Legal
Sub-processors
External processors that personal or pseudonymous data flows to from GlyphIQ. This is the single source of truth for sub-processor disclosures.
Vercel
Hosting and edge compute for the GlyphIQ Next.js application at glyphiq.app (single origin serving both marketing root and authenticated dashboard); cookieless aggregate product analytics (Vercel Web Analytics) and Core Web Vitals telemetry (Vercel Speed Insights) for that surface. No analytics is loaded on the scan-redirect (qr.glyphiq.app) or archived-code landing (expired.glyphiq.app) paths.
- Legal entity:
Vercel Inc.- Location:
- United States (standard contractual clauses or DPF per Vercel DPA).
- Privacy policy:
- vercel.com/legal/privacy-policy
Cloudflare
Scan redirect, pseudonymized analytics ingestion, KV short-code storage, Analytics Engine query serving, destination-URL safety screening (Cloudflare Radar URL Scanner), and bot protection (Turnstile).
- Legal entity:
Cloudflare, Inc.- Location:
- United States (Cloudflare edge; contracting entity per DPA).
- Privacy policy:
- cloudflare.com/privacypolicy
Google (Safe Browsing)
Destination-URL safety screening at code create/edit time. Receives the destination URL of a code to check it against the Google Safe Browsing threat database; no account identity is sent.
- Legal entity:
Google LLC- Location:
- United States (DPF or SCC per Google Cloud / API terms).
- Privacy policy:
- policies.google.com/privacy
MongoDB Atlas
Authenticated user account records, subscription state, QR code metadata, folder and event records.
- Legal entity:
MongoDB, Inc. (contracting entity for MongoDB Atlas SaaS)- Location:
- EU region (intra-EEA, no transfer mechanism required).
- Privacy policy:
- mongodb.com/legal/privacy-policy
Clerk
User authentication and identity management — holds authoritative identity record (email, name, phone, profile image, password hash, session tokens, OAuth tokens).
- Legal entity:
Clerk Inc.- Location:
- United States (standard contractual clauses or DPF per Clerk DPA).
- Privacy policy:
- clerk.com/legal/privacy
Lemon Squeezy
Subscription billing and standalone-pack order processing. Merchant of record holding buyer name, billing address, payment card details on behalf of the controller.
- Legal entity:
Lemon Squeezy, LLC- Location:
- United States (DPF or SCC per Lemon Squeezy DPA).
- Privacy policy:
- lemonsqueezy.com/privacy
Resend
Transactional email delivery (currently: account inactivity warning). Receives recipient email address and templated message body at send time; no email content persisted in GlyphIQ MongoDB.
- Legal entity:
Resend, Inc.- Location:
- United States (DPF or SCC per Resend DPA).
- Privacy policy:
- resend.com/legal/privacy-policy
Reserved future entry — archived-code ad network
The archived-code landing surface on expired.glyphiq.appwill introduce a contextual ad network as a sub-processor. At launch, no ad network is wired — the ad slot on the landing page is a reserved placeholder only and no ad-network processing occurs. When the follow-up wire-up ships (current default target: Google AdSense in non-personalized / contextual mode; parallel Carbon Ads application), a new entry will be appended above with: legal entity, purpose (“Contextual ad serving and impression measurement on the archived-code landing pages at expired.glyphiq.app”), and location.
The processing purpose on that future entry is locked to contextual-only — personalised or behavioural advertising requires a separate assessment.
Change-log convention
Any processor added or removed in the future is logged here as a dated single-line entry — keyed to the date the change was made. Example: 2026-06-01 — added Example Co. (contextual ad serving).