Subprocessors
To deliver the Crunchly service, we engage third-party subprocessors that handle infrastructure, payments, email, analytics, and similar functions. This page lists every subprocessor that may process your personal data on Crunchly's behalf.
We sign a Data Processing Addendum (DPA) or equivalent with each subprocessor where required by law (GDPR Article 28, CPRA). We update this page whenever a subprocessor is added, removed, or replaced.
Current subprocessors
| Subprocessor | Purpose | Data processed | Location | Privacy policy |
|---|---|---|---|---|
| Vercel | Hosting, edge runtime, serverless functions | Site traffic, IP address, server logs | USA | vercel.com |
| Supabase | Database, authentication, file storage | Account info, deal data, session tokens | USA (us-east-1) | supabase.com |
| Stripe | Payments, subscriptions, billing portal, tax | Name, email, billing address, payment method (Stripe-stored) | USA / Ireland | stripe.com |
| Resend | Transactional email delivery | Email address, message content (transient) | USA | resend.com |
| Anthropic | Ask Crunch AI chat (Claude API) | Chat prompts you submit (not used to train models) | USA | anthropic.com |
| Google (Maps + Analytics) | Property address lookup; site analytics (opt-in only) | Property addresses you enter; anonymized IP for GA4 | USA | google.com |
| Cloudflare / jsDelivr / cdnjs | JavaScript library CDN (Supabase JS, Chart.js, etc.) | IP address (network-level) | Global edge | cloudflare.com |
| OpenStreetMap (Nominatim) | Fallback address geocoding | Property addresses you enter | UK / Germany | osmfoundation.org |
| Unsplash | Editorial article images in Market News widget | IP address (network-level, image fetch) | USA | unsplash.com |
| Twitter / X | Investor Voices news widget (embedded content) | IP address (network-level, embed fetch) | USA | twitter.com |
| FRED (St. Louis Fed) | Mortgage rate data for rate-change alerts | None (server-to-server) | USA | stlouisfed.org |
How we evaluate subprocessors
Before engaging any new subprocessor, we review their security posture, data-handling commitments, and privacy compliance (GDPR / CPRA / SOC 2 where applicable). Each is bound by contract to: (a) use personal data only on our documented instructions, (b) maintain appropriate security measures, and (c) notify us promptly of any data incident.
Cross-border transfers
Where personal data is transferred from the EU/UK/Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) plus supplementary measures per the Schrems II decision. Where a subprocessor offers EU-region hosting and the customer requests it, we accommodate where feasible.
Notification of changes
We will update this page when subprocessors change. Customers on Pro or Investor plans who require advance notice of subprocessor changes for their own compliance program can email legal@crunchly.io to be added to our notification list.