International Data Transfers
Effective from: 2 July 2026 · Privacy Policy · Terms of Service
This document supplements the BREVET Privacy Policy and describes the legal basis on which personal data is transferred outside the European Economic Area (EEA), where applicable, in connection with the processors that BREVET uses.
1. Why the Transfer Occurs
Some processors used by BREVET to operate the Platform (in particular for payment processing, communication, and hosting) are companies headquartered or corporately structured in the United States. GDPR (Chapter V, Article 44 et seq.) requires that any transfer of personal data outside the EEA be covered by an appropriate legal mechanism — most commonly an adequacy decision or Standard Contractual Clauses (SCCs).
2. Overview of Processors and Transfer Mechanisms
| Processor | Purpose | Transfer mechanism |
|---|---|---|
| Meta Platforms, Inc. (WhatsApp Business Platform) | Delivery of Job-related messages | Certified under the EU-U.S. Data Privacy Framework (DPF), including the UK Extension |
| Stripe, Inc. / Stripe Payments Europe | Payment processing (Stripe Connect) | Certified under the EU-U.S. Data Privacy Framework (DPF), including the UK Extension |
| Twilio Inc. | Automated voice calls (robocalls) to Tradespeople as part of the emergency dispatch cascade | Certified under the EU-U.S. Data Privacy Framework (DPF), including the UK Extension |
| Supabase, Inc. | Data storage, authentication, database hosting | Primary storage in an EU region (Frankfurt); transfer to Supabase, Inc. (USA) covered by Standard Contractual Clauses (SCCs) under the Data Processing Agreement |
| Vercel Inc. | Hosting of the web and mobile application | Standard Contractual Clauses (SCCs) under the Data Processing Agreement — we monitor the current scope of certification on an ongoing basis |
| Google Ireland Ltd. / Google LLC | Web analytics and advertising measurement (Google Analytics, Google Ads) | Certified under the EU-U.S. Data Privacy Framework (DPF), including the UK Extension |
3. A Note on Supabase
Even when a European region (Frankfurt) is selected for primary data storage, Supabase, Inc. remains a U.S. company and, as such, may in theory be subject to requests from U.S. authorities (e.g. under the CLOUD Act) regardless of the physical location of the server. We disclose this transparently in line with the GDPR's accountability principle. This is not a circumstance that currently requires a change of processor, but it forms part of our ongoing documentation of the processing chain.
4. Verifying Certifications
The current list of companies certified under the Data Privacy Framework can be verified in the official registry at www.dataprivacyframework.gov.
5. Your Rights
In connection with the international transfer of data, you have the same rights as set out in the Privacy Policy, including the right to lodge a complaint with the Office for Personal Data Protection (ÚOOÚ), www.uoou.cz, or with the competent supervisory authority in your country of residence.
info@brevet.cz