
Subprocessor Disclosure

Version 1.2 · Effective Date: 01/05/2026

1. Purpose of this Document

This Subprocessor Disclosure lists the third-party service providers engaged by MARIOS GAITANIS & SONS MECHANICAL WORKS LIMITED, a company incorporated in the Republic of Cyprus under registration number HE185185, trading as DineChat, in connection with the DineChat service.

This Disclosure is incorporated by reference into our Data Processing Agreement and Privacy Policy.

2. Structure — Two Categories

Third-party providers are grouped into two categories:

A. Subprocessors of End-User Data (Section 3) — third parties that Process End-User Data on behalf of our Clients. DineChat acts as a Processor and the third party acts as a Sub-processor within the meaning of Article 28 GDPR.

B. Our Own Service Providers (Section 4) — third parties that Process Client, Authorized User, Visitor, or billing data on behalf of DineChat itself. DineChat acts as a Controller and the third party acts as DineChat's Processor.

We do not sell or share Personal Data with any third party for advertising or marketing purposes.

3. Subprocessors of End-User Data

3.1 Infrastructure and Platform

Subprocessor | Service Provided | Data Processed | Location
Vercel, Inc. (USA) | Application hosting, serverless compute, cron jobs | Transient processing of all data flowing through the application layer | United States (with edge locations globally)
Supabase, Inc. (USA) | Managed PostgreSQL database, row-level security | End-User messages, conversation history, reservation records, knowledge base | United States (AWS)

3.2 Messaging Platform

Subprocessor | Service Provided | Data Processed | Location
Meta Platforms, Inc. (USA) — WhatsApp Business Platform | Delivery and receipt of WhatsApp messages; WABA management | End-User phone numbers, profile names, message content (text and audio), message IDs, status information | Global

3.3 Artificial Intelligence Services

Subprocessor | Service Provided | Data Processed | Location
OpenRouter, Inc. (USA) | API routing layer for LLM requests | End-User message content, conversation context, system prompts, Knowledge Base excerpts | United States
Anthropic, PBC (USA) — via OpenRouter | Large language model inference (current default model) | Same as OpenRouter above | United States
OpenAI, OpCo, LLC (USA) — via OpenRouter | Large language model inference (may be used for specific models) | Same | United States
Google LLC (USA) — via OpenRouter | Large language model inference (may be used for specific models) | Same | United States
Groq, Inc. (USA) | Voice message transcription using Whisper model (Professional and Enterprise tiers only) | Voice message audio; transcribed text | United States

No training on your data. We route AI requests exclusively to endpoints whose providers commit not to train AI models on input data.

Short-term abuse-monitoring logs. AI providers may temporarily log input/output payloads (typically up to 30 days) strictly for abuse detection and safety monitoring. Such logs are not used for training.

Audio transcription. Groq processes audio transiently to produce a text transcript. DineChat does not retain the audio after transcription.

Provider changes. The specific model may change as we optimise for quality, latency, and cost; such changes occur within the set of providers meeting our no-training requirement. Material additions will be notified per Section 6.

4. Our Own Service Providers (Controller Context)

These providers Process Personal Data about our Clients, website Visitors, and billing counterparties on our behalf. They are listed here for transparency.

4.1 Authentication

Service Provider | Service Provided | Data Processed | Location
Clerk, Inc. (USA) | Authentication, session management, MFA | Account credentials (hashed), email addresses, session tokens, authentication-event metadata | United States

4.2 Billing and Payments

Service Provider | Service Provided | Data Processed | Location
Stripe, Inc. (USA) | Subscription billing, payment processing | Client billing details, subscription metadata, payment card data (stored by Stripe, not by DineChat) | United States and EU

Stripe is certified as a PCI-DSS Level 1 service provider. DineChat does not collect or store payment card numbers.

4.3 Email Delivery

Service Provider | Service Provided | Data Processed | Location
Resend, Inc. (USA) | Delivery of transactional emails to Clients | Client email addresses and notification message content | United States

4.4 Website Scraping (Knowledge Base Ingestion)

Service Provider | Service Provided | Data Processed | Location
Firecrawl (USA) | On-demand crawling of the Client's own public website | Client-provided website URL; publicly available web-page content | United States

5. Reservation Providers

Reservation providers are not Subprocessors or Service Providers of DineChat. They are third-party services to which data is transmitted at the Client's direction:

Provider | Role
SevenRooms, Inc. | Reservation-management platform. Used only where the Client has an account and has connected the integration.
Eat App | Reservation-management platform. Used only where the Client has an account and has connected the integration.
ServMe | Reservation-management platform. (Integration roadmap — subject to availability.)

DineChat acts solely as a technical conduit; DineChat's responsibility for End-User Data ceases upon successful transmission to the reservation provider's API.

6. Changes to this Disclosure

6.1 Notice of Changes. Clients will be notified of material changes at least thirty (30) days before the change takes effect, by posting the updated Disclosure and, where practicable, by email.

6.2 Right to Object. A Client may object on reasonable data-protection grounds within the 30-day notice period by writing to privacy@dinechat.io. Where the Client objects and the parties cannot agree, the Client may terminate the affected Services and receive a pro-rata refund.

6.3 Expedited Changes. Where a change is required urgently (confirmed security incident, regulatory order, or serious risk to service continuity), the change may take effect before expiry of the 30-day notice period, with notification as soon as reasonably practicable.

7. International Data Transfers

Most providers listed above are located in the United States. Where personal data is transferred outside the EEA, we rely on: (a) the EU–US Data Privacy Framework; (b) an adequacy decision; (c) the EU Standard Contractual Clauses; or (d) other valid transfer mechanisms. Equivalent safeguards apply under the UAE PDPL. Copies of applicable transfer safeguards can be requested at privacy@dinechat.io.

8. Contact

Questions regarding this Subprocessor Disclosure may be addressed to:

MARIOS GAITANIS & SONS MECHANICAL WORKS LIMITED
Attn: DineChat Privacy Team
3 Prodikou, Kato Polemidia 4154, Cyprus
Email: privacy@dinechat.io

End of Subprocessor Disclosure

© 2026 DineChat. All rights reserved.

DineChat is a trading name of MARIOS GAITANIS & SONS MECHANICAL WORKS LIMITED, a company incorporated in the Republic of Cyprus (registration number HE185185).