Seshman
Features Solutions Journal Contact Join waitlist →
Features Solutions Journal Contact Join waitlist →

·03 — Sub-processors

Sub-
processors.

Last updated · [Publication date TBD]

Seshman uses a small number of third-party services to run parts of the platform. This page lists each of them, what they do for us, where they're located, and the safeguard we rely on when personal data crosses borders. It's updated whenever the list changes.

About this page

A "sub-processor" is a third party that processes personal data on our behalf as part of delivering the Seshman service. Under UK GDPR (Article 28), where you're a trainer using Seshman to manage your clients' data — making you a data controller and Seshman your processor — you have the right to know who our sub-processors are and to object to material changes.

We notify trainers in-app at least 30 days before we add or replace a sub-processor that materially affects how your data is processed. If you reasonably object to a proposed change, you can terminate your subscription with effect from the date the change takes effect, in line with Schedule 1, clause 6 of the Terms of Service.

A separate change log is maintained at seshman.com/legal/changes.

Current sub-processors

The table below covers everything that processes personal data on our behalf today.

Vendor Purpose Location Transfer mechanism
Hosting and infrastructure
AWS App Runner Hosting the Seshman API UK (eu-west-2, London) UK-internal — no Chapter V transfer
AWS RDS (PostgreSQL) Primary database — personal data at rest UK (eu-west-2, London) UK-internal — no Chapter V transfer
AWS Cognito Authentication and identity UK (eu-west-2, London) UK-internal — no Chapter V transfer
AWS Amplify Hosting for the seshman.com marketing site UK (eu-west-2, London) UK-internal — no Chapter V transfer
AWS CloudWatch Application and access logs (may include IP addresses) UK (eu-west-2, London) UK-internal — no Chapter V transfer
Email delivery
AWS SES Outbound transactional email (invoices, receipts, reminders, schedule confirmations, cancellations, summaries, welcome, account alerts) UK (eu-west-2, London) UK-internal — no Chapter V transfer
AWS SNS SES bounce and complaint event delivery to our processors UK (eu-west-2, London) UK-internal — no Chapter V transfer
Push notifications
Apple Push Notification Service (APNs) Delivery of push notifications to iOS devices United States (Apple Inc.) UK Extension to the EU-U.S. Data Privacy Framework
Google Firebase Cloud Messaging (FCM) Delivery of push notifications to Android devices United States (Google LLC) UK Extension to the EU-U.S. Data Privacy Framework
Expo Push Intermediary that hands push notifications to APNs and FCM United States (650 Industries, Inc.) UK Extension to the EU-U.S. Data Privacy Framework, supplemented by EU Standard Contractual Clauses (Module 2) incorporated by reference in Expo's Terms of Service
App distribution
Apple App Store and TestFlight iOS app distribution; collects standard installation and crash data on Apple's terms United States (Apple Inc.) UK Extension to the EU-U.S. Data Privacy Framework
Google Play Android app distribution; collects standard installation and crash data on Google's terms United States (Google LLC) UK Extension to the EU-U.S. Data Privacy Framework
Analytics
Plausible Analytics (Plausible Insights OÜ) Aggregate visitor analytics for the seshman.com marketing site — cookieless, no cross-site tracking, no personal data stored European Union (Estonia, with hosting in Germany) EU-internal — no Chapter V transfer

AWS is contracted via Amazon Web Services EMEA SARL where applicable; all storage and processing of customer data takes place in the AWS eu-west-2 region (London). The corporate parent (Amazon.com, Inc.) is U.S.-based and DPF-certified, providing a fallback safeguard for any incidental access by U.S.-based support personnel.

Future sub-processors

The following sub-processors are part of our planned roadmap. They are not active today and we are not transferring personal data to them. We will give 30 days' in-app notice before activating each one.

  • Apple In-App Purchase — trainer subscription billing on iOS. United States (Apple Inc.). UK Extension to the EU-U.S. Data Privacy Framework.
  • Google Play Billing — trainer subscription billing on Android. United States (Google LLC). UK Extension to the EU-U.S. Data Privacy Framework.
  • RevenueCat — orchestration layer across Apple, Google, and web subscription billing. United States (RevenueCat, Inc.). Transfer mechanism to be confirmed before activation; expected to be UK Extension to the EU-U.S. Data Privacy Framework supplemented by SCCs.
  • Stripe — payment processing for web-side trainer subscriptions, and (separately) Stripe Connect for client-to-trainer payments when that feature launches. United States (Stripe, Inc.) with EU and UK entities. UK Extension to the EU-U.S. Data Privacy Framework, with separate processor terms covering Stripe Connect when activated.

Other tools we use (not sub-processors)

These third-party tools are part of how we operate Seshman but do not process personal data on our behalf. We list them here for transparency.

  • Google Search Console — we use this to understand how Seshman appears in Google search results. Search Console shows us aggregate data Google already holds about searches related to our domain. It does not process personal data of visitors to seshman.com and is therefore not a sub-processor under Article 28.

Changes to this list

Material additions or replacements (a new sub-processor in a different jurisdiction, a sub-processor handling a new category of data, a change to the transfer mechanism we rely on) are announced 30 days in advance via an in-app banner to all trainers and, where we have your email address, by email.

Minor changes (typos, clarifications, vendor renames that don't change the processing) are made silently and noted on the change log.

If you'd like to object to a proposed change, reply to the notification email or contact privacy@seshman.com. The objection mechanism is described in clause 6 of the Data Processing Agreement.

Contact

Questions about this page or any sub-processor: privacy@seshman.com.

Seshman is operated by Inca Labs Limited, 167-169 Great Portland Street, Fifth Floor, London, W1W 5PF, United Kingdom.

Seshman

Sessions, classes and payments for independent coaches.

Product

Features Solutions Journal

Support

Contact

Legal

Privacy Policy Deleting your account Consumer health data Terms of Service Sub-processors Change log

Seshman is operated by Inca Labs Limited, a company registered in England and Wales (no. 14731709, VAT GB438261686), registered office 167-169 Great Portland Street, Fifth Floor, London, W1W 5PF, United Kingdom.

© 2026 Inca Labs Limited. All rights reserved.