Sub-processors of personal data
This page lists the third-party service providers (“sub-processors” under Art. 28 GDPR) that process personal data on behalf of Strenqo.
1. Foreword
Strenqo is published and operated by Andreas Mondo (Italian sole proprietorship, acting as data controller).
Andreas Mondo (sole proprietorship) · Via Pianezza 16, 10040 Givoletto (TO), Italy · VAT IT13352600012 · Tax code MNDNRS05B17L219J · Email strenqo-support@strenqo.eu · PEC andreasmondo@ultracert.it
For each sub-processor we indicate: legal name, location, data hosting country, processing purpose, transfer safeguard for extra-EU transfers. The list reflects the state as of 2026-05-17. Any new sub-processors will be notified to users with reasonable advance notice.
2. Active sub-processors
2.1 Supabase
- Legal name: Supabase Inc.
- Location: United States (Delaware)
- Data hosting country: European Union (eu-west-1)
- Purpose: PostgreSQL database, authentication, file storage (Storage), Edge Functions execution, realtime sync
- Categories of data: all user data (profile, workouts, nutrition, body check-in, photos, AI Coach conversations)
- Transfer mechanism: no extra-EU transfer at rest. Support access by Supabase Inc. (USA) governed by DPA with SCC
- Site: supabase.com · Docs: privacy, terms
2.2 OpenAI
- Legal name: OpenAI, L.L.C. (USA) and OpenAI Ireland Ltd (EU)
- Location: United States / Ireland
- Data hosting country: United States, with initial processing in Dublin for EU users
- Purpose: AI Coach reply generation, food photo analysis, workout/nutrition plan generation
- Categories of data: AI Coach conversation text, food photos, user context (profile, recent workouts, weight) — only if you have given explicit consent to the AI Coach
- Transfer mechanism: EU-US Data Privacy Framework + SCC. OpenAI is on the DPF Participants List
- Site: openai.com · Docs: DPA, privacy
Note on coach-micro: as of 2026-05-17, the “micro hint” coach feature does not send data to OpenAI; the server-side function is not deployed and the app uses a local fallback template.
2.3 RevenueCat
- Legal name: RevenueCat, Inc.
- Location / hosting: United States
- Purpose: Pro subscription management (sync of subscription state between Apple App Store, Google Play and our servers). On account deletion, the RevenueCat subscriber is cascade-deleted via API
- Categories of data: user UUID, subscription state, product identifier, subscription lifecycle events
- Transfer mechanism: SCC in RevenueCat's DPA
- Notes: RevenueCat does not receive payment data nor health data
- Site: revenuecat.com · Docs: DPA, privacy
2.4 Resend
- Legal name: Resend, Inc.
- Location / hosting: United States
- Purpose: transactional emails — account deletion confirmation, policy update notifications. Not used for marketing
- Categories of data: recipient email address, content of transactional emails
- Transfer mechanism: EU-US DPF (+ UK Extension) + SCC. Resend is certified on the DPF Participants List
- Site: resend.com · Docs: DPA, GDPR
2.5 Sentry
- Legal name: Functional Software, Inc. (operating in the EU as Sentry GmbH)
- Location: United States (parent) / Germany (EU entity)
- Data hosting country: European Union — Germany (ingest.de.sentry.io)
- Purpose: crash reporting and error diagnostics — only with explicit consent
- Categories of data: stack traces, breadcrumbs, app version, device model, OS, pseudonymous user identifier (UUID, not email). PII redacted via the beforeSend filter. Redaction is a mitigation, not a guarantee
- Transfer mechanism: no extra-EU transfer for crash reporting
- Site: sentry.io · Docs: DPA, privacy
2.6 Apple
- Legal name: Apple Inc. (USA) / Apple Distribution International Ltd (Ireland, for EU users)
- Location: United States / Ireland
- Purpose: App Store distribution, in-app purchases (IAP), push notifications (APNs), HealthKit on-device, Sign in with Apple
- Categories of data: Apple ID (for IAP), push token, on-device health data (not transferred to Apple by Strenqo)
- Transfer mechanism: EU adequacy decision (Ireland) / DPF (Apple Inc. listed) + Apple Developer Program safeguards
- Site: apple.com · privacy
2.7 Google
- Legal name: Google LLC (USA) / Google Ireland Ltd (Ireland, for EU users)
- Location: United States / Ireland
- Purpose: Google Play distribution, IAP, push notifications (FCM), Health Connect on-device, Google Maps SDK Android (map tile rendering for outdoor cardio routes)
- Categories of data: Google Account (for IAP), push token, on-device health data, GPS coordinates (only if you use outdoor cardio routes)
- Transfer mechanism: EU-US DPF (Google LLC listed) + SCC
- Site: google.com · privacy
2.8 OpenFoodFacts
- Legal name: Open Food Facts (non-profit association)
- Location / hosting: France (EU)
- Purpose: public food database (text / barcode search)
- Categories of data: no personal data of the Strenqo user — search queries contain only free text or barcode, anonymised before sending
- Transfer mechanism: no extra-EU transfer
- Site: openfoodfacts.org
2.9 ipwho.is
- Location / hosting: United States
- Purpose: IP geolocation — primary fallback to derive country of residence when local fallbacks (profile, timezone, system language) are insufficient
- Categories of data: only the user's IP address. No user identifier, no health data, no cookies
- Transfer mechanism: provider standard SCC
- Site: ipwho.is
2.10 ipapi.co
- Legal name: Kickfire LLC
- Location / hosting: United States
- Purpose: IP geolocation — secondary fallback, used only if ipwho.is fails
- Categories of data: only the user's IP address
- Transfer mechanism: provider standard SCC
- Site: ipapi.co
2.11 Expo (EAS + Auth Proxy)
- Legal name: Expo, Inc.
