Legal · Subprocessor list
Subprocessors
Last updated: 2026-05-12
This page lists every third party that processes Pikkot user data on our behalf, the purpose of the processing, the jurisdiction where the processor is located, and the contractual safeguards we rely on. It supplements the Privacy Policy with the structured detail required by GDPR Art. 28(2) and Taiwan PDPA §8 (cross-border transfer disclosure).
What we do before adding a new subprocessor
- Review the proposed processor's DPA, security practices, and country-of-processing alignment with our existing privacy notice;
- Add the processor to this page before the integration ships;
- Notify all paying customers by email at least 14 days before the new processor goes live (material changes only — adding a US analytics provider qualifies; switching a US analytics provider for an equivalent US one does not);
- Honour any objection from a paying customer within the 14-day window: we'll find an alternative, accept a service downgrade, or — if no alternative exists — offer a pro-rata refund of the remaining subscription period.
Currently engaged subprocessors
Mobile readers: scroll horizontally on the table below.
| Processor | Purpose | Jurisdiction | Data categories | Safeguards |
|---|---|---|---|---|
| Vercel, Inc. | Web hosting + edge runtime (Next.js) | United States (global edge) | Request logs, IP for abuse detection, signed-in session cookies | Vercel DPA (SCCs), 30-day log retention, customer's own region pinning |
| Supabase, Inc. | Authentication + Postgres database | Singapore (ap-southeast-1) | Account email, password hash, user metadata, pack rows, transaction rows, audit logs | Supabase DPA with EU SCCs, bcrypt password hashing, RLS at database layer |
| Cloudflare, Inc. (R2 object storage + DNS) | Reference image, generated artwork, zip bundle storage | Global CDN, primary region: Asia-Pacific | Uploaded reference photos, AI-generated images, packed zip archives | Cloudflare DPA, server-side encryption at rest, signed PUT/GET URLs (5-min TTL) |
| Inngest, Inc. | Background workflow orchestration (pack generation pipeline) | United States | Workflow event payloads (pack IDs, user IDs, generation parameters) | Inngest DPA, event payloads exclude raw reference images (only R2 keys) |
| Lemon Squeezy, LLC | Payment processing (Merchant of Record — handles VAT, sales tax, refunds globally) | United States (Delaware) | Order ID, subscription state, amount, billing email, billing country. We do NOT receive card numbers or tax-purpose billing addresses. | Lemon Squeezy DPA, PCI DSS Level 1, Sole MoR for all payments |
| Resend, Inc. | Transactional email (sign-up confirmation, pack-ready, refund notice) | United States | Recipient email address, email subject, delivery metadata | Resend DPA, no email body content stored after delivery |
| Anthropic, PBC | Pack planning + content moderation (Claude models) | United States | Theme text, reference image (for moderation only), planner output | Anthropic Commercial Terms (no training on customer data), 30-day retention |
| Google LLC (Vertex AI) | Sticker image generation (Imagen / Gemini family) | United States (regional, configurable) | Reference image, generation prompts, generated images | Google Cloud DPA, Vertex AI commercial terms (no training) |
| fal.ai, Inc. | Background-removal model runtime | United States | Reference image (for background segmentation) | fal.ai Terms of Service, ephemeral processing (no persistent storage) |
| OpenAI, L.L.C. | Reserved capacity for future features; not currently in the active request path | United States | Not currently processing any user data | OpenAI Business Terms (no training on API data), 30-day retention |
| Functional Software, Inc. (Sentry) | Error tracking + performance monitoring | United States | Server-side error stack traces, request URL, user ID hash, no sensitive PII captured | Sentry DPA with SCCs, server-side PII scrubbing, 90-day retention |
| PostHog, Inc. | Product analytics (consent-gated — only loaded when the user accepts analytics cookies) | United States (US Cloud — EU Cloud available on request) | Anonymous user ID, page views, feature interactions, viewport | PostHog DPA, opt-in consent banner, IP anonymisation enabled |
| Axiom Systems, Inc. | Structured log shipping (server-side request logs) | United States | Request logs, HTTP status, timing, user ID hash. No payload bodies shipped. | Axiom DPA, 30-day retention, server-side log scrubbing for known PII patterns |
| Upstash, Inc. | Rate limiting (Redis) + webhook deduplication | United States (configurable region) | Rate-limit counters keyed by user ID hash, webhook body SHA-256 fingerprints | Upstash DPA, no personal-data values stored (counts + opaque IDs only), TLS in transit |
Cross-border transfers
The table above shows that most processing happens outside Taiwan (the operator's jurisdiction). For each transfer we rely on one or more of the following safeguards:
- EU Standard Contractual Clauses (SCCs) with US processors that publish their DPAs publicly (Vercel, Anthropic, Google, Sentry, PostHog, Resend, Lemon Squeezy);
- Supabase Regional Hosting Agreement for the Postgres database in Singapore (ap-southeast-1);
- Taiwan PDPA §6 written disclosure — by accepting our Privacy Policy at sign-up, you consent to the cross-border transfers listed here. You may object within 30 days of sign-up and we will delete your account data if you do.
- GDPR Art. 49 derogations for one-shot consumer transactions where SCCs aren't yet executed (this applies to Upstash and fal.ai — we're moving these to SCCs before exiting closed beta).
Notification of changes
We commit to the following notice protocol for changes to this list:
- 14 days advance email to all paying customers before adding a new processor that handles user-uploaded content or generated artwork;
- 30 days advance email if a processor change involves a new country-of-processing not already covered by an existing SCC;
- No notice required for like-for-like replacements (e.g. swapping one US observability vendor for another with equivalent safeguards) — but the page is updated immediately.
How to object
If you object to a specific subprocessor — perhaps because of recent enforcement action against them, a country-of-processing concern, or any other reason — email hi@pikkot.com with the subject line "Subprocessor objection". We will respond within 5 business days with one of:
- An alternative processor we can route your account through;
- A reduced-functionality option (e.g. opt out of analytics-only processors);
- A pro-rata refund of the remaining subscription period if no alternative works.
Audit rights (Pro and enterprise customers)
Pro-tier and future enterprise customers may request a copy of any subprocessor's publicly-available DPA or SOC 2 / ISO 27001 audit report. We pass the request through to the processor on your behalf. Email hi@pikkot.com with the subject "Audit request".
This subprocessor list is informational and supplements (but does not replace) the Privacy Policy. In the event of conflict, the Privacy Policy controls.