Legal
Sub-processors
External processors that personal or pseudonymous data flows to from GlyphIQ. This is the single source of truth for sub-processor disclosures.
Cloudflare
Scan redirect, pseudonymized analytics ingestion, KV short-code storage, and Analytics Engine query serving.
- Location:
- United States (Cloudflare edge; contracting entity per DPA).
- Privacy policy:
- cloudflare.com/privacypolicy
MongoDB Atlas
Authenticated user account records, subscription state, QR code metadata, folder and event records.
- Location:
- EU region (intra-EEA, no transfer mechanism required).
- Privacy policy:
- mongodb.com/legal/privacy-policy
Clerk
User authentication and identity management — holds authoritative identity record (email, name, phone, profile image, password hash, session tokens, OAuth tokens).
- Location:
- United States (standard contractual clauses or DPF per Clerk DPA).
- Privacy policy:
- clerk.com/legal/privacy
Lemon Squeezy
Subscription billing and standalone-pack order processing. Merchant of record holding buyer name, billing address, payment card details on behalf of the controller.
- Location:
- United States (DPF or SCC per Lemon Squeezy DPA).
- Privacy policy:
- lemonsqueezy.com/privacy
Resend
Transactional email delivery. Receives recipient email address and templated message body at send time; no email content persisted in GlyphIQ MongoDB.
- Location:
- United States (DPF or SCC per Resend DPA).
- Privacy policy:
- resend.com/legal/privacy-policy
Change-log convention
Any processor added or removed in the future is logged here as a dated single-line entry. Example format: 2026-06-01 — added {Processor Name} ({purpose}); DPA accepted {date}.