LEGAL
Sub-processors
Last updated: May 18, 2026
Overview
Pricelyzer, Inc. engages the sub-processors listed below to help operate the Pricelyzer platform. Each sub-processor is bound by a data-processing agreement (or equivalent contractual terms) that imposes data-protection obligations substantially equivalent to those in our Data Processing Agreement.
This list reflects the current state of the Pricelyzer production stack. We update it at least 14 days before any new sub-processor begins processing customer personal data. Enterprise customers who have objected to a new sub-processor under the DPA may notify us at privacy@pricelyzer.app within 14 days of receiving the notice email.
Infrastructure and hosting
- Hetzner Online GmbH
Purpose: Cloud compute for the Pricelyzer application and worker services.
Region: Ashburn, Virginia, USA (Hetzner US-East datacenter).
Headquarters: Gunzenhausen, Germany.
Transfer mechanism: Hetzner Cloud Data Processing Agreement + EU Standard Contractual Clauses (Hetzner is a GDPR-compliant EU controller).
- Supabase, Inc.
Purpose: Managed Postgres database (application data, encrypted at rest), authentication primitives, and connection pooling.
Region: Canada Central (Montreal, Canada).
Headquarters: United States.
Transfer mechanism: Supabase Data Processing Agreement + EU Standard Contractual Clauses.
- Cloudflare, Inc.
Purpose: DNS, CDN, TLS termination at the edge, DDoS mitigation, and Web Application Firewall on public endpoints (provisioning before public launch).
Region: Global edge network.
Headquarters: United States.
Transfer mechanism: Cloudflare Data Processing Addendum + EU Standard Contractual Clauses.
- Doppler, Inc.
Purpose: Production secret management (API keys, database credentials, third-party tokens). No customer personal data is stored in Doppler.
Headquarters: United States.
Transfer mechanism: Doppler Data Processing Addendum (no customer personal data processed).
Payments
- Stripe, Inc.
Purpose: Payment processing, subscription management, invoicing (integration in progress; live before public launch).
Data processed: Billing name, email, card details (Stripe is PCI-DSS Level 1 compliant; Pricelyzer never stores raw card data), Stripe customer ID.
Headquarters: United States.
Transfer mechanism: Stripe Data Processing Agreement + EU Standard Contractual Clauses.
Email delivery
- Postmark (a product of Wildbit / ActiveCampaign, Inc.)
Purpose: Transactional email delivery — account confirmations, password resets, billing receipts, breach notifications (integration in progress; live before public launch).
Data processed: Recipient email address, message content, delivery timestamps.
Headquarters: United States.
Transfer mechanism: Postmark Data Processing Addendum + EU Standard Contractual Clauses.
Error monitoring
- Sentry (Functional Software, Inc.)
Purpose: Application error and performance monitoring (integration in progress; live before public launch).
Data processed: Crash stack traces, request paths, user-agent strings, and the authenticated user identifier when an error occurs. Personal data in error payloads is scrubbed before transmission where feasible.
Headquarters: United States.
Transfer mechanism: Sentry Data Processing Addendum + EU Standard Contractual Clauses.
Third-party data providers
- Google LLC (Gemini API)
Purpose: Pack-size verification for sourcing analysis — we send product titles and descriptions to Gemini to detect mismatches between an Amazon listing's pack size and the retailer's pack size.
Data processed: Product titles, product descriptions, structured prompts. No customer personal data (name, email, billing) is transmitted to Google.
Headquarters: United States.
Transfer mechanism: Google Cloud Data Processing Addendum + EU Standard Contractual Clauses.
- Keepa GmbH
Purpose: Amazon historical pricing, BSR history, and offer data used to compute sourcing economics inside Pricelyzer.
Data processed: Pricelyzer query parameters (ASIN, marketplace). No customer personal data is transmitted to Keepa beyond what is required to perform the API call.
Headquarters: Germany (EU). Processing location: EU.
Transfer mechanism: No cross-border transfer of personal data required; Keepa processes within the EEA. Standard Keepa API license agreement applies.
Amazon Selling Partner API
- Amazon.com Services LLC
Purpose: SP-API data access — fee estimation, Buy Shipping rates, inventory, listing restrictions, and catalog data — on behalf of the seller who has granted Pricelyzer OAuth authorization.
Data processed: Seller account identifiers (merchant token), inventory data, fee schedule queries, listing-restrictions queries.
Headquarters: United States.
Governing agreement: Amazon Selling Partner API Developer Agreement and Data Protection Policy govern how Pricelyzer uses SP-API data. Pricelyzer does not enter into a DPA with Amazon in the traditional sense; Amazon is a data source operating under its own Developer Agreement.
Note: Pricelyzer is registered as an Amazon Solution Provider. Pricelyzer is not affiliated with, endorsed by, or sponsored by Amazon.com, Inc.
Affiliate networks (planned)
Pricelyzer may integrate one or more affiliate networks for sponsored retailer links after public launch. When that happens we will add the specific network(s) and their data-processing details to this page at least 14 days before any customer personal data is shared. Until then, affiliate redirects are handled internally by Pricelyzer and do not share data with third-party networks.
Changes to this list
We will email the account's registered address at least 14 days before adding a new sub-processor that will process customer personal data. If you have objection rights under the DPA, you must notify us within 14 days of that email. Contact privacy@pricelyzer.app for questions or to request copies of the relevant Standard Contractual Clauses.
Contact
Data protection inquiries: privacy@pricelyzer.app