Effective date: April 20, 2026
Lovex AB uses the following categories of sub-processors to deliver the Service. We describe each by role, jurisdiction, and transfer safeguard rather than by vendor name so that this list remains stable when we change providers for equivalent functionality. Customers with a signed order form who require the specific vendor identities may request them at hello@lovex.dev under a confidentiality undertaking.
Notice of changes
We give at least 30 days’ notice before adding or replacing a sub-processor by updating this page. Customers on a paid plan may subscribe to change notices by emailing hello@lovex.dev. Objections on reasonable data protection grounds can be raised within the notice period as described in our Data Processing Agreement.
Current sub-processors
- Application hosting and edge delivery — serves the web application and API. Location: United States, with EU edge regions for static and cached content. Transfer safeguard: EU-U.S. Data Privacy Framework certification plus Standard Contractual Clauses. Data: request metadata, content in transit, build artifacts.
- Managed database and authentication — primary datastore for account data, team and project content, attachments, and session tokens. Location: European Union (primary), with encrypted backups in an EU region. Transfer safeguard: EU primary; Standard Contractual Clauses for any support access outside the EEA. Data: all application data at rest.
- AI inference provider — large language model inference for chat and generation features. Location: United States. Transfer safeguard: EU-U.S. Data Privacy Framework certification plus Standard Contractual Clauses. Contractual zero-retention for model training. Data: messages and context submitted to AI features, retained by the provider for up to 30 days for abuse monitoring then deleted.
- Product analytics — measures feature usage, funnels, and retention. Fires only after the user accepts cookies. Location: European Union (Frankfurt region). Transfer safeguard: EU-hosted; no data transfer outside the EEA in normal operation. Data: pseudonymous event stream, page views, clicks.
- Transactional email delivery — sends account emails (sign-in, invitations, receipts, system notifications). Location: European Union and United States, depending on recipient region. Transfer safeguard: EU-U.S. Data Privacy Framework certification plus Standard Contractual Clauses. Data: recipient email addresses and message content.
- Payment processor — handles card and SEPA payments on paid plans. Location: Ireland (EU headquarters) with global processing infrastructure. Transfer safeguard: Standard Contractual Clauses; PCI-DSS Level 1 certified. Data: billing name, email, country, tax ID, last four digits of card; full card data never reaches our systems.
- Identity federation providers — optional sign-in with third-party identity providers when the user chooses to connect them. Location: United States. Transfer safeguard: EU-U.S. Data Privacy Framework certification. Data:profile claims (name, email, avatar) returned by the provider after the user consents on the provider’s side. No data is sent to these providers unless the user initiates sign-in.
- Error monitoring — records application errors and traces for debugging. Location: European Union. Transfer safeguard: EU-hosted. Data: stack traces, request metadata, and account identifier; user content is redacted before transmission.
Internal processing
Lovex AB staff and contractors process Personal Data only as necessary to provide support, security, and service operations, under confidentiality obligations and with least-privilege access. This is not sub-processing within the meaning of Article 28; it is processing by the controller of its own personnel.
Contact
Questions about sub-processors, notice subscriptions, or objections: hello@lovex.dev.