Subprocessors & Third-Party Services
Last Updated: December 22, 2025
PhotoHeirloom uses trusted third-party service providers (subprocessors) to help deliver our service. This page lists all subprocessors that process your personal data, what data they handle, and where they operate. All subprocessors are contractually bound to protect your data and comply with GDPR and other privacy regulations.
Clerk (Authentication)
Purpose: User authentication, account management, and session security
Data Processed: Email addresses, names, authentication tokens, login history
Data Location: United States (AWS infrastructure)
Privacy Policy: clerk.com/privacy
Vercel (Hosting & Storage)
Purpose: Website hosting, photo/video storage (Vercel Blob), and analytics
Data Processed: Photos, videos, website usage data, IP addresses (anonymized for analytics)
Data Location: United States (multi-region infrastructure)
Privacy Policy: vercel.com/legal/privacy-policy
Supabase (Database)
Purpose: PostgreSQL database for family tree data, photo metadata, and user relationships
Data Processed: Family tree data (names, dates, relationships), photo metadata, user preferences
Data Location: United States (AWS us-west-1)
Privacy Policy: supabase.com/privacy
Replicate (AI Processing)
Purpose: AI-powered photo restoration and video generation
Data Processed: Photos you choose to restore or animate (processed temporarily, not stored permanently)
Data Location: United States
Privacy Policy: replicate.com/privacy
Google (Maps & Contacts APIs)
Purpose: Location autocomplete (Maps API) and optional contact import (Contacts API)
Data Processed: Location queries (Maps); contact names and emails (Contacts, not stored on our servers)
Data Location: Global (Google Cloud Platform)
Privacy Policy: policies.google.com/privacy
Paddle (Payment Processing)
Purpose: Payment processing, subscription management, and billing
Data Processed: Payment information, billing details, transaction history (we do not store credit card numbers)
Data Location: United Kingdom & United States
Privacy Policy: paddle.com/legal/privacy
Data Protection & Compliance
All our subprocessors have been carefully selected based on their compliance with data protection regulations:
- GDPR Compliance: All subprocessors are GDPR-compliant and adhere to strict data protection standards
- Data Processing Agreements: We have signed Data Processing Agreements (DPAs) with all subprocessors that handle personal data
- Security Standards: Subprocessors use industry-standard encryption (TLS/SSL for data in transit, AES-256 for data at rest)
- Regular Audits: We regularly review our subprocessors' security practices and compliance status
Updates to This List
We may add, remove, or replace subprocessors as our service evolves. When we make significant changes (e.g., adding a new subprocessor that handles personal data), we will update this page and notify users via email if required by law. The 'Last Updated' date at the top reflects when this list was last modified.
Questions About Subprocessors?
If you have questions about our subprocessors or how your data is processed, please contact us at [email protected].