
02
Changes
We will update this page when we add or remove a subprocessor. Customers with an executed DPA may subscribe to change notifications by emailing privacy@mettapays.com.
03
DPA
A signed Data Processing Addendum is available on request — see the DPA page.
