Subprocessors
Last updated: January 19, 2026
Overview
Ship Poster uses the following third-party service providers (subprocessors) to deliver our services. Each subprocessor has been vetted to ensure they maintain appropriate data protection standards and comply with applicable data protection laws.
In accordance with GDPR Article 28, we maintain this list of subprocessors who process personal data on our behalf. We will notify users of any changes to this list via email at least 30 days before engaging a new subprocessor.
Current Subprocessors
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database, Authentication & File Storage | All user data, authentication credentials, uploaded media | United States (AWS us-east-1) |
| Stripe | Payment Processing | Email, billing address, payment card details, transaction history | United States |
| SendGrid (Twilio) | Transactional Email | Email addresses, email content | United States |
| OpenAI | AI Text & Image Generation | Brand information, content prompts, campaign data | United States |
| Google (Gemini) | AI Image Generation | Image generation prompts, brand visual preferences | United States |
| LATE | Social Media Publishing | Post content, social account tokens, publishing schedules | United States |
| Vercel | Application Hosting | Request logs, IP addresses, performance metrics | Global (Edge Network) |
| Google Analytics | Website Analytics | Anonymized usage data, page views, feature interactions | United States |
Data Processing Agreements
We have entered into Data Processing Agreements (DPAs) with each of our subprocessors to ensure they process personal data in accordance with GDPR requirements, including:
- Processing data only on our documented instructions
- Ensuring personnel are bound by confidentiality obligations
- Implementing appropriate technical and organizational security measures
- Assisting us with data subject rights requests
- Deleting or returning data upon termination of services
- Submitting to audits and inspections
International Transfers
Some of our subprocessors are located in the United States. For transfers of personal data from the European Economic Area (EEA) to the US, we rely on:
- EU-US Data Privacy Framework: Where subprocessors are certified
- Standard Contractual Clauses (SCCs): As approved by the European Commission
- Supplementary measures: Additional technical and organizational safeguards where needed
Change Notification
We will provide at least 30 days' notice before adding a new subprocessor or making material changes to existing subprocessors. Notifications will be sent to the email address associated with your account.
If you have a reasonable objection to a new subprocessor on data protection grounds, please contact us at support@ship-poster.com within 14 days of receiving the notification. We will work with you to find a resolution.
Questions
If you have any questions about our subprocessors or data processing practices, please contact us at support@ship-poster.com.