Sub-processors
Version: 1.0.0 Last updated: 20 June 2026
This page lists the third parties that OMESTA SYSTEMS LLC (operating the Hyper Tracking service) engages to process personal data on behalf of its customers (the merchants) in providing the Service. It is the canonical list referenced by the Data Processing Agreement (Annex III) and the Privacy Policy.
Each sub-processor is bound by a written contract imposing data-protection obligations no less protective than those in our DPA, and Hyper Tracking remains liable to the merchant for each sub-processor's performance.
Current sub-processors
| Sub-processor | Purpose | Location of processing | Transfer mechanism |
|---|---|---|---|
| Cloudflare, Inc. | Edge compute (thin Worker, dispatch Worker, central API), KV, Durable Objects, R2 object storage, Analytics Engine, DNS, TLS termination | Global Cloudflare edge network; primary control plane in the U.S. | EU-U.S. DPF (with 2021 SCCs as fallback) |
| Supabase, Inc. | Managed Postgres database (canonical store of personal data), Supabase Auth (operator-side authentication only) | U.S. by default (AWS us-east-1). For merchants configured for EU residency, visitor personal data (sessions, identities, purchases, attribution, Halo matches) is stored in and read from a separate EU Supabase project physically located in the EU; account/config data and operator-side auth remain in the U.S. control plane regardless of region. |
2021 SCCs (Module 2 / Module 3) |
| Vercel, Inc. | Hosting of the merchant-facing dashboard | Global Vercel edge; primary U.S. | EU-U.S. DPF (with 2021 SCCs as fallback) |
| Stripe, Inc. | Hyper Tracking's own billing — payment processing for Hyper Tracking's fees to the merchant. Does not process the merchant's website visitors. | U.S. | EU-U.S. DPF (with 2021 SCCs as fallback) |
| Functional Software, Inc. (Sentry) | Error reporting from the Service's central API and Workers (sanitised — no customer personal data) | U.S. | 2021 SCCs |
Transfer-mechanism statuses (including DPF certification) can change. Hyper Tracking commits to maintaining a valid transfer mechanism for each restricted transfer at all times.
Not sub-processors: ad platforms as independent controllers
When a merchant authorises Hyper Tracking to push conversion events to an advertising platform, Hyper Tracking transmits hashed identifiers and conversion events to that platform on the merchant's instruction. These platforms are independent controllers of the data they receive for their own attribution and measurement purposes — they are not Hyper Tracking sub-processors.
| Recipient | Role | DPF status (as of last update) |
|---|---|---|
| Meta Platforms, Inc. | Independent controller | DPF-certified |
| Google LLC | Independent controller | DPF-certified |
| TikTok / ByteDance Ltd. | Independent controller | Not DPF-certified; relies on its own SCCs |
The merchant is responsible for selecting which platforms to enable, maintaining a lawful basis (typically consent) for each transfer, and disclosing these transfers in its own privacy notice.
Changes to this list
We will notify merchants of any intended addition or replacement of a sub-processor at least thirty (30) days before that sub-processor begins processing customer personal data, by updating this page and emailing the contact on file. A merchant may object on reasonable data-protection grounds as set out in DPA § 6.3.
Contact
Questions about this list: privacy@hypertracking.io.