A subprocessor is a third-party service VoiceBloom uses to operate the platform. We're transparent about every subprocessor, what data they handle, where they're located, and the compliance certifications they hold. We'll notify subscribers by email at least 30 days before adding a new subprocessor that handles personal data.
Under GDPR Article 28, CCPA, PIPEDA, and HIPAA, organizations that process personal data must list every third-party service they share data with, the purpose of each, and the safeguards in place. This page is that list.
| Provider | Purpose | Data location | Certifications / safeguards |
|---|---|---|---|
| Supabase supabase.com | Database (Postgres), user authentication, file storage, real-time sync | United States (AWS us-east region) | SOC 2 Type II · HIPAA-eligible with BAA · GDPR DPA available · ISO 27001 |
| Vercel vercel.com | Application hosting, edge functions, serverless API routes | United States (multi-region edge); Europe for EEA traffic | SOC 2 Type II · HIPAA-eligible with BAA · GDPR DPA · CCPA-aligned |
| Vercel Analytics vercel.com/analytics | Page-view and custom event tracking on marketing pages. Loaded only after the user accepts optional cookies. Pseudonymous; no advertising identifiers | United States; Europe for EEA traffic | GDPR DPA · CCPA-aligned · cookieless by design |
| Vercel Speed Insights vercel.com/docs/speed-insights | Real-user web-vitals telemetry (LCP, CLS, INP) to monitor site performance. Loaded only after the user accepts optional cookies | United States; Europe for EEA traffic | GDPR DPA · CCPA-aligned · no PII |
| Cloudflare (Turnstile) cloudflare.com/products/turnstile | Privacy-preserving anti-bot challenge on the contact, login, and newsletter forms. Receives visitor IP and user-agent; no advertising tracking | United States; global edge network | SOC 2 Type II · GDPR DPA · ISO 27001 · CCPA-aligned |
| Mailchimp (Intuit) mailchimp.com | Notify-list signups for native iOS / Android app launch announcements (the "Notify me" form on the homepage). Receives email address only; no child data | United States | SOC 2 Type II · GDPR DPA · CCPA-aligned · CAN-SPAM compliant |
| Stripe stripe.com | Payment processing, subscription billing, invoicing. VoiceBloom never stores card details | United States, EU, UK (regional routing) | PCI DSS Level 1 · SOC 1/2 · GDPR DPA · Strong Customer Authentication (PSD2) |
| Anthropic (Claude API) anthropic.com | AI text generation for Coach replies, weekly report drafts, IEP note drafts. Sent inputs are not used to train Anthropic's models per our API agreement | United States | SOC 2 Type II · HIPAA-eligible with BAA · ISO 27001 · zero-retention API tier available on request |
| Resend resend.com | Transactional email delivery (receipts, trial reminders, password resets, weekly reports, access notifications) | United States | SOC 2 Type II · GDPR DPA · sender domain authenticated (SPF, DKIM, DMARC) |
| Sentry sentry.io | Error and crash monitoring. Receives stack traces, page URL, anonymous user ID. No symbol-tap content, no child names, no PII | United States | SOC 2 Type II · ISO 27001 · GDPR DPA · data-scrubbing enabled by default |
| Google Fonts fonts.google.com | Web font (Nunito) on public marketing pages only. The in-app experience uses bundled fonts and does not call Google Fonts | Google global CDN | No cookies set · IP address visible to Google for font fetch |
| Google Gemini (image generation) ai.google.dev | Used during development to generate the bundled symbol illustrations. Not called at runtime by end users | United States | Used for static asset generation only · no end-user data sent |
| GitHub github.com | Source code hosting. Does not process end-user data | United States | SOC 2 Type II · ISO 27001 · two-factor authentication enforced |
Several subprocessors are based in the United States. Where data is transferred outside Canada or outside the EEA, transfers are governed by:
We will notify subscribers by email at least 30 days before:
If you object to a new subprocessor and the change is material to your use of VoiceBloom, you may cancel your subscription before the change takes effect and we will refund any prepaid amounts covering the period after the change.
Therapy and School / District plan subscribers may request a Data Processing Agreement (GDPR Article 28) or a Business Associate Agreement (HIPAA) at any time. Email info@voicebloom.ca with your account email and we will route the request to the right team.