
SUB-PROCESSORS
Last updated July 06, 2026
ABOUT THIS PAGE
We are Kranz & Gupta, Indiepal GbR ("Company," "we," "us," "our"), the operators of the Preb booking and scheduling platform available at the website https://preb.co (the "Site" and, together with our related products and services, the "Services").
To operate the Services, we rely on a limited number of carefully selected third-party companies that process personal data on our behalf. These companies are our "sub-processors." This page tells you who they are, what each one does, what categories of personal data they handle, where they are located, and how we notify you when the list changes. Being transparent about our supply chain is part of how we earn and keep your trust.
This page supplements, and forms part of, our Privacy Policy, our Terms and Conditions, and any Data Processing Agreement ("DPA") we have entered into with you, each of which is incorporated into this page by reference. Capitalized terms that are not defined here have the meaning given to them in those documents or in applicable data-protection law. If there is any conflict between this page and a signed DPA between you and us, the DPA controls.
We reserve the right, in our sole discretion, to make changes or modifications to this page at any time. We will alert you to changes by updating the "Last updated" date at the top of this page and, where required, by following the notification process described in Section 9. Your continued use of the Services after an updated list is posted constitutes your acknowledgment of the change, subject to any objection rights described below. We recommend that you review this page periodically and print or save a copy for your records.
TABLE OF CONTENTS
1. DEFINITIONS
In this page, the following terms have the meanings set out below. Where they are also defined in the GDPR or another applicable data-protection law, they carry that statutory meaning.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed through the Services.
- "Controller" means the party that determines the purposes and means of processing Personal Data. When you use the Services to manage your own bookings, contacts, and customers, you are generally the Controller.
- "Processor" means a party that processes Personal Data on behalf of the Controller. When we process the data you upload or generate through the Services, we generally act as your Processor.
- "Sub-processor" means any third party engaged by us to process Personal Data on our behalf in connection with providing the Services, as further described on this page.
- "Data Subject" means the individual to whom Personal Data relates — for example, a member of your workspace, a booking guest, a contact, or a website visitor.
- "GDPR" means Regulation (EU) 2016/679 (the EU General Data Protection Regulation) and, where applicable, the equivalent United Kingdom regime (the "UK GDPR").
- "DPA" means a Data Processing Agreement or Addendum entered into between you and us that governs our processing of Personal Data on your behalf.
- "Standard Contractual Clauses" (or "SCCs") means the standard data-protection clauses adopted by the European Commission (and, where relevant, the UK International Data Transfer Agreement or Addendum) for the transfer of Personal Data to third countries.
2. OUR ROLE AND RESPONSIBILITY
In relation to the Personal Data you and your team upload, generate, or manage through the Services — such as your contacts, booking guests, and deal records — we generally act as a Processor acting on your instructions, and you act as the Controller. In relation to certain limited data that we determine the purposes of ourselves — such as your account and billing information, and data we use to secure, operate, and improve the Services — we act as an independent Controller, as described in our Privacy Policy.
Where we act as your Processor, each sub-processor we engage acts as a further processor. We remain fully responsible to you for the performance of our sub-processors' obligations, and we require them, by written contract, to observe data-protection obligations that are no less protective than those in our own agreement with you, in accordance with Article 28 of the GDPR and equivalent laws. Engaging a sub-processor does not relieve us of our responsibilities to you.
By using the Services, you provide a general authorization for us to engage the sub-processors listed in Section 4, and to add or replace sub-processors in accordance with Section 9 and any applicable DPA.
3. HOW WE SELECT AND MANAGE SUB-PROCESSORS
We only engage sub-processors that we believe provide sufficient guarantees to implement appropriate technical and organizational measures to protect Personal Data. Before engaging a new sub-processor, and on an ongoing basis, we take reasonable steps to ensure that our supply chain remains trustworthy, including by:
- Due diligence. Assessing the sub-processor's security practices, certifications, reputation, and data-protection posture before onboarding, and reassessing where circumstances change.
- Written contracts. Entering into a data-processing agreement (or relying on the sub-processor's equivalent terms) that imposes confidentiality, security, purpose-limitation, transfer-safeguard, deletion, and assistance obligations no less protective than our own.
- Data minimization. Sharing only the Personal Data that a sub-processor genuinely needs to perform its function, and limiting its use to that purpose.
