Last updated: 2026-04-29
Draft
This list is published in good faith ahead of legal review and will be reaffirmed by counsel before any paid customer goes live. Questions? privacy@skygem.tech.
A subprocessor is a third-party service that processes customer or end-user data on VibeID’s behalf. The table below lists every active subprocessor as of the date above. We notify customers at least 30 days before adding a new subprocessor or removing an existing one. Email privacy@skygem.tech to receive change notifications.
Vendors marked opt-in only process data when a team explicitly connects the integration; teams that do not connect it never transit data through that vendor.
| Vendor | Purpose | Data | Region |
|---|---|---|---|
| Vercel, Inc. | Hosting, edge runtime, build pipeline, Web Analytics | Request logs, IP, headers, page views, Core Web Vitals telemetry | United States (iad1) |
| Supabase, Inc. | Database, auth, storage, edge functions | Account info, card metadata, contacts, meeting notes, integration tokens (encrypted), team data, device push tokens | United States |
| Stripe, Inc. (and Stripe Payments Europe Ltd.) | Subscription billing and Customer Portal | Email, team identifier, billing-period dates, seat count, payment-method metadata | United States (PAN-EU controller for EU customers) |
| Functional Software, Inc. d/b/a Sentry | Error monitoring, crash analytics, source maps | Stack traces, error messages, breadcrumbs, app version, device info. PII keys (email, phone, password, token, auth, jwt, session, cookie) are redacted client-side before transmission. | United States (us.sentry.io) |
| PostHog, Inc. | Product analytics | Page views, button clicks, feature usage, session identifier, anonymized IP | United States (us.i.posthog.com) |
| Cloudflare, Inc. | AI text generation (Workers AI — primary provider) | User-submitted card context (name, role, company, vibe), AI bio prompts | United States / global edge |
| Groq, Inc. | AI text generation (overflow fallback when primary quota exhausted) | Same prompt categories as Cloudflare, only when primary quota is exhausted | United States |
| Apple Inc. | Sign in with Apple identity provider | Email, anonymized provider identifier, auth tokens at sign-in only | United States |
| Google LLCopt-in | Sign in with Google identity provider; Google Calendar event read; Gmail signature install; Google Wallet pass issuance | Email, OAuth scopes (userinfo.email, gmail.settings.basic, calendar.readonly), calendar event metadata, wallet object payload | United States |
| HubSpot, Inc.opt-in | CRM contact bidirectional sync | Name, email, phone, company, role, custom properties — only for teams who connect HubSpot | United States |
| 650 Industries, Inc. d/b/a Expo | Push notifications and over-the-air app updates | Device push tokens, notification titles + bodies, OTA update metadata | United States (exp.host, u.expo.dev) |
The following providers are wired in our codebase as fallbacks or future integrations but are not active in the current production configuration. They will be added to the list above with 30-day notice if they become active: DeepSeek (AI overflow), Resend (transactional email, M4+), OpenAI and Google Gemini (additional AI fallbacks).
jsDelivr / Fontsource is used to fetch web font binaries during static rendering; no customer or end-user PII transits this CDN. Apple Wallet uses Apple’s public Web Save endpoint with cert pinning; no separate subprocessor agreement applies.