- Location / hosting: United States
- Purpose:
  - Auth Proxy: during “Sign in with Google”, the OAuth authorisation code transits through auth.expo.io before being exchanged for the final token
  - Expo Application Services (EAS): app build and Over-The-Air updates infrastructure
- Categories of data (auth proxy): Google OAuth authorisation code in transit, refresh token in transit. No health data received. Final session managed directly by Supabase Auth
- Transfer mechanism: EU-US DPF + SCC
- Site: expo.dev
3. Third-party data sources via OAuth (independent controllers)
The providers listed below are not sub-processors of Strenqo under Art. 28 GDPR. They are autonomous data controllers of the data they collect from your wearable device. Upon your authorisation via OAuth, they transmit a subset of that data to our backend, where Strenqo becomes the controller of the imported copy. We list them here, alongside our sub-processors, for full transparency on the data flow.
3.1 Whoop
- Legal name: Whoop, Inc.
- Location: United States (Boston, Massachusetts)
- Their data hosting country: United States
- Their role: independent data controller (collects data from your Whoop strap under their own privacy policy)
- Data we receive after your OAuth consent: raw HRV (RMSSD), resting heart rate, sleep stages (deep/REM/light/awake/in_bed/asleep durations), wrist temperature deviation, per-workout heart-rate samples (where exposed by their API), workout start/end timestamps and sport type
- Data we deliberately do NOT receive: Whoop recovery score, strain score (0–21), sleep performance score, day strain — i.e. any of their proprietary derived metrics
- Transfer mechanism (provider → Strenqo): SCC in the Whoop API data-sharing agreement; the imported copy is then stored in our Supabase backend (EU)
- Revocation: Profile → Connected health → Disconnect (revokes the refresh token both on our backend and at Whoop); also revocable from your Whoop account dashboard
- Site: whoop.com · Provider's policy: whoop.com/legal/privacy
3.2 Oura
- Legal name: Ōura Health Oy
- Location: Finland (Oulu) — European Union
- Their data hosting country: European Union (Finland)
- Their role: independent data controller
- Data we receive after your OAuth consent: raw HRV, resting heart rate, sleep stages, SpO₂ readings, workout metadata, wrist temperature deviation
- Data we deliberately do NOT receive: Oura readiness score, sleep score, activity score
- Transfer mechanism: intra-EU (Oura is an EU controller). Our copy is hosted in Supabase EU
- Revocation: Profile → Connected health → Disconnect; also revocable from your Oura account dashboard
- Site: ouraring.com · Provider's policy: ouraring.com/privacy
3.3 Template clause — future cloud-wearable providers
Strenqo may, in the future, integrate further cloud-wearable platforms under the same OAuth-based model (examples include Garmin Connect, Polar Flow, Fitbit / Google Fit, Suunto, Coros, Withings, Samsung Health). When this happens:
- The provider will be added to this section with the same level of detail (legal name, location, data hosting country, data we receive, data we do not receive, transfer mechanism, revocation path).
- Users will be notified in advance via the notify-policy-update Edge Function and/or in-app.
- The same principle applies: Strenqo imports only the raw biometrics strictly necessary for its own algorithms; we do not import the provider's proprietary scores.
- Each provider remains an autonomous controller. They are not Art. 28 sub-processors.
4. Sub-processors we do NOT use
For transparency, Strenqo does not use:
- Third-party advertising SDKs (AdMob, Meta Audience Network, Unity Ads, AppLovin, IronSource)
- Third-party analytics SDKs (Google Analytics for Firebase, Mixpanel, Amplitude, PostHog, Heap)
- Attribution / mobile measurement SDKs (AppsFlyer, Adjust, Branch, Singular)
- Behavioural trackers (Facebook SDK, TikTok SDK)
- Cross-context profiling services for marketing purposes
5. Summary by data type
| Data type | Sub-processors that see it | Notes |
|---|---|---|
| Profile, workouts, nutrition, weight, photos | Supabase (EU) | Full hosting |
| AI Coach conversations + user context | Supabase (EU) + OpenAI (USA) | OpenAI only if “AI data consent” toggle is on (default on) |
| User identifier for subscription | Supabase (EU) + RevenueCat (USA) | Pro subscribers only; cascade-deleted on deletion |
| Transactional emails | Resend (USA) | Localised in 8 languages |
| Crash reports | Sentry (EU/Germany) | Only if toggle on; geo-differentiated default |
| Push tokens | Apple (USA) / Google (USA) | Only if notifications enabled |
| GPS coordinates (outdoor cardio) | Google Maps SDK (USA) | GPS Clip 200m may be applied |
| Food search | OpenFoodFacts (FR) | No user PII transmitted |
| IP address (market geolocation) | ipwho.is, ipapi.co (USA) | Only if local fallbacks insufficient |
| OAuth code (Sign in with Google) | Expo Auth Proxy (USA) | Only during Google login |
| Raw biometrics from cloud wearables (HRV, sleep stages, HR samples) | Whoop (USA), Oura (EU) — see §3 | Independent controllers; data flows in only after explicit OAuth consent; provider's proprietary scores are NOT imported |
6. Notification of changes
We will add, remove or replace sub-processors only for legitimate operational needs. The date at the top will be updated. For material changes (e.g. new sub-processor in a third country, new extra-EU transfer, new type of data shared), users will be notified by email via the notify-policy-update Edge Function and/or in-app. You can always revoke consent to optional processing or delete the account.
7. Contacts
- Controller: Andreas Mondo (sole proprietorship) — Via Pianezza 16, 10040 Givoletto (TO), Italy
- Email: strenqo-support@strenqo.eu
- PEC: andreasmondo@ultracert.it
- DPO: not designated (see Privacy Policy §1 for the rationale)