Sub-processors
The third-party services SaliencyLab engages to operate the product, what they do, where they run, and the data they receive.
Last updated: May 1, 2026
| Service | Purpose | Region | Data types |
|---|---|---|---|
| Supabase | Primary database, authentication, edge functions, and object storage for uploaded creatives. | EU (Frankfurt) | Account data, authentication tokens, Customer Content (images, videos), analysis results. |
| Vercel | Web hosting and serverless edge runtime for the Next.js application. | United States (global edge network) | Request metadata, IP addresses, HTTP logs. No raw Customer Content stored at rest. |
| Google Cloud — Vertex AI (Gemini) | Multimodal AI scoring and report generation from uploaded creatives. Includes Vertex AI (europe-west1). Video Intelligence and Speech-to-Text are processed at Google's global endpoint and EU-US SCCs apply (see separate row). | EU (europe-west1) for Vertex AI; Google global for Video Intelligence and Speech-to-Text. | Customer Content submitted for analysis, structured prompts. Not used for model training per Vertex AI terms. |
| Google Cloud — Video Intelligence & Speech-to-Text | Shot detection, label detection, and audio transcription for video analysis. These specific APIs do not currently expose an EU-only endpoint; requests transit Google's global network and are governed by the Google Cloud DPA with EU-US SCCs. | Google global endpoint (videointelligence.googleapis.com / speech.googleapis.com); no EU-only equivalent currently exposed. | Video frames and extracted audio. |
| Stripe | Payment processing and subscription management. | United States + EU (Ireland) | Billing contact, payment method tokens. Full card data held by Stripe, never by SaliencyLab. |
| Resend | Transactional email delivery (account, security, receipts), authentication links and one-time codes (email confirmation URL, password reset URL, OTP codes — forwarded immediately to the recipient and not retained beyond Resend's standard delivery log retention), and lifecycle / weekly-digest summary emails. | United States | Recipient email address, message content, delivery metadata. Lifecycle and weekly-digest emails include product summary content (best/worst creative name, KPI score, verdict band — Scale/Sharpen/Rebuild) — never the uploaded creative itself. |
| Sentry | Error tracking and performance monitoring. | United States / EU (Frankfurt) — EU region selected where configured. | Error events, stack traces, limited request metadata, optional user id. |
| PostHog | Product analytics, feature flag evaluation, and session-level usage metrics. | EU Cloud (Frankfurt) where configured. | Pseudonymous user id, event name, page path, feature flag state, and product event properties such as project ID, study ID, share token, KPI scores, and verdicts (Scale/Sharpen/Rebuild) — operational metadata necessary to understand product usage, never including the contents of uploaded creatives. |
| Google Analytics 4 (Google Ireland Ltd. / Alphabet Inc.) | Pageview and funnel analytics. Loads only after the user grants analytics consent via the consent banner (CMP gate, R4P3). | Google global (multi-region). Country-level IP only after IP anonymization. | Pseudonymous client id, page URL, referrer, event name, country-level IP after IP anonymization, and — when the user is signed in — the Supabase user_id (a UUID, not the email) passed as the GA4 User-ID for cross-device session stitching only. The GA4 User-ID is never joined with content the user uploads and never used for advertising. Retention: GA4 property setting (target 14 months; Google operational logs separate). Legal basis: consent (Article 6(1)(a)). Sub-processor DPA: Google Workspace / Cloud standard terms. |
| Cloudflare (Turnstile) | Bot and abuse protection on signup and other sensitive forms (Turnstile widget). Legal basis: legitimate interest (Article 6(1)(f)) — preventing abuse and securing the service. | Cloudflare global edge. | Browser challenge tokens, browser environment signals, remote IP (sent to siteverify on the server). Retention: Cloudflare default — challenges are ephemeral, and SaliencyLab triggers no long-term storage. Sub-processor DPA: Cloudflare standard DPA. |
Notice of changes
We will update this page before adding or replacing a sub-processor. Enterprise customers with a countersigned DPA can opt in to receive email notifications of changes at least 30 days in advance. To subscribe, email contact@saliencylab.com with the subject line "Sub-processor notifications".
For international transfers, we rely on the European Commission Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum where applicable. See our Data Processing Addendum for full detail.