GLYPHIQGlyphIQ

Legal

Sub-processors

External processors that personal or pseudonymous data flows to from GlyphIQ. This is the single source of truth for sub-processor disclosures.

Vercel

Hosting and edge compute for the GlyphIQ Next.js application at glyphiq.app (single origin serving both marketing root and authenticated dashboard); cookieless aggregate product analytics (Vercel Web Analytics) and Core Web Vitals telemetry (Vercel Speed Insights) for that surface. No analytics is loaded on the scan-redirect (qr.glyphiq.app) or archived-code landing (expired.glyphiq.app) paths.

Legal entity:
Vercel Inc.
Location:
United States (standard contractual clauses or DPF per Vercel DPA).

Cloudflare

Scan redirect, pseudonymized analytics ingestion, KV short-code storage, Analytics Engine query serving, destination-URL safety screening (Cloudflare Radar URL Scanner), and bot protection (Turnstile).

Legal entity:
Cloudflare, Inc.
Location:
United States (Cloudflare edge; contracting entity per DPA).

Google (Safe Browsing)

Destination-URL safety screening at code create/edit time. Receives the destination URL of a code to check it against the Google Safe Browsing threat database; no account identity is sent.

Legal entity:
Google LLC
Location:
United States (DPF or SCC per Google Cloud / API terms).

MongoDB Atlas

Authenticated user account records, subscription state, QR code metadata, folder and event records.

Legal entity:
MongoDB, Inc. (contracting entity for MongoDB Atlas SaaS)
Location:
EU region (intra-EEA, no transfer mechanism required).

Clerk

User authentication and identity management — holds authoritative identity record (email, name, phone, profile image, password hash, session tokens, OAuth tokens).

Legal entity:
Clerk Inc.
Location:
United States (standard contractual clauses or DPF per Clerk DPA).

Lemon Squeezy

Subscription billing and standalone-pack order processing. Merchant of record holding buyer name, billing address, payment card details on behalf of the controller.

Legal entity:
Lemon Squeezy, LLC
Location:
United States (DPF or SCC per Lemon Squeezy DPA).

Resend

Transactional email delivery (currently: account inactivity warning). Receives recipient email address and templated message body at send time; no email content persisted in GlyphIQ MongoDB.

Legal entity:
Resend, Inc.
Location:
United States (DPF or SCC per Resend DPA).

Reserved future entry — archived-code ad network

The archived-code landing surface on expired.glyphiq.appwill introduce a contextual ad network as a sub-processor. At launch, no ad network is wired — the ad slot on the landing page is a reserved placeholder only and no ad-network processing occurs. When the follow-up wire-up ships (current default target: Google AdSense in non-personalized / contextual mode; parallel Carbon Ads application), a new entry will be appended above with: legal entity, purpose (“Contextual ad serving and impression measurement on the archived-code landing pages at expired.glyphiq.app”), and location.

The processing purpose on that future entry is locked to contextual-only — personalised or behavioural advertising requires a separate assessment.

Change-log convention

Any processor added or removed in the future is logged here as a dated single-line entry — keyed to the date the change was made. Example: 2026-06-01 — added Example Co. (contextual ad serving).