Subprocessor List
Current as of the Privacy Policy version date. We notify users of material changes at least 14 days in advance.
Each processor is bound by a Data Processing Agreement and, where applicable, the EU–US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs).
| Subprocessor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Supabase | Database, auth, storage, edge functions | Account data, brand assets, usage data | US (or EU region if configured) | DPF (verify) + SCCs |
| Vercel | Hosting, CDN, serverless runtime, cron | Request logs, IP (ephemeral) | US | DPF + SCCs |
| Sentry | Error tracking | Anonymised stack traces, user ID | US | DPF + SCCs |
| Mixpanel | Product analytics — funnels, cohorts (opt-in only). Optional Session Replay (separate, granular opt-in) for UX debugging. | Usage events, $device_id, user_id, tenant_id, role, email, name. Session Replay (when enabled): masked DOM events of in-app interactions; payment, integration, admin, and brand-KB routes are excluded entirely. | EU (Frankfurt) | EU residency for primary storage; SCCs for any incidental US support access |
| Google (Analytics 4) | Audience and acquisition analytics (opt-in only) | Pseudonymous client_id, page URL, referrer, user_id once authenticated | US (with EU regional collection per GA4 default) | DPF + SCCs |
| Google (Ads / Conversion Tracking) | Measure ad campaign conversions and build remarketing audiences (separate opt-in). Without consent, runs in Consent Mode v2: anonymous, cookieless conversion pings only. | Pseudonymous click ID (gclid), conversion event, page URL. With advertising opt-in: cookie-based audience identifiers for remarketing. | US | DPF + SCCs |
| Paddle (Merchant of Record) | Payment processing, billing, subscription management, and sales-tax/VAT/GST calculation and remittance. Acts as the seller of record and an independent controller for payment and tax data. | Name, email, billing address, payment card details (held by Paddle, not us), transaction and tax records | UK / US | UK adequacy + SCCs |
| Resend | Transactional email | Email address, name, message body | US | DPF + SCCs |
| OpenAI | AI content generation | Prompts + brand context | US | DPF |
| Anthropic | AI content generation | Prompts + brand context | US | SCCs |
| Google (Gemini) | AI fact-checking | Prompts + brand context | US / EU | DPF |
| OpenAI gpt-image-2 | AI image generation (hero, social, Instagram) | Image prompts | US | DPF |
| Customer-connected integrations (WordPress, Buffer, WooCommerce, Google Ads, Meta Ads, Brevo) | Publishing + analytics | API keys, publishing payloads, analytics | Varies per vendor | Customer-configured |
To subscribe to change notifications or ask questions about this list, email admin@coolest.agency.