- Transfer safeguards. Putting in place appropriate safeguards, such as SCCs, for any transfer of Personal Data outside the EEA, the United Kingdom, or Switzerland (see Section 7).
- Ongoing oversight. Monitoring our sub-processors' continued suitability and acting where a sub-processor no longer meets our standards, including by replacing it.
4. OUR CURRENT SUB-PROCESSORS
The following third parties process Personal Data on our behalf as part of the core operation of the Services. Some of these providers rely, in turn, on their own infrastructure sub-processors (for example, cloud hosting providers such as Amazon Web Services), which they engage under equivalent obligations. Not every sub-processor processes every category of Personal Data, and some are engaged only in connection with specific features you choose to use.
| Sub-processor | Purpose of processing | Personal Data processed | Location |
| Supabase, Inc. | Application database, authentication, and file storage hosting | Account, workspace, booking, contact, and login data | United States (on cloud infrastructure) |
| Vercel Inc. | Application hosting, serverless compute, and content delivery | Request data, IP addresses, and any data submitted through the Services | United States |
| Upstash, Inc. | Rate limiting and caching (Redis) to keep the Services secure and responsive | IP addresses and transient request identifiers | United States / European Union |
| Stripe, Inc. (and Stripe Payments Europe, Ltd.) | Subscription billing and payment processing | Name, email, billing details, and payment / transaction data | United States / Ireland |
| Resend (Plus Five Five, Inc.) | Delivery of transactional and account emails (e.g. booking confirmations, magic links) | Recipient name, email address, and email content | United States |
| Functional Software, Inc. (Sentry) | Error monitoring, performance measurement, and diagnostics | Technical error data, which may incidentally include IP addresses and user identifiers | United States |
| Tolt | Referral and affiliate program management (see our Referral Program Terms) | Partner email address, referral link, and commission data | United States |
| Featurebase | In-app support, feedback, and feature-request widget | Name, email, and support / feedback content you submit | European Union |
The entity names, purposes, and locations above are provided in good faith and may be updated from time to time as providers change their corporate details, hosting regions, or the scope of their services. If you require the current list at any time, or details of a specific sub-processor's safeguards, please contact us using the details in Section 13.
5. CUSTOMER-ENABLED INTEGRATIONS
In addition to the sub-processors listed in Section 4, the Services let you connect optional third-party integrations. These services only receive Personal Data if and when you (or a member of your workspace) choose to connect them, and they typically process that data under your own account and agreement with the relevant provider. When you direct data to these services, you do so as the Controller of that data, and their processing is governed by their own terms and privacy policies rather than solely by our instructions. We are not responsible for the acts or omissions of these providers.
| Integration | Purpose (when you connect it) | Location |
| Google LLC | Google sign-in, Google Calendar sync, and conversion measurement (Google Ads) | United States |
| Microsoft Corporation | Outlook / Microsoft 365 calendar sync via Microsoft Graph | United States / European Union |
| Zoom Communications, Inc. | Automatic creation of Zoom meetings for bookings on a host's connected account | United States |
| Slack Technologies, LLC | Sending workspace notifications to a connected Slack workspace | United States |
| Meta Platforms, Inc. | Conversion measurement via the Meta Pixel and Conversions API when you enable tracking | United States / Ireland |
If you do not connect these integrations, no Personal Data is shared with the corresponding provider through them. Where you enable a tracking or advertising integration (such as the Meta Pixel or Google Ads measurement), you are responsible, as Controller, for providing any legally required notices and for obtaining any required consent from your website visitors and booking guests before that data is collected or shared.
6. CATEGORIES OF DATA AND DATA SUBJECTS
Depending on how you use the Services, our sub-processors may process the following categories of Personal Data, relating to the following categories of Data Subjects:
Categories of Data Subjects
- You and the members, administrators, and hosts of your workspace (your "users").
- Your booking guests, invitees, contacts, leads, and customers.
- Visitors to your public booking pages and any Referral Program partners.
Categories of Personal Data
- Identity and contact data — such as name, email address, phone number, and time zone.
- Booking and scheduling data — such as event types, appointment times, meeting locations, and answers to booking questions.
- Account and authentication data — such as login credentials, session identifiers, and role or permission information.
- Billing and transaction data — such as plan, billing contact, and payment records (full card details are handled by our payment processor, not stored by us).
- Technical and usage data — such as IP addresses, device and browser information, log data, and diagnostic information.
- Support and feedback data — such as the content of support messages and feature requests you submit.
