Sub-Processors
What is a sub-processor?
To run Collabrate, XBudd LLC ("we") relies on a small number of trusted third-party services that handle specific portions of our infrastructure — for example, hosting our website or delivering transactional email. Each of these services is what privacy law calls a sub-processor: they may handle personal data on our behalf, but only as instructed by us and only for the purpose we engage them for.
This page lists every sub-processor currently used by Collabrate, what they do, where they're located, and a link to their privacy policy or DPA. We keep this list complete and up to date.
Current sub-processors
These services are active today and may process data submitted through collabrate.ai:
| Provider | Status | Purpose | Data processed | Location | Privacy / DPA |
|---|---|---|---|---|---|
| Vercel Inc. | Active | Web hosting, edge delivery, serverless API functions, performance analytics | Request metadata (IP address, user-agent, page paths, performance metrics). No cookies set by Vercel on this site. | United States | Privacy · DPA |
| Loops | Active | Email delivery and contact management for waitlist communications | Email address you submit to the waitlist, plus signup-source attribution (e.g. which form you used) | United States / New Zealand | Privacy · DPA |
| Upstash Inc. | Conditional | Per-IP rate limiting on the waitlist API (prevents abuse) | Truncated IP address used as a short-lived counter key (60-second TTL). No persistent storage of identifiable data. | United States | Privacy |
Conditional sub-processors are engaged only when specific features are active. Upstash is active only when rate limiting is enabled. We update this list when their status changes.
Infrastructure and content-delivery services
These services deliver static assets (fonts, icons) to your browser. They see standard HTTP request metadata (IP address, user-agent) for the purpose of asset delivery and abuse prevention. They are not formal data processors and do not handle personal data submitted through our forms.
| Provider | Purpose | Location | Privacy |
|---|---|---|---|
| jsDelivr | CDN for the four typeface families used on the site (Outfit, Fraunces, Syne, Plus Jakarta Sans, JetBrains Mono) | Global edge network | Privacy |
| unpkg | CDN for icon set (Phosphor Icons) | Global edge network | About |
Coming at product launch
The following sub-processors will be added when the Collabrate creator product launches. We are listing them here in advance so the disclosure is complete. We will move them to the active table above when each is in production use.
| Provider | Purpose | Data processed | Location | Privacy / DPA |
|---|---|---|---|---|
| Anthropic, PBC | AI inference for email classification, proposal evaluation, and negotiation drafting | Content of brand-proposal emails forwarded to Collabrate, plus creator's rate-card and voice-calibration data needed to generate responses | United States | Privacy · DPA |
| Clerk | User authentication (login, password / passwordless flows, session management) | Email address, hashed credentials, session tokens, sign-in metadata | United States | Privacy · DPA |
| Google (Gmail API) | OAuth-authorized read access to creator's Gmail inbox to detect inbound brand proposals; OAuth-authorized send access for outbound negotiation replies | Headers and body content of emails the creator's filters route to Collabrate. Personal email outside that scope is not read. | United States | Privacy |
| Stripe Inc. | Subscription billing and success-fee processing | Payment-method tokens, billing address, transaction history. We do not see or store full card numbers. | United States | Privacy · DPA |
| Database hosttbd | Primary application database (Postgres). Stores creator profiles, rate cards, deal records, and negotiation history. | All persistent product data tied to a creator account | To be confirmed (US region) | To be confirmed |
How we choose and manage sub-processors
Before adding any sub-processor, we evaluate them on:
- Security posture and certifications (SOC 2, ISO 27001 where applicable)
- Data-protection commitments (a signed or clickwrap DPA with Standard Contractual Clauses for any cross-border data transfer)
- Necessity: we use only what's required to deliver the service
- Track record and operational reliability
We keep timestamped snapshots of each vendor's privacy policy and DPA at the time of acceptance, so we have a verifiable record of the terms in force when we engaged them.
Notice of changes
When we add a new sub-processor or replace an existing one, we update this page first. For material changes (new categories of data processed, new geographic transfer, change of a primary processor like our hosting provider or AI provider), we will notify waitlist members and active users by email at least 30 days before the change takes effect, where reasonably practical.
You can subscribe to a quarterly digest of any sub-processor updates by emailing hello@collabrate.ai with the subject "sub-processor updates."
Contact
Questions about our sub-processor list, or to object to a specific sub-processor:
hello@collabrate.ai
XBudd LLC · Texas, United States