§1 Current subprocessors
| Service | Purpose | Region | Notes |
|---|---|---|---|
| OpenAI, Inc. | AI inference — listing generation, vision tagging, photo classification. | United States | Uses paid-API endpoints with the default no-training-on-customer-inputs setting. Zero-data-retention enrollment in progress. |
| eBay, Inc. | Marketplace integration — OAuth, publish, browse comps, taxonomy. | United States + global | User-authorized per OAuth scope. Once a listing is published, eBay becomes an independent controller for that record. |
| Neon, Inc. | Postgres database hosting. | AWS us-east-2 (Ohio) | DPA at neon.tech/dpa. Point-in-time recovery retention: 7–30 days. |
| Cloudflare, Inc. | R2 image storage, DNS, Turnstile bot challenge. | Global edge | DPA at cloudflare.com/cloudflare-customer-dpa. R2 bucket policy defaults to private. |
| Railway Corp. | Backend container hosting. | GCP us-west2 (typical) | DPA via dashboard. Operational log retention: 7–30 days. |
| Vercel, Inc. | Frontend hosting + edge network. | Global | DPA at vercel.com/legal/dpa. |
| SoldComps.com | Sold-comparable pricing data. | United States | Operates as a data source; no personal information shared. |
| Resend, Inc. | Transactional email (verification, deletion, support). | United States | DPA in dashboard. SPF / DKIM / DMARC configured on piccull.com. |
| Stripe, Inc. | Payments, tax calculation, billing portal. | United States + global | Stripe DPA auto-applied. PCI DSS scope is SAQ-A — card data never touches PicCull servers. |
| Google LLC | Google Sign-In (OAuth). | United States | Per-user consent on first sign-in. No background API calls beyond identity. |
| Apple, Inc. | Sign in with Apple (when configured). | United States | Per-user consent. Email-relay-safe. |
| PostHog, Inc. | Product analytics (when enabled). | United States cloud | DPA available. Events are de-identified after user deletion via PostHog DSR API. |
| Sentry / Better Stack | Error tracking and uptime monitoring (when enabled). | United States | DPAs available. PII scrubber strips request bodies and auth headers. |
| Namecheap / Google Workspace | Domain registration and email hosting for piccull.com aliases. | United States | Standard provider DPAs. |
| Discord, Inc. | Operational webhook notifications (admin only). | United States | No customer personal information sent — admin alerts and deploy notifications only. |
§2 Notice of changes
We will email subscribed users at least 14 days before adding a subprocessor that processes personal data of registered users. You can object to a new subprocessor by closing your account or emailing privacy@piccull.com before the change date.
To subscribe to subprocessor-change notices independently of an account, email privacy@piccull.com with the subject line “Subprocessor notice subscribe”.