Last updated: February 2026

Sub-Processors

This page lists the third-party service providers (sub-processors) that process personal data on behalf of Food Signal Ltd to deliver the MyFoodFit service. We maintain appropriate contracts with all sub-processors to ensure GDPR compliance.

Current Sub-Processors

The following sub-processors are currently engaged to process personal data:

Supabase Inc.

Purpose: Database hosting, user authentication, and file storage

Data processed: User accounts, dietary preferences, saved products, usage data

Location: United States (with EU region available)

Transfer mechanism: Standard Contractual Clauses (SCCs)

Website: supabase.com

Privacy Policy: supabase.com/privacy

Stripe Inc.

Purpose: Payment processing and subscription management

Data processed: Name, email, payment card details (handled directly by Stripe), billing address, transaction history

Location: United States, Ireland

Transfer mechanism: Standard Contractual Clauses (SCCs), Stripe is certified under various compliance frameworks

Website: stripe.com

Privacy Policy: stripe.com/privacy

Apple Inc.

Purpose: Sign In with Apple authentication

Data processed: Apple ID identifier, email address (if shared by user)

Location: United States, Ireland

Transfer mechanism: Standard Contractual Clauses (SCCs)

Website: apple.com

Privacy Policy: apple.com/privacy

API Ninjas

Purpose: Food and nutrition database API

Data processed: Search queries for food items

Location: United States

Transfer mechanism: Standard Contractual Clauses (SCCs)

Website: api-ninjas.com

Privacy Policy: api-ninjas.com/privacy

Expo (650 Industries Inc.)

Purpose: Mobile app delivery and over-the-air updates, push notifications

Data processed: Device identifiers, push notification tokens, app version information

Location: United States

Transfer mechanism: Standard Contractual Clauses (SCCs)

Website: expo.dev

Privacy Policy: expo.dev/privacy

Data Processing Agreements

We have entered into Data Processing Agreements (DPAs) with all sub-processors listed above. These agreements ensure that:

• Personal data is processed only on our documented instructions
• Sub-processors implement appropriate technical and organisational security measures
• Sub-processors assist us in responding to data subject requests
• Personal data is deleted or returned upon termination of the service
• Sub-processors make available information necessary to demonstrate compliance

International Transfers

Several of our sub-processors are based in the United States. For transfers of personal data outside the UK/EEA, we rely on:

Standard Contractual Clauses (SCCs) — EU/UK Commission-approved contractual terms that provide appropriate safeguards for data transfers
Adequacy decisions — Where the destination country has been deemed to provide adequate data protection
Supplementary measures — Additional technical and organisational measures where required

Changes to Sub-Processors

We may update this list from time to time as we add or change sub-processors. Material changes will be reflected in the "Last updated" date at the top of this page.

If you have concerns about a specific sub-processor, please contact us at support@myfoodfit.co.uk.

Enterprise & DPA Requests

If you are an enterprise customer or health organisation that requires a signed Data Processing Agreement with Food Signal Ltd, please contact us at support@myfoodfit.co.uk to discuss your requirements.

Contact

For questions about our sub-processors or data processing practices:

Email: support@myfoodfit.co.uk