You control what Personal Data you and your users submit through the Services. You should not submit special categories of Personal Data (such as health, biometric, or financial-account data) through free-text or booking fields unless you have a lawful basis to do so and have satisfied yourself that such use is appropriate.
7. INTERNATIONAL DATA TRANSFERS
Some of our sub-processors are located, or process Personal Data, outside the European Economic Area ("EEA"), the United Kingdom, or Switzerland — in particular in the United States. Where Personal Data is transferred to a country that has not received an adequacy decision, we rely on appropriate safeguards recognized under applicable data-protection law, such as the European Commission's Standard Contractual Clauses (together with the UK International Data Transfer Addendum, where relevant), and we implement supplementary technical and organizational measures where necessary. Certain providers may also be certified under the EU–U.S. Data Privacy Framework and its UK and Swiss extensions.
You can request further information about the specific safeguards we rely on for a given sub-processor, and a copy of the relevant clauses (with commercially confidential terms redacted), by contacting us using the details in Section 13.
8. SECURITY AND CONFIDENTIALITY
We require each sub-processor to maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures typically include encryption in transit and, where appropriate, at rest; access controls and authentication; network and application security; logging and monitoring; and personnel confidentiality obligations.
Each sub-processor is contractually required to keep Personal Data confidential and to process it only for the purposes of providing its service to us. Where a sub-processor experiences a personal-data breach affecting your data, we will cooperate with it to obtain the information reasonably necessary to meet our own notification obligations to you under our DPA and applicable law.
9. CHANGES AND NOTIFICATION
We may add, remove, or replace sub-processors as our Services evolve. When we do, we will update this page and revise the "Last updated" date. Where we have entered into a DPA with you that requires advance notice of new sub-processors, we will provide notice in accordance with that DPA before the new sub-processor begins processing Personal Data, so that you have a fair opportunity to review the change and, if applicable, to object under Section 10.
If no specific notice period is agreed in a DPA, we will use reasonable efforts to give you a fair opportunity to review material changes before they take effect. To receive notifications of changes to this list, you can subscribe to updates (where we offer that option) or contact us to be added to our notification list. Your continued use of the Services following an update constitutes your acknowledgment of the updated list, subject to your objection rights below.
10. YOUR RIGHT TO OBJECT
If you have a legitimate, data-protection-related objection to a new or replacement sub-processor, you may notify us in writing within any objection period set out in your DPA or, if none is specified, within thirty (30) days of the update being posted or notified. Your objection should explain the reasonable grounds for it.
On receiving a valid objection, we will work with you in good faith to address your concern — for example, by proposing a commercially reasonable alternative, an additional safeguard, or a configuration change. If we are unable to resolve your objection and we nonetheless proceed to use the sub-processor for processing that materially and adversely affects your Personal Data, you may, as your sole and exclusive remedy, terminate the affected portion of the Services in accordance with your agreement with us. If you do not object within the applicable period, the updated list of sub-processors is deemed accepted.
11. YOUR RESPONSIBILITIES
As Controller of the Personal Data you process through the Services, you are responsible for: (1) having a valid lawful basis for the processing and, where required, obtaining any necessary consents from your Data Subjects; (2) providing your Data Subjects with any privacy notices required by law, including where you enable optional integrations or tracking features; (3) ensuring that your instructions to us comply with applicable law; and (4) configuring and using the Services, and any integrations you connect, in a compliant manner. You must not use the Services in a way that would cause us or any sub-processor to violate applicable data-protection law.
12. DATA SUBJECT RIGHTS
Depending on your location, Data Subjects may have rights under applicable data-protection law, including the rights to access, correct, delete, restrict, or object to the processing of their Personal Data, and the right to data portability. Where we act as your Processor, we will provide reasonable assistance to help you respond to Data Subject requests, taking into account the nature of the processing and the information available to us. If a Data Subject contacts us directly about data we process on your behalf, we will, where lawful and appropriate, refer them to you as the Controller. Requests concerning data held by our sub-processors are handled by them under their agreements with us and with you. For more information about how we handle Personal Data for which we are the Controller, and how to exercise your rights, please see our Privacy Policy.
13. CONTACT US
For questions about our sub-processors, this page, our data-processing practices, or to submit an objection or request under this page, please contact us at:
Kranz & Gupta, Indiepal GbR
Brunnenstr. 11
Bonn, NRW 53123
Germany
Phone: (+49)15679 568914