Sub-processors
Version 1.0 — Effective 20 May 2026
This page is the authoritative list of third-party service providers (“sub-processors”) used to deliver the Profiled platform. It is maintained independently of our Privacy Policy and updated whenever we add, remove, or replace a provider.
1. Why we publish this
A “sub-processor” is a third-party company we use to deliver part of the Profiled service. Under GDPR Article 28, the California Consumer Privacy Act, and the Australian Privacy Principles, we are required (or strongly encouraged) to be transparent about who has access to your data, what they do with it, and where they operate.
Every provider listed below is bound by a Data Processing Agreement (or equivalent contractual obligation) that limits their use of your data to providing services to us. None of these providers are permitted to use your data for their own marketing, advertising, model training, or unrelated commercial purposes.
2. Current sub-processors
The following providers process personal data on our behalf:
| Provider | Purpose | Data processed | Hosting region |
|---|---|---|---|
| Clerk | Authentication & identity | Email, name, OAuth tokens | United States |
| Supabase | Database & storage | All profile and account data | United States (us-east-1) |
| Stripe | Payment processing | Email, billing address, subscription plan | United States |
| Anthropic | AI (primary provider, Claude) | Profile content for AI context | United States |
| OpenAI | AI (failover + voice) | Profile content for AI context; voice audio for real-time transcription | United States |
| LiveKit | Voice WebRTC infrastructure | Voice audio streams (relayed in-flight; not stored) | United States (Cloud); EU on request |
| Fly.io | LiveKit worker hosting | Voice session metadata, transient audio buffers | United States |
| Resend | Transactional & broadcast email | Email address, recipient name, email content | United States |
| Sentry | Error monitoring | Error context, stack traces, anonymised IP address | United States |
| Upstash | Rate limiting & caching (Redis) | User identifiers (hashed), rate-limit counters | United States |
| Vercel | Hosting, CDN & serverless compute | Request metadata, IP address, all in-flight HTTP traffic | United States (primary); global edge cache |
3. How we notify you of changes
When we add a new sub-processor, replace an existing one, or change the data categories a sub-processor receives:
- We update this page and bump the effective date at the top.
- For material additions (a new sub-processor receiving a new category of personal data), we email all account holders with the change summary and a link to this page.
- Enterprise / Agency-tier customers under custom Data Processing Agreements may receive change notifications under additional commitments specified in their contract.
You may withdraw consent and delete your account at any time if you object to a sub-processor change. Self-service deletion is available via Dashboard → Settings → Data.
4. Not sub-processors (out of scope)
The following providers are used internally by Profiled (for operations, code hosting, or operator productivity) but do not receive personal data from the platform itself and are therefore not sub-processors under GDPR Article 28:
- GitHub— source code hosting; receives no user data
- Bitwarden— operator secret storage; receives no user data
- Cloudflare— DNS only; does not terminate TLS or see user traffic
5. Changelog
- 2026-05-20 (v1.0): Initial publication as a standalone page. Added LiveKit + Fly.io to the list (previously implicit via the voice infrastructure description in the privacy policy). Extracted from Privacy Policy §6 inline table.
6. Questions
Questions about a sub-processor, a Data Processing Agreement, or our change-notification commitments should be directed to:
- Email: privacy@profiled.careers
- Data Protection Officer: Martin Aranovitch, Imaginapps Pty Ltd
See also our Privacy Policy for the broader data-handling framework and your rights under GDPR, CCPA, and the Australian Privacy Principles.