Legal
Subprocessors
These third parties process personal data on our behalf to deliver the Service, under data-processing terms no less protective than our Privacy Policy. We give DPA customers at least 30 days' notice before adding or replacing a subprocessor.
| Subprocessor | Purpose | Data | Location |
|---|---|---|---|
| Supabase, Inc. | Postgres database and authentication | Account data, audit metadata, scores, findings | USA / EU (region selected) |
| Vercel Inc. | Web hosting, edge runtime, build pipeline | All request traffic | USA + global edge |
| Stripe, Inc. | Payment processing, subscription billing | Billing identifiers; card token + last 4 only | USA / global |
| Cloudflare, Inc. | Turnstile anti-abuse, CDN | IP, browser signals (transient) | Global edge |
| Resend, Inc. | Transactional email delivery | Recipient email, subject, body of transactional emails | USA |
| Google LLC | OAuth sign-in + Google Analytics 4 (EU: consent-gated) | Email, name, avatar, OAuth tokens; GA cookie ID, page views, coarse region/device | USA / global |
We also run Umami analytics on our own infrastructure (analytics.aicommerceaudit.com). Because it is self-hosted and cookieless, no analytics data is shared with a third-party analytics vendor.
Change history
- 2026-05-24: Removed Sentry, Upstash, and Trigger.dev from the list — not used in production. We'll add them back here, with notice, if and when they're introduced.
- 2026-05-23: Initial published list. Removed PostHog (never used in production); analytics is GA4 (consent-gated in the EU) + self-hosted cookieless Umami.
Questions about a subprocessor? privacy@aicommerceaudit.com