Privacy
Subprocessors
Effective 2026-05-08 · Operated by Flaresoft Solutions
What this list is for
A subprocessor is a third party we share user data with so that Bingecraft can run. The list below names every active subprocessor, what they touch, where it's stored, and a link to their published Data Processing Addendum. We update this page within seven days of adding or removing a subprocessor.
By using Bingecraft you agree to our use of these subprocessors per our Privacy Policy and Terms of Service. If you have a question or want to object to a specific subprocessor, email privacy@bingecraft.app.
Active subprocessors
Clerk
DPA / terms ↗Authentication and account management. Stores your email, hashed password, and any profile fields you add (display name, avatar). Bingecraft references your account via the Clerk user id.
- Data
- Account credentials · Profile metadata · Session tokens
- Region
- United States
Neon
DPA / terms ↗Serverless Postgres host. Holds your library, watch history, forum posts, theories, ratings, and notification preferences. The canonical store of everything you author in the app.
- Data
- User-generated content · Watch history · Profile metadata
- Region
- United States (us-east-2 default; configurable)
Vercel
DPA / terms ↗Web hosting + edge infrastructure for the Next.js app and serverless API routes. Standard request logs (IP, user-agent, URL, response code) retained per Vercel defaults.
- Data
- Server logs · IP addresses
- Region
- United States + global edge
Inngest
DPA / terms ↗Durable background jobs (TMDB sync, push delivery, email digests, engagement rollups, billing webhooks). Receives event payloads + job state — no raw user PII beyond what the job processes.
- Data
- Job event payloads · User ids
- Region
- United States
Pusher
DPA / terms ↗Real-time WebSocket delivery for forum updates, group chat, and DMs. Channel ids carry user ids; message payloads relay only what was already authored in the app.
- Data
- Real-time event payloads · User ids
- Region
- United States + Europe
Resend
DPA / terms ↗Transactional and editorial email delivery. Holds your email address, send history, bounce / complaint state, and (for the newsletter) opt-in status. The Resend Audience is the source of truth for who receives the newsletter.
- Data
- Email addresses · Email delivery state
- Region
- United States + Europe
Anthropic
DPA / terms ↗Claude AI model inference for the Companion, recommendations, theory shielding, and DNA scoring. We send the user prompt + minimal show context per call. Anthropic's zero-retention terms apply — no data is used for training.
- Data
- AI prompts · AI outputs
- Region
- United States
Operated under the API zero-retention default — Anthropic does not retain prompts or outputs after the response completes.
TMDB
DPA / terms ↗Show metadata and imagery (titles, posters, episodes, where-to-watch). We never send your personal data to TMDB; the API key is server-side only.
- Data
- No user data sent
- Region
- United States
Read-only metadata. Listed for completeness — TMDB is not a processor of user data, but disclosure is good hygiene.
Stripe
DPA / terms ↗Payment processing for Supporter subscriptions, Founder one-time charges, and AI Message Pack purchases. Holds your billing details (card last-4, expiry, country) and charge history. We never see the full PAN.
- Data
- Billing details · Charge history
- Region
- United States + Europe (regional routing)
Vercel Blob
DPA / terms ↗Storage for forum image attachments and GDPR data-export ZIPs. Forum attachments are public-by-URL on a CDN; data exports are gated behind an authed proxy and expire after 7 days.
- Data
- User-uploaded images · Data export archives
- Region
- United States + global edge
Reddit
DPA / terms ↗Cultural Pulse trending data — public posts in r/television and per-show subreddits. We send no user data to Reddit; the API call sends only show titles.
- Data
- No user data sent
- Region
- United States
Google Trends
DPA / terms ↗Cultural Pulse interest-over-time signal. Unauthenticated public API. We send only show titles; no user data leaves Bingecraft.
- Data
- No user data sent
- Region
- United States
Expo / EAS
DPA / terms ↗Mobile build infrastructure and over-the-air update delivery for the iOS + Android app. Holds build artifacts; no live user data.
- Data
- Build artifacts · OTA update bundles
- Region
- United States
Apple Push Notification service
DPA / terms ↗Native push notification delivery on iOS. Receives the device token + notification payload. Apple does not retain delivered payloads.
- Data
- Device tokens · Notification payloads
- Region
- United States
Firebase Cloud Messaging (Google)
DPA / terms ↗Native push notification delivery on Android. Receives the device token + notification payload.
- Data
- Device tokens · Notification payloads
- Region
- United States + global
Scheduled / contingent
These vendors are integrated in code but not yet active. They do not receive user data until the trigger noted in each entry fires. We'll move the entry up to “Active” on this page within seven days of activation.
Shippo
DPA / terms ↗Founder pin + certificate fulfillment. Receives shipping address only at the moment a Founder hits the production trigger. Address is not sent until physical fulfillment begins.
- Data
- Shipping addresses
- Region
- United States
Not yet active — Shippo integration ships in Founders Tranche 2 once we cross 100 claimed Founders.
Sentry
DPA / terms ↗Native crash reporting for the mobile app (iOS + Android). Receives stack traces, device model, and OS version. User ids are attached when available.
- Data
- Crash diagnostics · User ids
- Region
- United States + Europe
Activates when EXPO_PUBLIC_SENTRY_DSN is configured (Sprint 23b).
Axiom
DPA / terms ↗Server-side logging and alert routing. Receives structured log entries (level, message, context, user id when present). Retained 30 days.
- Data
- Server logs · User ids
- Region
- United States
Activates when Axiom is wired into Vercel logs (Sprint 23b).
How we add a subprocessor
- Sign the vendor's DPA before any production data flows.
- Verify the vendor's data residency, retention defaults, and sub-subprocessor list.
- Add the entry to this page (this commit lands before the env var does).
- Update the privacy policy if the new vendor changes the categories of data we process or the regions we send it to.
How we remove a subprocessor
When we stop sending data to a vendor, we delete it from this list (after 90 days as a historical record). The retention status of any data the vendor still holds is governed by the deletion clause in our DPA with them.