Subprocessors & Data Flows
A complete list of the third parties My Feelings Matter relies on to deliver the service, what each one processes, and where student data is stored. Updated whenever a subprocessor is added or changed.
Last updated: 5/22/2026
Frameworks we align to
Supabase (AWS us-east-1)
Purpose: Primary database, authentication, file storage, edge functions
Data processed: All student data, journal entries, assessments, account info
Region: United States
Safeguards: SOC 2 Type II · Encrypted at rest (AES-256) · Row-Level Security
Resend / Lovable Email
Purpose: Transactional email delivery (password resets, weekly digests, DPA confirmations)
Data processed: Recipient email address, name, message subject + body
Region: United States / EU
Safeguards: TLS in transit · DKIM/SPF/DMARC · One-click unsubscribe
Google Gemini (via Lovable AI Gateway)
Purpose: AI-powered coaching responses, journal prompts, content generation
Data processed: Prompt text only — student PII is stripped before sending; outputs are not used for model training
Region: United States
Safeguards: Zero data retention for training · Per-request only · No fine-tuning
OpenAI (via Lovable AI Gateway)
Purpose: Alternate AI model for coaching and assessment scoring
Data processed: Prompt text only — student PII is stripped; outputs are not used for model training
Region: United States
Safeguards: Zero data retention API · No training on inputs
Lovable (application hosting & CDN)
Purpose: Web application hosting, custom domain, SSL termination
Data processed: Application code, static assets, request logs (no student data persisted here)
Region: United States / Cloudflare edge
Safeguards: TLS 1.2+ · DDoS protection · Auto-renewing Let's Encrypt certs
Data flows
| From | To | Payload | Protection |
|---|---|---|---|
| Student / Teacher
(browser) |
Lovable CDN → Supabase API | Auth tokens, check-ins, journal entries | TLS 1.2+, JWT session |
| Supabase Edge Function | Lovable AI Gateway → Gemini/OpenAI |
Coaching prompt (PII-stripped) | TLS, zero-retention API |
| Supabase pg_cron | Resend / Lovable Email | Weekly digest, transactional emails | TLS, DKIM-signed, unsubscribe link |
| District admin (browser) | Supabase → pdf export | Aggregated SEL reports (rendered client-side) | RLS-scoped to admin's classes only |
Data residency
All student data is stored in the United States (AWS us-east-1 via Supabase). We do not transfer student data internationally.
AI inference requests may transit US-based AI providers (Google, OpenAI) but contain no persistently-stored student PII and are not used for model training.
Transactional email may transit Resend infrastructure in the US or EU. Email contents include only recipient name and the email body — not source records.
Change notifications
We notify all district administrators by email at least
30 days before
adding or replacing a subprocessor that handles student data. Districts may object in writing during that window.
