·03 — Sub-processors
Sub-
processors.
Last updated · [Publication date TBD]
Seshman uses a small number of third-party services to run parts of the platform. This page lists each of them, what they do for us, where they're located, and the safeguard we rely on when personal data crosses borders. It's updated whenever the list changes.
About this page
A "sub-processor" is a third party that processes personal data on our behalf as part of delivering the Seshman service. Under UK GDPR (Article 28), where you're a trainer using Seshman to manage your clients' data — making you a data controller and Seshman your processor — you have the right to know who our sub-processors are and to object to material changes.
We notify trainers in-app at least 30 days before we add or replace a sub-processor that materially affects how your data is processed. If you reasonably object to a proposed change, you can terminate your subscription with effect from the date the change takes effect, in line with Schedule 1, clause 6 of the Terms of Service.
A separate change log is maintained at seshman.com/legal/changes.
Current sub-processors
The table below covers everything that processes personal data on our behalf today.
| Vendor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Hosting and infrastructure | |||
| AWS App Runner | Hosting the Seshman API | UK (eu-west-2, London) | UK-internal — no Chapter V transfer |
| AWS RDS (PostgreSQL) | Primary database — personal data at rest | UK (eu-west-2, London) | UK-internal — no Chapter V transfer |
| AWS Cognito | Authentication and identity | UK (eu-west-2, London) | UK-internal — no Chapter V transfer |
| AWS Amplify | Hosting for the seshman.com marketing site | UK (eu-west-2, London) | UK-internal — no Chapter V transfer |
| AWS CloudWatch | Application and access logs (may include IP addresses) | UK (eu-west-2, London) | UK-internal — no Chapter V transfer |
| Email delivery | |||
| AWS SES | Outbound transactional email (invoices, receipts, reminders, schedule confirmations, cancellations, summaries, welcome, account alerts) | UK (eu-west-2, London) | UK-internal — no Chapter V transfer |
| AWS SNS | SES bounce and complaint event delivery to our processors | UK (eu-west-2, London) | UK-internal — no Chapter V transfer |
| Push notifications | |||
| Apple Push Notification Service (APNs) | Delivery of push notifications to iOS devices | United States (Apple Inc.) | UK Extension to the EU-U.S. Data Privacy Framework |
| Google Firebase Cloud Messaging (FCM) | Delivery of push notifications to Android devices | United States (Google LLC) | UK Extension to the EU-U.S. Data Privacy Framework |
| Expo Push | Intermediary that hands push notifications to APNs and FCM | United States (650 Industries, Inc.) | UK Extension to the EU-U.S. Data Privacy Framework, supplemented by EU Standard Contractual Clauses (Module 2) incorporated by reference in Expo's Terms of Service |
| App distribution | |||
| Apple App Store and TestFlight | iOS app distribution; collects standard installation and crash data on Apple's terms | United States (Apple Inc.) | UK Extension to the EU-U.S. Data Privacy Framework |
| Google Play | Android app distribution; collects standard installation and crash data on Google's terms | United States (Google LLC) | UK Extension to the EU-U.S. Data Privacy Framework |
| Analytics | |||
| Plausible Analytics (Plausible Insights OÜ) | Aggregate visitor analytics for the seshman.com marketing site — cookieless, no cross-site tracking, no personal data stored | European Union (Estonia, with hosting in Germany) | EU-internal — no Chapter V transfer |
AWS is contracted via Amazon Web Services EMEA SARL where applicable; all storage and processing of customer data takes place in the AWS eu-west-2 region (London). The corporate parent (Amazon.com, Inc.) is U.S.-based and DPF-certified, providing a fallback safeguard for any incidental access by U.S.-based support personnel.
Future sub-processors
The following sub-processors are part of our planned roadmap. They are not active today and we are not transferring personal data to them. We will give 30 days' in-app notice before activating each one.
- Apple In-App Purchase — trainer subscription billing on iOS. United States (Apple Inc.). UK Extension to the EU-U.S. Data Privacy Framework.
- Google Play Billing — trainer subscription billing on Android. United States (Google LLC). UK Extension to the EU-U.S. Data Privacy Framework.
- RevenueCat — orchestration layer across Apple, Google, and web subscription billing. United States (RevenueCat, Inc.). Transfer mechanism to be confirmed before activation; expected to be UK Extension to the EU-U.S. Data Privacy Framework supplemented by SCCs.
- Stripe — payment processing for web-side trainer subscriptions, and (separately) Stripe Connect for client-to-trainer payments when that feature launches. United States (Stripe, Inc.) with EU and UK entities. UK Extension to the EU-U.S. Data Privacy Framework, with separate processor terms covering Stripe Connect when activated.
Other tools we use (not sub-processors)
These third-party tools are part of how we operate Seshman but do not process personal data on our behalf. We list them here for transparency.
- Google Search Console — we use this to understand how Seshman appears in Google search results. Search Console shows us aggregate data Google already holds about searches related to our domain. It does not process personal data of visitors to seshman.com and is therefore not a sub-processor under Article 28.
Changes to this list
Material additions or replacements (a new sub-processor in a different jurisdiction, a sub-processor handling a new category of data, a change to the transfer mechanism we rely on) are announced 30 days in advance via an in-app banner to all trainers and, where we have your email address, by email.
Minor changes (typos, clarifications, vendor renames that don't change the processing) are made silently and noted on the change log.
If you'd like to object to a proposed change, reply to the notification email or contact privacy@seshman.com. The objection mechanism is described in clause 6 of the Data Processing Agreement.
Contact
Questions about this page or any sub-processor: privacy@seshman.com.
Seshman is operated by Inca Labs Limited, 167-169 Great Portland Street, Fifth Floor, London, W1W 5PF, United Kingdom.