Sub-processors

Last Updated: October 25, 2025

This page lists all sub-processors (third-party service providers) used by Earn Coupon d.o.o. to deliver the LTV SaaS service. We are committed to transparency about which parties process your data.

As required by GDPR Article 28, we will notify you 30 days before adding or replacing any sub-processor. You have the right to object to changes.

1. Infrastructure Sub-processors

These providers host and deliver the core service infrastructure:

2. Communication Sub-processors

3. Payment Sub-processors

4. Data Recipients (Not Sub-processors)

Important: These are platforms YOU connect, and we send data TO them on your behalf. They are data recipients, not our sub-processors:

• Google Ads - Receives conversion events with GCLID attribution (via OAuth you authorize)
• Meta Conversions API - Receives conversion events with FBCLID/FBP attribution (via token you provide)
• TikTok Events API - Receives conversion events with TTCLID attribution (via OAuth you authorize)
• LinkedIn Ads - Receives B2B conversion events with LinkedIn tracking UUID (via OAuth you authorize)

YOU control which platforms receive data through your dashboard configuration. We only send data to platforms you explicitly connect.

5. Sub-processor Change Notification

5.1 Notification Process

Before engaging a new sub-processor or replacing an existing one:

• We will send email notification to your account email
• Notification will be sent at least 30 days in advance
• Email will include: sub-processor name, services provided, location, safeguards
• You may object to the change within 30 days

5.2 Objection Rights

If you object to a sub-processor change:

• Notify us in writing within 30 days
• Provide legitimate grounds for objection
• We will work with you to find alternative solution
• If no solution found, either party may terminate the agreement

6. Sub-processor Security Requirements

All sub-processors must:

• Provide sufficient guarantees of GDPR compliance
• Implement appropriate technical and organizational security measures
• Be bound by written contract with same data protection obligations
• Undergo regular security audits (SOC 2, ISO 27001, or equivalent)
• Maintain cyber insurance for data breaches

7. International Data Transfers

For sub-processors located outside the EEA:

• Supabase (US operations): Standard Contractual Clauses + supplementary encryption
• Vercel (US): Standard Contractual Clauses + edge encryption
• Resend (US): Standard Contractual Clauses + TLS
• Lemon Squeezy (US): Standard Contractual Clauses + PCI-DSS

8. Audit & Compliance

We require sub-processors to:

• Provide annual compliance reports (SOC 2, ISO certifications)
• Submit to periodic security assessments
• Maintain appropriate data breach insurance
• Notify us of any security incidents within 24 hours

9. Changes to This List

This page is current as of the "Last Updated" date above. We will:

• Update this page when sub-processors change
• Send email notification 30 days in advance
• Maintain historical records of sub-processor changes

10. Contact Information

Questions about sub-processors or data processing?

Earn Coupon d.o.o.
Data Protection Officer
75 Vodovodska street
Belgrade, Serbia
Tax ID (PIB): 107955125
Email: admin@ltvsaas.com

This Sub-processors list is part of our Data Processing Agreement and is incorporated into our Terms of Service.