Archaster regenerative intelligence

Strategic design and sourcing intelligence.

Sub-Processor List

Last Updated: Dec. 4, 2025

Overview

Archaster Labs uses carefully selected third-party service providers (“sub-processors”) to deliver our Services. This page explains:

  • Which providers we use

  • What they process

  • Where they process it

  • The safeguards in place

  • How changes are communicated

All sub-processors are bound by Data Processing Agreements (DPAs) and must comply with:

  • The General Data Protection Regulation (GDPR)

  • The Norwegian Personal Data Act

  • Applicable international data-transfer rules

Important Note on AI Processing

Our AI Gateway transmits your queries — and any associated context you choose to include — to third-party AI providers (such as Google Gemini) on a pass-through, real-time basis.

  • We do not control the physical processing location chosen by the AI provider.

  • We rely on SCCs, DPAs, and published privacy commitments to ensure lawful processing.

  • Providers state that prompts are not used to train public models.

Current Sub-Processors

Below is the full list of sub-processors currently used by Archaster Labs:

1. Lovable Cloud / Supabase

Purpose:
• Backend infrastructure
• Database management
• User authentication
• File storage (uploads)
• Vector embeddings storage
• Serverless functions
• Chat history storage

Data Processed:
• User account data
• Conversation history (for authenticated users)
• Uploaded documents & extracted text
• Vector embeddings
• Session/authentication tokens
• Project metadata

Processing Location:
United States (primary), United Kingdom (London), Belgium
(Location depends on the selected infrastructure region used by Lovable Cloud)

Privacy Policy:
(link to Supabase/Lovable policy)

2. Google Gemini AI (via Lovable AI Gateway)

Purpose:
• Natural language processing
• AI response generation
• Retrieval-augmented generation
• Content interpretation
• Query and context understanding

Data Processed:
• User prompts
• Conversation context
• Chat inputs
• Extracted text from uploaded documents (only what is included in the prompt)
• Geospatial metadata (if included in the prompt)

Processing Location:
Global (Google Cloud Platform regions — location determined by Google)

Privacy Policy:
(link to Gemini/GCP data protection terms)

3. Cloudflare

Purpose:
• CDN services
• DDoS protection
• Bot protection (Turnstile)
• Network-level security

Data Processed:
• IP addresses
• Request metadata
• Browser details
• Turnstile challenge interactions
• High-level routing and operational data

Processing Location:
Global network

Privacy Policy:
(link)

  1. Waitlist (getwaitlist.com)

Purpose:
• Waitlist sign-up management
• Email submissions
• Waitlist analytics (aggregate metrics)
• Referral link tracking (if enabled)

Data Processed:
• Email address
• IP address (via browser request logs)
• Referral link metadata (optional)
• Signup timestamp
• Device + browser information (basic)

Processing Location:
United States (primary), with global CDN distribution

Privacy Policy:
https://getwaitlist.com/privacy-policy

Notes:

  • We use Waitlist only for early-access signups before account creation.

  • Waitlist data is not merged into the Archaster platform until/unless a user converts to an active account.

Document Uploads & Derived Data

When you upload documents (such as PDFs, images, or text files), the file and its extracted text/embeddings may be processed by the following sub-processors:

Supabase / Lovable Cloud

  • for file storage

  • for extracted text storage

  • for embeddings storage

  • for associating the file with your chat

Google Gemini (Indirectly)

  • ONLY if you explicitly reference the uploaded content in a prompt or the system includes extracted text in the model input

  • Google does not receive the original file

  • Google only receives the text you choose to include or that is automatically included for context

When you delete a document or an entire chat, all associated files, extracted text, and embeddings are permanently deleted:

  • from production systems within 30 days,

  • from backups within 90 days.

Data Transfer Safeguards

When data is transferred internationally (outside Norway/EEA), we rely on:

  • Standard Contractual Clauses (SCCs)

  • Data Processing Agreements (DPAs)

  • Technical and organisational safeguards (encryption, access controls, audits)

  • Provider-published compliance commitments

We review all sub-processors before use.

Sub-Processor Changes

If we add, remove, or modify a sub-processor:

  1. We update this page

  2. We update the “Last Updated” date

  3. Enterprise customers receive advance notice as contractually required

We recommend checking this page periodically.

Data Minimization

We share only the minimum data necessary:

  • Cloudflare → only request metadata

  • Stripe → billing/payment data only

  • Google Gemini → only prompts + context needed for the response

  • Supabase → only data required to deliver the service

No sub-processor receives full access to all user data.

Your Rights

Under GDPR and Norwegian law, you may exercise all relevant data-subject rights over data processed by sub-processors, including:

  • access

  • rectification

  • deletion

  • restriction

  • portability

  • objection

Complaints:
Norwegian Data Protection Authority (Datatilsynet), www.datatilsynet.no

Questions or Concerns

If you have questions about our sub-processor relationships, you can email:

privacy@archasterlabs.earth

We will respond promptly.

