Subprocessors
Last updated: November 26, 2025
We use the following service providers (“Subprocessors”) to help us deliver the Services. Each Subprocessor is contractually required to handle personal information securely and only under our instructions.
| Name | Purpose | Cookie Category | Categories of data | Region | Training on customer content | Retention highlights | Links |
|---|---|---|---|---|---|---|---|
| Supabase | Database, authentication, storage | Strictly necessary | Account/profile, auth/session, app DB records, stored assets, logs | Global/US | N/A (no model training) | Customer‑controlled; daily backups; PITR optional | DPASecurityPrivacy |
| Stripe | Payments & billing | Strictly necessary | Payment method, billing info, fraud/risk telemetry, receipts | Global | N/A (no model training) | Retained as needed for legal, fraud, tax, reporting | PrivacyDPA |
| OpenAI | AI chat processing | Strictly necessary | Prompts, attachments, outputs, usage/abuse telemetry | Global | No by default | API data retained up to 30 days; ZDR available for eligible orgs | Your dataBusiness data |
| FAL.ai | AI image generation | Strictly necessary | Prompts, input image URLs/files, job metadata, outputs | Global | Not publicly stated (see Privacy/Terms) | Generated files available ≥ 7 days; then may be deleted | PrivacyTermsFAQ |
| Resend | Transactional emails | Strictly necessary | Message metadata/content, delivery/bounce events, logs | Global | N/A (no model training) | Backups ~7 days; optional content storage off (paid add‑on) | PrivacySecurityContent storage |
| Vercel | Hosting, infrastructure & analytics | Analytics (requires consent) | Deployment artifacts, runtime logs (IP, UA, URL, timestamps), high-level analytics | Global | N/A (no model training) | Retained as needed to provide services and meet legal obligations | PrivacyDPATrust Center |
| Google (Google Analytics) | Product analytics and usage measurement | Analytics (requires consent) | Pseudonymous identifiers (cookies), IP address, device/browser data, page views and events | Global | N/A (no model training on customer content) | Retention per Google Analytics configuration and policies | PrivacyAnalytics data |
| LinkedIn (Insight Tag) | Advertising and conversion analytics | Marketing (requires consent) | Pseudonymous identifiers (cookies), IP address, device/browser data, page visits and conversions | Global | N/A (no model training on customer content) | Retention per LinkedIn’s policies; users can manage preferences in their LinkedIn account | PrivacyInsight Tag |
We may update this list as our Service evolves. For questions, contact matt@vistafy.ai.