Sub-processors
Last updated: 2026-05-15
retailerapi is operated by Scepter Software LLC, a Michigan limited liability company. To deliver the Service, we engage the third parties listed below as "sub-processors" — each one receives a defined slice of data, has a written contract with us governing how it can be used, and is bound by either the EU Standard Contractual Clauses (SCCs), the EU–US Data Privacy Framework (DPF), or both. We do not use any sub-processor that trains AI models on your data.
We notify paid subscribers by email at least 30 days before adding or replacing a sub-processor. If a change is material to you, you may terminate your subscription before it takes effect; see the Terms of Service for the cancellation procedure.
| Sub-processor | Purpose | Data shared | Location | Transfer mechanism |
|---|---|---|---|---|
| Supabase Inc. | Authenticated database + auth service | Account email, hashed session tokens, org metadata, API usage rows, billing-state cache | United States (us-east-1) | SCCs + DPF |
| Stripe, Inc. | Payments + invoicing | Billing email, full name, billing address, card brand + last 4 (full card stored by Stripe, not us), tax-residence country/ZIP | United States | SCCs + DPF |
| Resend, Inc. | Transactional email delivery (magic links, receipts, welcome + product update emails) | Recipient email address, message body | United States | SCCs |
| Vercel Inc. | Application hosting + edge network | Request logs, IP addresses (auto-purged 30 days), build artifacts | Global edge (US primary) | SCCs + DPF |
| Cloudflare, Inc. | DNS + DDoS protection + Turnstile bot challenge | IP addresses, request headers, Turnstile challenge tokens (no cookies) | Global | SCCs + DPF |
| Functional Software, Inc. (Sentry) | Error and exception tracking | Stack traces, route names, error metadata. No request bodies, no PII, no IP addresses captured. | United States | SCCs |
| GitHub, Inc. (Microsoft) | Source code hosting + CI/CD | No customer data. Source code + build artifacts only. | United States | SCCs + DPF |
| Anthropic, PBC | Optional Custom GPT / MCP backend (only if customer enables) | API requests proxied via the customer’s own Anthropic key. We do not pass customer data to Anthropic on our own behalf. | United States | Customer-controlled |
Upstream data providers
retailerapi also calls third-party retailer APIs and scraping infrastructure to gather the public product data the Service exists to deliver. These providers receive only the product identifier (UPC, EAN, ISBN, GTIN, ASIN, or retailer SKU) and the originating request metadata required to fulfill the lookup. They never receive your account email, billing data, or any PII about your end users. The list rotates as we tune coverage and cost; current providers include managed scrape APIs and Google search providers for organic discovery. We do not consider these providers "sub-processors" in the GDPR sense because the data they receive is not personal data — it’s public-catalog product information — but we list them here for completeness.
Change log
- 2026-05-15 — Initial publication. Mirrors Section 7 of the Privacy Policy with column-level detail.
Questions: email software@sceptermarketing.com. Postal mail: Scepter Software LLC, c/o Matt Hall, 2844 East Grand River Ave, East Lansing, MI 48823, USA.
See also: Privacy Policy · Terms of Service · Data Processing Addendum.