Sub-processors
Version: v1.0 — launch · Last updated: 2026-05-20 · Effective: from public launch
This page lists all third-party service providers ("sub-processors") that may process personal data on Medelix's behalf. We maintain this page as the authoritative source — Privacy Policy §5 links here.
We notify signed-in users by email at least 14 days before adding, removing, or materially changing a sub-processor.
Infrastructure
| Provider | Role | Location | Data received |
|---|---|---|---|
| Supabase | Managed database, authentication, storage | EU (Frankfurt) | Account record, conversation history, consent flags |
| Railway | Backend hosting | EU (Amsterdam) | All request data in transit |
| Netlify | Frontend hosting and edge | EU edge of US-HQ provider | Page requests; no personal data persisted |
| Cloudflare | DNS, CDN, WAF, anti-DDoS | EU edge of US-HQ provider | IP addresses for security filtering |
AI processing
| Provider | Role | Location | Data received |
|---|---|---|---|
| Mistral AI | Language-model inference | France | Question text per request; no training on inputs |
| Jina AI | Text-embedding generation | Germany | Question text only |
Communications and identity
| Provider | Role | Location | Data received |
|---|---|---|---|
| Brevo | Transactional email (verification, password reset) | France | Email address, message content |
| Google (Google Ireland Ltd) | "Sign in with Google" authentication | EEA | Name and email if you choose this option |
| Apple (Apple Distribution International Ltd) | "Sign in with Apple" authentication | Ireland | Stable identifier; name and email on first sign-in |
Analytics
| Provider | Role | Location | Data received |
|---|---|---|---|
| Plausible | Cookieless aggregate analytics | Germany / EU | Aggregated pageviews; no user identifier |
Public literature APIs (not sub-processors for personal data)
The following APIs receive only anonymised query text (no account identifier, no IP) and no personal data about you. Listed here for transparency, not because they process personal data on our behalf:
| API | Role | Location |
|---|---|---|
| EuropePMC | Current source of evidence retrieval | UK |
Additional open-access literature APIs are planned and will be added to this list when integrated.
Transfer mechanisms
For US-headquartered providers (Cloudflare, Netlify), transfers rely on Standard Contractual Clauses (SCCs) under Commission Decision 2021/914, supplemented by the EU–US Data Privacy Framework where the provider is self-certified. Internal Transfer Impact Assessments are maintained and available to supervisory authorities on request.
Contact
Privacy questions: [email protected]
Change log
- 2026-05-20 — Initial publication.