Sub-processors
Last Updated: July 4, 2026
SellerAide engages the third-party service providers ("sub-processors") listed below to operate the Service. Each sub-processor is contractually bound to protect data they process on our behalf, in line with our Privacy Policy.
We review every sub-processor at least annually and prefer providers that hold SOC 2 Type II or equivalent independent attestation. We will update this page before adding a new sub-processor that materially changes how your data is processed.
Core Infrastructure
Vercel, Inc.
- Purpose: Application hosting, edge network, content delivery for the website.
- Region: United States (multi-region edge).
- Data processed: Request logs, IP addresses, browser metadata, the application code and assets, and (in transit) any content you submit through the Service.
- Security & compliance: SOC 2 Type II. TLS 1.3 by default. ISO 27001.
Supabase, Inc.
- Purpose: Authentication, Postgres database, file storage, database backups.
- Region: United States — AWS US West 2 (Oregon, us-west-2).
- Data processed: Account records, hashed passwords, conversation history, generated listings, brand information, brand assets, listing images, uploaded expense receipts (private), accounting/expense records, OAuth tokens (encrypted at the application layer), usage events.
- Security & compliance: SOC 2 Type II. AES-256 encryption at rest. Row-level security policies enforced on every multi-tenant table.
Stripe, Inc.
- Purpose: Payment processing, subscription management, invoicing, tax compliance.
- Region: United States (global processing infrastructure).
- Data processed: Payment-method token, card brand and last four, billing address, subscription state, invoices.
- Security & compliance: PCI DSS Level 1. SOC 2 Type II. ISO 27001.
Upstash, Inc.
- Purpose: Redis-based rate limiting.
- Region: United States.
- Data processed: Short-lived rate-limit counters keyed on IP address or user identifier.
- Security & compliance: SOC 2 Type II. TLS 1.2+.
Resend, Inc.
- Purpose: Transactional email delivery (account emails, feedback handoffs).
- Region: United States.
- Data processed: Recipient email addresses, message bodies, delivery metadata.
- Security & compliance: SOC 2 Type II.
Functional Software, Inc. (Sentry)
- Purpose: Application error and performance monitoring.
- Region: United States.
- Data processed: Error and exception events: stack traces, request metadata and URL, browser/device characteristics, IP address, and the user identifier associated with an errored request. No listing content, payment data, OAuth tokens, or marketplace data is sent.
- Security & compliance: SOC 2 Type II. ISO 27001. TLS in transit; encrypted at rest.
AI Providers
Both AI providers below operate under their paid commercial API terms. Neither uses your inputs or outputs to train their models. See Section 4 of the Privacy Policy for what we send and what we do not send.
Google LLC — Gemini API
- Purpose: AI-powered listing generation, rewriting, optimization, brand discovery interviews, AI logo variants, AI mockups, document field extraction.
- Region: United States.
- Data processed: Product descriptions, conversation history, listing fields being audited or rewritten, brand voice samples, brand assets including source logo images for image generation, website text supplied for analysis, and receipts/invoices/bills you upload to the document inbox for field extraction.
- Security & compliance: Processed under the Google Cloud / Vertex AI commercial API terms. No training on customer inputs or outputs. SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018.
Anthropic PBC — Claude API
- Purpose: Alternative AI provider for listing generation, rewriting, and chat-based assistance.
- Region: United States.
- Data processed: Same as Google Gemini above, when the Anthropic provider is the configured AI provider.
- Security & compliance: Processed under Anthropic's Commercial Terms of Service. No training on customer inputs or outputs. SOC 2 Type II.
Analytics & Marketing
Analytics, marketing, and affiliate tracking are non-essential. See our Cookie Policy for the consent and opt-out options that apply to these providers.
Google LLC — Google Analytics 4
- Purpose: Website usage analytics.
- Region: United States.
- Data processed: Pageviews, session metadata, IP-derived approximate location, device and browser characteristics, referring URLs.
- Security & compliance: SOC 2 Type II. IP anonymization enabled.
Meta Platforms, Inc. — Meta Pixel
- Purpose: Ad conversion tracking and retargeting for Facebook and Instagram ads.
