Subprocessors
Last updated: April 2026
Chuhching uses the third-party services below to operate the product. This page is the canonical list required by Article 28 of the GDPR and by our standard Data Processing Agreement (Annex II).
We give enterprise customers 30 days' written notice before adding or replacing any subprocessor that processes personal data, so you can raise objections in advance. Routine version bumps by an existing subprocessor don't trigger the notice window.
Data processors
Services that receive or store personal data on your behalf.
| Vendor | Purpose | Data processed | Region | Docs |
|---|---|---|---|---|
| Loops | Onboarding email sequences (opt-in; disabled unless LOOPS_ONBOARDING_ENABLED=1). | Email address, first name, account-created timestamp. | United States | Privacy · DPA |
| OpenAI | AI-generated pitch drafting. Prompts are sent per-user-request; responses are stored in your database. | Prompt content (your profile + target context + instructions). No training on API traffic by default under OpenAI's current API terms. | United States | Privacy · DPA |
| Railway | Application hosting. Runs the Next.js server that handles every request. | Everything that passes through the app in transit (HTTP request bodies, headers, response payloads). Nothing is persisted at Railway — all durable storage is at Supabase. | United States (us-west) | Privacy · DPA |
| Resend | Transactional email delivery (password resets, pitch receipts, reply notifications). | Recipient email, sender email, email subject + body, delivery + open + click telemetry. | United States | Privacy · DPA |
| Stripe | Billing and payment processing. Card data is collected via Stripe.js on the client and never touches our servers. | Name, email, billing address, last-4 of card, subscription status. Full PAN is held by Stripe under PCI-DSS Level 1. | United States (with regional redundancy) | Privacy · DPA |
| Supabase | Primary data store: Postgres database, authentication, file storage (Business Vault files). | All user-generated data: profile, pitches, target lists, outreach history, vault entities/values/files, audit logs. | United States (us-east-1) | Privacy · DPA |
| Svix | Webhook signing and retry infrastructure for inbound reply + press webhooks. | Webhook payloads in transit. Short-retention store for retry buffering only. | United States | Privacy · DPA |
Discovery and scheduling APIs
Services we call with search queries or schedule metadata. These do not receive user personal data; they're listed for completeness.
| Vendor | Purpose | Data sent | Region | Docs |
|---|---|---|---|---|
| cron-job.org | External scheduler that POSTs to our own cron endpoints at fixed intervals (renewal scan, vault purge, ingest jobs). | HTTP Authorization header + URL path only. No user PII. | Germany | Privacy |
| Listen Notes | Podcast discovery and contact enrichment. Paid tier; receives search terms + podcast IDs, returns contact metadata. | Search terms (not tied to a specific user). No user PII. | United States | Privacy |
| Podcastindex.org | Free fallback for podcast discovery. HMAC-signed calls; receives search terms only. | Search terms. No user PII. | United States | Privacy |
| Streamscharts | Twitch creator enrichment for the gaming vertical. Receives creator handles, returns public analytics. | Public creator handles. No user PII. | Cyprus | Privacy |
Your own outbound SMTP
When you configure Chuhching to send pitches on your behalf via your own SMTP provider (Gmail, Fastmail, SendGrid, etc.), that provider is your subprocessor, not ours. Message content is relayed through the provider you chose; we don't store credentials outside your account row.
Questions
DPA requests, Annex II updates, or objections to a new subprocessor: email privacy@chuhching.com.