
Sub-processors

Commune uses the following third-party services that process personal data on our behalf. All transfers outside the EEA/UK are covered by Standard Contractual Clauses (SCCs) or an equivalent transfer mechanism, unless the recipient country has an adequacy decision.

Supabase

Privacy policy / DPA →

Database, file storage, authentication

Data processed: All user data (profiles, items, messages, transactions, auth tokens, session logs)
Location: European Union (AWS eu-central-1 — verify in Supabase project settings)
Notes: Primary data processor. DPA available; must be signed by controller.

Resend

Privacy policy / DPA →

Transactional email delivery

Data processed: Email address, display name, email subject and body per send
Location: United States
Notes: Processes email addresses and send metadata. SCCs apply for EU/GDPR. Resend retains send logs per their policy. DPA must be signed.

Anthropic

Privacy policy / DPA →

AI-powered item price suggestion and item analysis

Data processed: Item title, category, condition, description (free-text — may incidentally contain personal detail)
Location: United States
Notes: No user identifiers are sent. Default data retention: 30 days. Request Zero Data Retention (ZDR) for zero retention. DPA must be signed.

Google Maps Platform

Privacy policy / DPA →

Address/area autocomplete during signup

Data processed: User-typed address query, detected geolocation (browser-side), IP address (per Google's platform policy)
Location: United States / Global
Notes: Google Maps Platform Terms include a data processing amendment. Default query log retention: 12 months. Restricted to Egypt (country: eg).

Vercel

Privacy policy / DPA →

Web application hosting, CDN, serverless function execution

Data processed: IP addresses (access logs), request metadata, environment variables (including service keys at rest)
Location: United States (global CDN edge nodes)
Notes: Platform-level; app code cannot access Vercel's internal logs. Vercel DPA available. Standard log retention: 30 days.

Expo (Expo Inc.)

Privacy policy / DPA →

Mobile application build infrastructure, OTA update delivery

Data processed: Mobile app bundle; EAS build metadata; no direct user personal data unless push notifications are configured via Expo
Location: United States
Notes: Applies to the Commune mobile app only, not the web app.

Bosta (Bosta Technologies S.A.E.)

Privacy policy / DPA →

Courier fulfilment — package pickup from seller, quality-control hub transit, last-mile delivery to buyer

Data processed: Seller name, phone number, pickup address; buyer name, phone number, delivery address; package description (generic — item title is never sent); declared item value
Location: Egypt
Notes: Egyptian-incorporated processor — no cross-border data transfer for courier operations. Addresses are transmitted server-side only and are never exposed client-side to the counterparty. DPA must be signed. Applies only to transactions where the buyer selects courier delivery.

Last updated 31 May 2026. Questions? privacy@commune-eg.com