Subprocessors
Last updated May 23, 2026
This page lists the third-party services that process personal data on our behalf, along with what they do, where their infrastructure is, and a link to each provider's data processing agreement (DPA). The list below is the source of truth — when we add or remove a subprocessor, we update this page before going live.
Who processes your data on our behalf
| Service | Role | Region | DPA | |---|---|---|---| | Polar (polar.sh) | Payment processing & subscription state | EU | polar.sh/legal | | Resend (resend.com) | Transactional + marketing email delivery | EU / US | resend.com/legal/dpa | | Google Ads (Google LLC) | Ad-conversion measurement (only with consent in EEA/UK/CH) | US | business.safety.google/gdpr | | Google (OAuth) | Sign-in when you choose "Continue with Google" | US | (Google account terms) | | GitHub (OAuth) | Sign-in when you choose "Continue with GitHub" | US / EU | (GitHub terms) | | Railway (railway.com) | PostgreSQL + Redis + API/workers hosting | US | railway.com/legal/dpa | | Vercel (vercel.com) | Web app hosting | US | vercel.com/legal/dpa | | Cloudflare (cloudflare.com) | CDN + DDoS protection | Global | cloudflare.com/cloudflare-customer-dpa |
Processing activities
| What we process | Why | Legal basis | Where stored | Retention |
|---|---|---|---|---|
| Name, email, profile image | Identify your account | Contract performance | Railway Postgres | Until account deletion + 30 days |
| OAuth tokens (access, refresh, ID) | Maintain authentication | Contract performance | Railway Postgres (encrypted at rest) | Until account deletion or token expiry |
| Session IP address & user-agent | Session security, abuse prevention | Legitimate interest | Railway Postgres | 1 day after session expiry (purged daily) |
| Pluck usage events (mode, framework, timestamp) | Enforce plan limits, anonymous analytics | Contract performance + legitimate interest | Railway Postgres | Indefinite; user_id nullified on account deletion |
| Submitted feedback (HTML / Figma JSON) | Investigate bug reports | Legitimate interest | Railway Postgres | 90 days |
| Marketing contact (email + name) | Send product updates if you opted in | Consent | Resend audience + Railway Postgres | Until you unsubscribe or delete your account |
| Payment / subscription state | Process payments, gate paid features | Contract performance + legal obligation | Polar | Per Polar's retention policy |
Changes
When we add or remove a subprocessor we update this page first. If you have questions, email info@quassum.com.