We engage the third parties listed below ("sub-processors") to help us operate HiringCoach.ai. Each is bound by a Data Processing Agreement. To subscribe to advance notice of changes, email [email protected].
Core infrastructure
| Sub-processor | Purpose | Data processed | Region |
|---|
| Google Cloud / Firebase | Authentication, database, file storage, background tasks, text-to-speech | All user profile, content, session, and audit data | US (default) |
| Vercel | Application hosting, edge middleware, serverless functions, AI Gateway, logs | Request headers, execution logs, routed AI traffic | Global edge; primary US |
Payments
| Sub-processor | Purpose | Data processed | Region |
|---|
| Stripe | Subscription billing, card processing (hosted) | Customer ID, email, subscription metadata. No card PAN touches HiringCoach. | US + EU |
Communications
| Sub-processor | Purpose | Data processed | Region |
|---|
| SendGrid (Twilio) | Transactional email | Recipient email, send metadata, bounce / complaint records | US |
| Mailchimp (Intuit) | Opt-in marketing email | Email, marketing consent, preferences | US |
AI providers
| Sub-processor | Purpose | Data processed | Region |
|---|
| OpenAI | LLM generation (called directly and via Vercel AI Gateway) | User prompts and completions; per-request store: false. Standard OpenAI API retention applies (no ZDR amendment). | US |
| Perplexity | Research-backed intelligence | Query text. Provider default retention applies. | US |
| ElevenLabs | Text-to-speech | Text to be spoken. Provider default retention applies. | US |
| Deepgram | Speech-to-text | Audio clips (user voice); per-request redact=true. Provider default retention applies. | US |
| Google Cloud TTS | Alternate text-to-speech | Text. Provider default retention applies. | US |
Error monitoring and analytics
| Sub-processor | Purpose | Data processed | Region |
|---|
| Sentry | Error and performance monitoring | Stack traces, hashed user IDs (PII scrubbed) | US |
| Amplitude | Product analytics | Event data, session IDs | US |
| Mixpanel | Product analytics | Event data | US |
| Hotjar | Heatmaps and session insights | Session recordings with input masking | EU |
| Google Analytics / GTM | Web analytics | Page views, events | US / EU |
| Meta Pixel (Facebook) | Conversion measurement | Hashed identifiers, conversion events | US |
Integrations and platform
| Sub-processor | Purpose | Data processed | Region |
|---|
| Mapbox | Geocoding and maps | Location strings you enter | US |
| LinkedIn | OAuth sign-in; profile import with your consent | LinkedIn profile fields | US |
| Google OAuth | OAuth sign-in; Google Drive export (opt-in) | Profile and email; Drive scope only when you grant it | US |
| Facebook OAuth | OAuth sign-in | Profile and email | US |
| Canva (optional) | Design asset import | File metadata | US |
| GitHub | Source-code hosting and CI | No customer production data | US |
| Domain registrar + DNS | Domain and DNS management | No customer data | US |
How to object
Per our Privacy Policy, you may object to specific processing. Contact [email protected]. Some sub-processors (payments, identity, infrastructure) are essential to the service; we cannot provide the service without them. For analytics and marketing, you can opt out via the cookie banner or your account settings.