What This Is
Under GDPR Article 28, we are required to disclose the third-party services ("sub-processors") that process personal data on our behalf. This page lists every service that has access to any personal data flowing through EWEPIP.
We keep this list deliberately short. Most platforms have dozens of sub-processors. We have six, and four of them are self-hosted on our own hardware.
Current Sub-processors
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Square Third-party | Payment processing (primary) | Card details, billing name, billing address, transaction amounts | USA |
| Stripe Third-party | Payment processing (backup/enterprise) | Card details, billing name, billing address, transaction amounts | USA |
| Cloudflare Third-party | CDN, DNS, DDoS protection, tunnel | IP addresses, request metadata, TLS termination | USA / Global edge network |
| Redis Self-hosted | Session storage, caching | Session tokens, user preferences, temporary data | USA (on-premise servers) |
| PostgreSQL Self-hosted | Primary database | All user data, marketplace data, social data, POS data | USA (on-premise servers) |
| Ollama (Qwen models) Self-hosted | AI inference for Talk to EWE | Chat messages (processed in real-time, not stored permanently) | USA (on-premise servers) |
Note About Self-Hosting
Most of our infrastructure is self-hosted on our own physical servers. Your data does not leave our hardware for the majority of operations.
Here is what "self-hosted" means in practice:
- AI processing — Talk to EWE runs on Ollama with Qwen models on our own GPU servers. Your chat messages are never sent to OpenAI, Anthropic, Google, or any cloud AI provider.
- Database — PostgreSQL runs on our own Dell R420 server. User accounts, marketplace listings, social posts, POS transactions — all stored on hardware we physically control.
- Caching — Redis runs on the same on-premise infrastructure. Session data and temporary caches never leave our servers.
- File storage — Uploaded media (product images, profile photos, video content) is stored on our own servers, not on Amazon S3, Google Cloud Storage, or similar cloud services.
The only data that leaves our physical infrastructure is payment card data (routed to Square or Stripe for PCI-compliant processing) and web traffic metadata (routed through Cloudflare for CDN and security).
No Data Brokers
We do not share data with data brokers, advertising networks, or marketing platforms. Ever.
To be explicit about what we do not use:
- No Google Analytics, Google Tag Manager, or any Google tracking
- No Facebook Pixel, Meta tracking, or social media trackers
- No Mixpanel, Amplitude, Segment, or behavioral analytics platforms
- No Hotjar, FullStory, or session recording tools
- No advertising networks (Google Ads, Facebook Ads, programmatic ad exchanges)
- No data enrichment services (Clearbit, ZoomInfo, etc.)
- No email marketing platforms that track opens and clicks (Mailchimp, SendGrid marketing)
If a service is not on the table above, it does not have access to your data.
Changes to This List
We update this page whenever our sub-processor list changes. Per our Data Processing Agreement, we provide at least 30 days notice before adding a new sub-processor.
To stay informed about changes:
- Check this page monthly
- Subscribe to sub-processor updates by emailing [email protected] with the subject "Subscribe to subprocessor updates"
If you object to a new sub-processor, you may contact us within 14 days of notification. See our DPA for the full objection process.