Legal
Sub-processors
Last updated: 19 May 2026
nlit relies on a small set of trusted third parties ("sub-processors") to deliver the service. This page lists every external system that may handle personal data on our behalf, why it's used, and the contractual safeguard in place for the transfer. We commit in our Data Processing Agreement to notify customers at least 30 days before adding or replacing a sub-processor whose engagement affects how we process your personal data.
Anthropic
United States- Purpose
- AI auto-translate (Claude API)
- Data
- Source strings, optional context (description, screenshot caption) submitted to the translate endpoint
- Transfer
- EU-US Data Privacy Framework (DPF) + signed DPA
- Links
- Privacy policyDPA
Stripe
United States / Ireland- Purpose
- Subscription billing, one-time charges, invoicing, VAT
- Data
- Billing name, billing address, payment method (handled directly by Stripe — we store only a customer ID), VAT ID, invoice history
- Transfer
- EU-US Data Privacy Framework (DPF) + Stripe DPA
- Links
- Privacy policyDPA
Fly.io
European Union (region: arn — Stockholm)- Purpose
- Application server hosting (API + background jobs)
- Data
- All customer content passes through Fly machines in transit; ephemeral request logs
- Transfer
- EU-based processing; Fly DPA
- Links
- Privacy policyDPA
Neon
European Union (aws-eu-central-1, Frankfurt)- Purpose
- Managed PostgreSQL database
- Data
- All persistent customer data: accounts, projects, modules, translations, audit logs
- Transfer
- EU-based processing; Neon DPA
- Links
- Privacy policyDPA
Cloudflare (R2)
European Union region- Purpose
- Object storage for context images uploaded to translation keys
- Data
- Image files only — no account or translation content
- Transfer
- EU-based processing; Cloudflare DPA + SCCs
- Links
- Privacy policyDPA
Cloudflare (DNS)
Global edge network- Purpose
- DNS resolution and edge protection for nlit.app
- Data
- DNS queries only — no account or translation content
- Transfer
- Standard Contractual Clauses (SCCs) via Cloudflare DPA
- Links
- Privacy policy
Vercel
United States / global edge network- Purpose
- Frontend (Next.js) hosting + Vercel Analytics
- Data
- IP address, request URL, user agent (standard web logs); aggregated, anonymised page-visit counts
- Transfer
- EU-US Data Privacy Framework (DPF) + Vercel DPA
- Links
- Privacy policyDPA
Resend
United States- Purpose
- Transactional email delivery (sign-up verification, password reset, org invites)
- Data
- Recipient email address, email subject and body, delivery metadata
- Transfer
- EU-US Data Privacy Framework (DPF) + Resend DPA
- Links
- Privacy policyDPA
Sentry
United States- Purpose
- Error tracking + crash reporting
- Data
- Stack traces, request URLs, user ID, IP address, user agent at the moment an error is captured
- Transfer
- Standard Contractual Clauses (SCCs) via Sentry DPA
- Links
- Privacy policyDPA
Axiom
United States- Purpose
- Backend log aggregation
- Data
- Application logs (may include user IDs, request paths, error messages — never passwords or payment data)
- Transfer
- Standard Contractual Clauses (SCCs) via Axiom DPA
- Links
- Privacy policy
Google (OAuth + Workspace)
United States / European Union- Purpose
- OAuth sign-in for users who choose "Continue with Google"; Google Workspace for company email
- Data
- OAuth: email, name, provider account ID. Workspace: only marcus@nlit.app inbox (does not process customer data)
- Transfer
- EU-US Data Privacy Framework (DPF) + Google Cloud DPA
- Links
- Privacy policyDPA
Microsoft
United States / European Union- Purpose
- OAuth sign-in for users who choose "Continue with Microsoft"
- Data
- OAuth: email, name, provider account ID
- Transfer
- EU-US Data Privacy Framework (DPF) + Microsoft DPA
- Links
- Privacy policyDPA
Questions or DPA requests
For a copy of any sub-processor's DPA, to subscribe to change notifications, or to sign our customer-facing DPA, contact support@nlit.app.
Also see our Privacy Policy and Terms of Service.