- Region: United States.
- Data processed: Pageviews, event signals (signup, subscribe), device identifiers, IP address.
- Security & compliance: SOC 2. Subject to Meta's Business Tools Terms.
Rewardful, Inc.
- Purpose: Affiliate-program click tracking and attribution.
- Region: Canada / United States.
- Data processed: Affiliate referral identifier, click timestamp, signup and subscription events.
- Security & compliance: TLS in transit. Per Rewardful's published security overview.
Market Data Providers
The provider below supplies public product-level marketplace data for our product-research features. Because only product identifiers are sent, it does not process personal data on our behalf; we list it here for transparency.
Keepa GmbH
- Purpose: Product-level Amazon market data (price history, sales-rank history, offer and stock-level data) powering the Sourcing Scout and Price Ceiling Analysis product-research features, including embedded price-history charts.
- Region: Germany (European Union).
- Data processed: Product identifiers only — the ASIN or barcode being researched and lookup parameters. No personal data, account data, or seller data is sent to Keepa; lookups are proxied through our servers and are not attributable to an individual user by Keepa.
- Security & compliance: TLS in transit. Per the Keepa API terms of service.
Optional Marketplace Integrations
These sub-processors are engaged only when you choose to connect your account on the corresponding marketplace.
eBay Inc. — Developer API
- Purpose: Push AI-generated listings to your eBay drafts, and read your own orders/finances to power analytics and profit/P&L, when you connect your eBay account.
- Region: United States.
- Data processed: eBay User ID, encrypted OAuth tokens, listing payloads we transmit on your behalf, and normalized order financials (item/shipping totals, fees, refunds, payouts, status, SKUs). Buyer identity is stripped before storage; raw payloads are purged within 30 days.
- Security & compliance: Per the eBay Developer Program agreements.
Etsy, Inc. — Open API v3
- Purpose: Push AI-generated listings to your Etsy shop as drafts when you connect your Etsy account.
- Region: United States.
- Data processed: Etsy User ID, Shop ID, Shop Name, granted OAuth scopes, encrypted OAuth tokens, listing payloads we transmit on your behalf.
- Security & compliance: Per the Etsy API Terms of Use.
Amazon Services LLC — Selling Partner API (SP-API)
- Purpose: Import your own Amazon catalog and listings, audit and optimize them, and push updates back to Amazon, when you connect your Amazon seller account.
- Region: United States.
- Data processed: Amazon Selling Partner ID, authorized marketplace identifiers, encrypted LWA refresh tokens, and cached catalog, listing, listing-issue, A+ Content, and fee-estimate data for your own account. We do not request buyer, order, or payment data. (Order-financial and settlement summaries are added only if and when you authorize the corresponding non-buyer-PII roles.)
- Security & compliance: Per the Amazon Selling Partner API Developer Agreement, Data Protection Policy, and Acceptable Use Policy. Used solely to provide the Service to the authorizing seller; never used to benefit other sellers, for advertising, or to train AI models.
Intuit Inc. — QuickBooks Online Accounting API
- Purpose: Post summarized settlement journal entries to your QuickBooks Online company, and read your Chart of Accounts at setup so you can map categories, when you connect your QuickBooks company.
- Region: United States.
- Data processed: QuickBooks company (Realm) ID, company name, granted OAuth scope (accounting only), encrypted OAuth tokens, your account-mapping preferences, and a record of the journal entries we posted (IDs only). We do not copy your QuickBooks financial records, and QuickBooks data is never sent to an AI provider.
- Security & compliance: Per the Intuit Developer Terms of Service. OAuth 2.0; tokens encrypted at rest (AES-256-GCM); we act as an independent controller and use the data solely to provide the Service to you; disconnect revokes the tokens at Intuit.
International Transfers
Where personal data of EEA, UK, or Swiss data subjects is processed by sub-processors in the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK's International Data Transfer Addendum, and the Swiss FDPIC's recognition of those clauses, executed with each affected sub-processor.
Contact
Questions about this list, or want to be notified when it changes? Email support@selleraide.com.