Sub-Processor List

Last Updated: Dec. 4, 2025

Overview

Archaster Labs uses carefully selected third-party service providers (“sub-processors”) to deliver our Services. This page explains:

  • Which providers we use

  • What they process

  • Where they process it

  • The safeguards in place

  • How changes are communicated

All sub-processors are bound by Data Processing Agreements (DPAs) and must comply with:

  • The General Data Protection Regulation (GDPR)

  • The Norwegian Personal Data Act

  • Applicable international data-transfer rules

Important Note on AI Processing

Our AI Gateway transmits your queries — and any associated context you choose to include — to third-party AI providers (such as Google Gemini) on a pass-through, real-time basis.

  • We do not control the physical processing location chosen by the AI provider.

  • We rely on SCCs, DPAs, and published privacy commitments to ensure lawful processing.

  • Providers state that prompts are not used to train public models.

Current Sub-Processors

Below is the full list of sub-processors currently used by Archaster Labs:

1. Lovable Cloud / Supabase

Purpose:
• Backend infrastructure
• Database management
• User authentication
• File storage (uploads)
• Vector embeddings storage
• Serverless functions
• Chat history storage

Data Processed:
• User account data
• Conversation history (for authenticated users)
• Uploaded documents & extracted text
• Vector embeddings
• Session/authentication tokens
• Project metadata

Processing Location:
United States (primary), United Kingdom (London), Belgium
(Location depends on the selected infrastructure region used by Lovable Cloud)

Privacy Policy:
(link to Supabase/Lovable policy)

2. Google Gemini AI (via Lovable AI Gateway)

Purpose:
• Natural language processing
• AI response generation
• Retrieval-augmented generation
• Content interpretation
• Query and context understanding

Data Processed:
• User prompts
• Conversation context
• Chat inputs
• Extracted text from uploaded documents (only what is included in the prompt)
• Geospatial metadata (if included in the prompt)

Processing Location:
Global (Google Cloud Platform regions — location determined by Google)

Privacy Policy:
(link to Gemini/GCP data protection terms)

3. Cloudflare

Purpose:
• CDN services
• DDoS protection
• Bot protection (Turnstile)
• Network-level security

Data Processed:
• IP addresses
• Request metadata
• Browser details
• Turnstile challenge interactions
• High-level routing and operational data

Processing Location:
Global network

Privacy Policy:
(link)

  1. Waitlist (getwaitlist.com)

Purpose:
• Waitlist sign-up management
• Email submissions
• Waitlist analytics (aggregate metrics)
• Referral link tracking (if enabled)

Data Processed:
• Email address
• IP address (via browser request logs)
• Referral link metadata (optional)
• Signup timestamp
• Device + browser information (basic)

Processing Location:
United States (primary), with global CDN distribution

Privacy Policy:
https://getwaitlist.com/privacy-policy

Notes:

  • We use Waitlist only for early-access signups before account creation.

  • Waitlist data is not merged into the Archaster platform until/unless a user converts to an active account.

Document Uploads & Derived Data

When you upload documents (such as PDFs, images, or text files), the file and its extracted text/embeddings may be processed by the following sub-processors:

Supabase / Lovable Cloud

  • for file storage

  • for extracted text storage

  • for embeddings storage

  • for associating the file with your chat

Google Gemini (Indirectly)

  • ONLY if you explicitly reference the uploaded content in a prompt or the system includes extracted text in the model input

  • Google does not receive the original file

  • Google only receives the text you choose to include or that is automatically included for context

When you delete a document or an entire chat, all associated files, extracted text, and embeddings are permanently deleted:

  • from production systems within 30 days,

  • from backups within 90 days.

Data Transfer Safeguards

When data is transferred internationally (outside Norway/EEA), we rely on:

  • Standard Contractual Clauses (SCCs)

  • Data Processing Agreements (DPAs)

  • Technical and organisational safeguards (encryption, access controls, audits)

  • Provider-published compliance commitments

We review all sub-processors before use.

Sub-Processor Changes

If we add, remove, or modify a sub-processor:

  1. We update this page

  2. We update the “Last Updated” date

  3. Enterprise customers receive advance notice as contractually required

We recommend checking this page periodically.

Data Minimization

We share only the minimum data necessary:

  • Cloudflare → only request metadata

  • Stripe → billing/payment data only

  • Google Gemini → only prompts + context needed for the response

  • Supabase → only data required to deliver the service

No sub-processor receives full access to all user data.

Your Rights

Under GDPR and Norwegian law, you may exercise all relevant data-subject rights over data processed by sub-processors, including:

  • access

  • rectification

  • deletion

  • restriction

  • portability

  • objection

Complaints:
Norwegian Data Protection Authority (Datatilsynet), www.datatilsynet.no

Questions or Concerns

If you have questions about our sub-processor relationships, you can email:

privacy@archasterlabs.earth

We will respond promptly.