Subprocessors
Updated 2026-04-30
This page lists third-party services we use to provide SellerCard. Each subprocessor is engaged under a Data Processing Agreement (or equivalent) that binds them to the standards of GDPR Art. 28 and applicable US state privacy laws. We notify active enterprise customers 30 days in advance of adding or removing a subprocessor.
| Subprocessor | Purpose | Data categories | Location | Transfer mechanism |
|---|---|---|---|---|
| Supabase, Inc. | Authentication, database, object storage | Email, user ID, auth tokens, uploaded product images, generated images, usage metadata, billing identifiers | United States / EU (Frankfurt region) | EU Standard Contractual Clauses |
| OpenAI, L.L.C. | AI image generation (gpt-image-2 / gpt-image-1.5), text generation, moderation | Uploaded product images, text prompts, product names and features (to the extent user provides) | United States | EU-US Data Privacy Framework (DPF-certified) |
| LemonSqueezy (Stripe Inc.) | Payment processing as Merchant of Record: charges card, collects VAT/sales tax, issues invoices, handles chargebacks. Uses Stripe Inc. as underlying payment processor. | Email, billing address, payment instrument data, transaction records, IP address | United States | EU Standard Contractual Clauses (in LS DPA); Stripe DPF-certified |
| Resend (Resend, Inc.) | Transactional email delivery (signup, purchase receipts, password reset) | Email address, first name, email content | United States | EU Standard Contractual Clauses |
| PostHog, Inc. | Product analytics, feature flag evaluation, session replay on errors | Device metadata, page views, in-app events, session identifiers | United States / EU | EU Standard Contractual Clauses |
| Sentry (Functional Software, Inc.) | Application error tracking and performance monitoring | Error stack traces, request metadata, user ID (if authenticated), browser metadata | United States | EU Standard Contractual Clauses |
| Cloudflare, Inc. | Bot protection (Turnstile), DNS, DDoS protection | IP address, browser fingerprint, challenge response | United States (global CDN) | EU-US Data Privacy Framework (DPF-certified) |
| Mendable (Firecrawl) | Web scraping for competitor and product research (user-initiated only) | URLs provided by users, scraped page content | United States | EU Standard Contractual Clauses |
| Telegram FZ-LLC | Optional Telegram bot for alerts and bonus claim | Telegram user ID and username (only for opted-in users) | United Arab Emirates | User consent (Art. 49(1)(a) GDPR) |
| Google LLC | Google OAuth Sign-In (when user picks Continue with Google); Google Analytics 4; Google Ads conversion tracking (Consent Mode v2 gated) | Email, name, profile picture URL (OAuth); pseudonymized usage events, click identifiers (gclid, Consent Mode signals) | United States / EU | EU-US Data Privacy Framework (DPF-certified) |
| Apple Inc. | Apple OAuth Sign-In (when user picks Continue with Apple) | Email (or private relay address), name (optional, first login only) | United States | EU Standard Contractual Clauses |
| Meta Platforms, Inc. | Facebook OAuth Sign-In (when user picks Continue with Facebook); Meta Conversions API for Purchase events (transactional, legitimate interest) and, with consent, other attribution events | Email, name (OAuth); hashed email + IP + user agent (CAPI) | United States | EU-US Data Privacy Framework (DPF-certified) |
| fal.ai (Featherless, Inc.) | Kling image-to-video generation for product clips | Uploaded / generated product images, text prompts | United States | EU Standard Contractual Clauses |
| Iubenda s.r.l. | Privacy / cookie consent management, Privacy Policy hosting | Consent records (hash of consent, timestamp, preference) | European Union (Italy) | Adequate jurisdiction (EU) |
| BetterStack (Better Stack GmbH) | Uptime monitoring and status page | HTTP response metadata from public health endpoints only (no PII) | European Union (Czech Republic) | Adequate jurisdiction (EU) |
How to contact us
Data Subject Requests under GDPR Art. 15–22 (access, deletion, portability), CCPA (Do Not Sell / Share), or any other privacy concern should be directed to privacy@sellercards.com. We respond within 30 days.
Controller of record
CREATIVESERVICE EOOD, registered in the Republic of Bulgaria. Company identifier and full address are available on request.