Data Processing & Sub-processors
Effective date: [EFFECTIVE DATE] Last updated: [EFFECTIVE DATE]
This document describes how the Social application (the "Service") operated by [COMPANY NAME] ("[COMPANY SHORT]") processes personal data and lists the third-party sub-processors that help us deliver it. It supplements the Privacy Policy and the Data Rights Addendum.
1. Processing roles
- For your account and profile data, [COMPANY SHORT] is the controller.
- For conversation content that includes other people's personal data, you are the controller and [COMPANY SHORT] acts as a processor on your behalf, processing it only to provide the Service and per your instructions.
- Our sub-processors act as processors (or, in some cases such as payments, as independent controllers for their own compliance purposes).
2. Categories of data processed
Account identifiers; authentication data; profile and settings; conversation content (audio, transcripts, narrated accounts, context notes); contact/speaker records; coach chat messages; AI-generated outputs; usage and billing metadata; device and log data.
3. Current sub-processors
Keep this table current. Notify users of material changes per the Privacy Policy. Confirm each vendor's data-processing terms and the region(s) where they process data.
| Sub-processor | Function | Data processed | Region(s) |
|---|---|---|---|
| Anthropic (Claude API) | AI analysis, replays, briefings, chat, portrait | Transcripts/narratives, context, generated outputs | [e.g., USA] |
| Deepgram | Audio transcription + diarization | Audio recordings/uploads, resulting transcripts | [e.g., USA] |
| Stripe | Payments, subscriptions, customer portal | Billing identifiers, payment metadata, email | [e.g., USA/Global] |
| Resend | Transactional email (magic links) | Email address, message content | [e.g., USA] |
| Render | Application hosting + database storage | All data stored by the Service | [e.g., USA] |
| Google (OAuth) — *when enabled* | Sign-in with Google | Email, basic profile, auth tokens | [e.g., Global] |
4. Safeguards
- We enter into data-processing agreements (DPAs) with sub-processors where required.
- We limit sub-processors to the data they need for their function.
- For transfers out of the EEA/UK, we rely on appropriate safeguards (e.g., EU Standard Contractual Clauses).
- We do not permit sub-processors to use your conversation content to train their general models, consistent with our agreements and the Privacy Policy.
5. New sub-processors
If we engage a new sub-processor that processes personal data, we will update this list and provide notice where required, giving controllers an opportunity to object where the law or a contract requires it.
6. Security measures (summary)
Encryption in transit; hashed passwords; scoped, expiring authentication tokens; access controls; least-privilege vendor scoping; environment-variable secret management. See the Privacy Policy, Section 12.
Contact: [COMPANY NAME] · Privacy: [PRIVACY EMAIL]