Subprocessors
Last updated 2026-04-18.
Convexly uses the third-party providers listed below to deliver the service. Each subprocessor is contractually bound by a Data Processing Addendum, listed where public. Subprocessors process personal data only on Convexly's documented instructions and are subject to confidentiality and security obligations comparable to those in Convexly's own privacy policy.
We update this page whenever we add, remove, or materially change a subprocessor. If you have signed a DPA with Convexly, you will receive advance notice of material changes per that agreement.
| Subprocessor | Purpose | Data shared | Region | DPA |
|---|---|---|---|---|
| Supabase, Inc. | Managed PostgreSQL database, authentication, and row-level security. Primary application data store. | Account data (email, display name, plan type), decisions, outcomes, calibration scores, wallet analyses. | US (AWS us-east-1) | View → |
| Stripe, Inc. | Payment processing, subscription management, and invoicing. | Billing email, payment method (tokenized by Stripe; card numbers never touch Convexly), subscription history, invoices. | Global (primarily US) | View → |
| Vercel, Inc. | Hosting for the Convexly web application and API edge routes. CDN and DDoS protection. | Web request metadata (IP address, user agent), response bodies. No persistent data storage on Vercel. | Global edge (primarily US) | View → |
| Railway Corporation | Hosting for the Convexly FastAPI backend and background workers. | Request metadata and ephemeral compute. Persistent storage is in Supabase; Railway does not retain application data. | US | View → |
| OpenAI, L.L.C. | Large language model inference for AI-assisted decision structuring and coaching features. | Decision text and probabilistic reasoning context, submitted at the user's request when they use AI features. Not used for model training per OpenAI API terms. | US | View → |
| Resend (Resend Technologies, Inc.) | Transactional email delivery (weekly digest, onboarding sequence, resolution reminders). | Email address, display name, email content. | US | View → |
| PostHog, Inc. | Product analytics for funnel measurement and feature adoption. | Pseudonymous event data (page views, feature usage, calibration quiz completion). User identification limited to internal user IDs for signed-in users. | US (PostHog Cloud US) | View → |
Data not shared with any subprocessor
Polymarket wallet addresses submitted to the public wallet analyzer are not persisted or shared beyond the analysis round-trip, which queries only public on-chain data. Stripe card numbers never touch Convexly servers; Stripe tokenizes them client-side.
Contact
For security diligence, DPA requests, or questions about this list: research@convexly.app.