Sub-processors

Last Updated: May 15, 2026

SellerAide engages the third-party service providers ("sub-processors") listed below to operate the Service. Each sub-processor is contractually bound to protect data they process on our behalf, in line with our Privacy Policy.

We review every sub-processor at least annually and prefer providers that hold SOC 2 Type II or equivalent independent attestation. We will update this page before adding a new sub-processor that materially changes how your data is processed.

Core Infrastructure

  • Vercel, Inc.

    • Purpose: Application hosting, edge network, content delivery for the website.
    • Region: United States (multi-region edge).
    • Data processed: Request logs, IP addresses, browser metadata, the application code and assets, and (in transit) any content you submit through the Service.
    • Security & compliance: SOC 2 Type II. TLS 1.3 by default. ISO 27001.

  • Supabase, Inc.

    • Purpose: Authentication, Postgres database, file storage, database backups.
    • Region: United States — AWS US East (us-east-1) by default.
    • Data processed: Account records, hashed passwords, conversation history, generated listings, brand information, brand assets, listing images, OAuth tokens (encrypted at the application layer), usage events.
    • Security & compliance: SOC 2 Type II. AES-256 encryption at rest. Row-level security policies enforced on every multi-tenant table.

  • Stripe, Inc.

    • Purpose: Payment processing, subscription management, invoicing, tax compliance.
    • Region: United States (global processing infrastructure).
    • Data processed: Payment-method token, card brand and last four, billing address, subscription state, invoices.
    • Security & compliance: PCI DSS Level 1. SOC 2 Type II. ISO 27001.

  • Upstash, Inc.

    • Purpose: Redis-based rate limiting.
    • Region: United States.
    • Data processed: Short-lived rate-limit counters keyed on IP address or user identifier.
    • Security & compliance: SOC 2 Type II. TLS 1.2+.

  • Resend, Inc.

    • Purpose: Transactional email delivery (account emails, feedback handoffs).
    • Region: United States.
    • Data processed: Recipient email addresses, message bodies, delivery metadata.
    • Security & compliance: SOC 2 Type II.

AI Providers

Both AI providers below operate under their paid commercial API terms. Neither uses your inputs or outputs to train their models. See Section 4 of the Privacy Policy for what we send and what we do not send.

  • Google LLC — Gemini API

    • Purpose: AI-powered listing generation, rewriting, optimization, brand discovery interviews, AI logo variants, AI mockups.
    • Region: United States.
    • Data processed: Product descriptions, conversation history, listing fields being audited or rewritten, brand voice samples, brand assets including source logo images for image generation, website text supplied for analysis.
    • Security & compliance: Processed under the Google Cloud / Vertex AI commercial API terms. No training on customer inputs or outputs. SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018.

  • Anthropic PBC — Claude API

    • Purpose: Alternative AI provider for listing generation, rewriting, and chat-based assistance.
    • Region: United States.
    • Data processed: Same as Google Gemini above, when the Anthropic provider is the configured AI provider.
    • Security & compliance: Processed under Anthropic's Commercial Terms of Service. No training on customer inputs or outputs. SOC 2 Type II.

Analytics & Marketing

Analytics, marketing, and affiliate tracking are non-essential. See our Cookie Policy for the consent and opt-out options that apply to these providers.

  • Google LLC — Google Analytics 4

    • Purpose: Website usage analytics.
    • Region: United States.
    • Data processed: Pageviews, session metadata, IP-derived approximate location, device and browser characteristics, referring URLs.
    • Security & compliance: SOC 2 Type II. IP anonymization enabled.

  • Meta Platforms, Inc. — Meta Pixel

    • Purpose: Ad conversion tracking and retargeting for Facebook and Instagram ads.
    • Region: United States.
    • Data processed: Pageviews, event signals (signup, subscribe), device identifiers, IP address.
    • Security & compliance: SOC 2. Subject to Meta's Business Tools Terms.

  • Rewardful, Inc.

    • Purpose: Affiliate-program click tracking and attribution.
    • Region: Canada / United States.
    • Data processed: Affiliate referral identifier, click timestamp, signup and subscription events.
    • Security & compliance: TLS in transit. Per Rewardful's published security overview.

Optional Marketplace Integrations

These sub-processors are engaged only when you choose to connect your account on the corresponding marketplace.

  • eBay Inc. — Developer API

    • Purpose: Push AI-generated listings to your eBay drafts when you connect your eBay account.
    • Region: United States.
    • Data processed: eBay User ID, encrypted OAuth tokens, listing payloads we transmit on your behalf.
    • Security & compliance: Per the eBay Developer Program agreements.

  • Etsy, Inc. — Open API v3

    • Purpose: Push AI-generated listings to your Etsy shop as drafts when you connect your Etsy account.
    • Region: United States.
    • Data processed: Etsy User ID, Shop ID, Shop Name, granted OAuth scopes, encrypted OAuth tokens, listing payloads we transmit on your behalf.
    • Security & compliance: Per the Etsy API Terms of Use.

  • Amazon Services LLC — Selling Partner API (SP-API)

    • Purpose: Import your Amazon catalog and listings, and push optimized updates back to Amazon, when you connect your Amazon seller account. Integration is forthcoming.
    • Region: United States.
    • Data processed: Amazon Selling Partner ID, authorized marketplace identifiers, encrypted LWA refresh tokens, cached catalog and listing data.
    • Security & compliance: Per the Amazon Selling Partner API Developer Agreement, Data Protection Policy, and Acceptable Use Policy.

International Transfers

Where personal data of EEA, UK, or Swiss data subjects is processed by sub-processors in the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK's International Data Transfer Addendum, and the Swiss FDPIC's recognition of those clauses, executed with each affected sub-processor.

Contact

Questions about this list, or want to be notified when it changes? Email support@selleraide.com.