# Subprocessor List

**SnapSell AI**
**Effective Date:** January 2025
**Last Updated:** January 2025

---

## 1. Introduction

This document lists all third-party subprocessors that SnapSell AI, operated by Nova AI Ventures, engages to process personal data on behalf of our users. This list is maintained pursuant to Article 28 of the GDPR.

We will update this list when subprocessors are added or removed. Users can subscribe to updates by emailing privacy@snap-sell.app with the subject "Subprocessor Updates".

---

## 2. Subprocessor Categories

### Category A: Infrastructure & Hosting
Core infrastructure services that store and process user data.

### Category B: Payment Processing
Services that handle financial transactions.

### Category C: AI & Machine Learning
Services that process user content with AI/ML capabilities.

### Category D: Analytics
Services that collect usage data for service improvement.

### Category E: Communication
Services that facilitate user communication.

### Category F: External Marketplaces
Third-party platforms where user listings may be published (user-initiated).

---

## 3. Current Subprocessors

### 3.1 Google Cloud Platform (Infrastructure)

| Field | Details |
|-------|---------|
| **Company** | Google LLC |
| **Location** | United States (with EU data processing) |
| **Category** | A: Infrastructure & Hosting |
| **Services Used** | - Firebase Authentication<br>- Cloud Firestore (Database)<br>- Cloud Storage (File storage)<br>- Cloud Functions (Serverless compute)<br>- Firebase Hosting |
| **Data Processed** | - User account information<br>- User-uploaded photos and videos<br>- Listing data<br>- Application logs |
| **Data Location** | europe-west1 (Belgium) |
| **Transfer Mechanism** | EU-US Data Privacy Framework |
| **Security Certifications** | ISO 27001, SOC 1/2/3, PCI DSS |
| **Privacy Policy** | https://cloud.google.com/privacy |
| **DPA** | https://cloud.google.com/terms/data-processing-addendum |

### 3.2 Google Gemini (AI Processing)

| Field | Details |
|-------|---------|
| **Company** | Google LLC |
| **Location** | United States (with EU data processing) |
| **Category** | C: AI & Machine Learning |
| **Services Used** | - Gemini API (Image analysis)<br>- Gemini API (Text generation)<br>- Gemini API (Video processing) |
| **Data Processed** | - Product photos for enhancement<br>- Photos for description generation<br>- Content for video creation |
| **Data Location** | Processed in accordance with Google Cloud data residency |
| **Transfer Mechanism** | EU-US Data Privacy Framework |
| **Data Retention** | Not retained for model training (API usage) |
| **Privacy Policy** | https://ai.google/privacy |
| **DPA** | Included in Google Cloud DPA |

### 3.3 Stripe (Payments)

| Field | Details |
|-------|---------|
| **Company** | Stripe, Inc. |
| **Location** | United States (with EU entity: Stripe Payments Europe, Ltd.) |
| **Category** | B: Payment Processing |
| **Services Used** | - Payment processing<br>- Stripe Connect (seller payouts)<br>- Stripe Checkout |
| **Data Processed** | - Payment card details (tokenized)<br>- Billing information<br>- Transaction history<br>- Seller payout details |
| **Data Location** | EU (Ireland) for EU customers |
| **Transfer Mechanism** | EU-US Data Privacy Framework, SCCs |
| **Security Certifications** | PCI DSS Level 1 |
| **Privacy Policy** | https://stripe.com/privacy |
| **DPA** | https://stripe.com/legal/dpa |

### 3.4 Google Analytics (Analytics)

| Field | Details |
|-------|---------|
| **Company** | Google LLC |
| **Location** | United States |
| **Category** | D: Analytics |
| **Services Used** | - Google Analytics 4 |
| **Data Processed** | - IP address (anonymized)<br>- Device information<br>- Usage patterns<br>- Page views and events |
| **Data Location** | United States |
| **Transfer Mechanism** | EU-US Data Privacy Framework |
| **Legal Basis** | User consent (optional analytics) |
| **Configuration** | - IP anonymization enabled<br>- Data retention: 14 months<br>- No advertising features |
| **Privacy Policy** | https://policies.google.com/privacy |
| **Opt-Out** | https://tools.google.com/dlpage/gaoptout |

---

## 4. External Marketplace Connections (User-Initiated)

When users choose to connect their accounts and publish listings to external marketplaces, the following processors may receive data:

### 4.1 eBay

| Field | Details |
|-------|---------|
| **Company** | eBay Inc. |
| **Location** | United States (with EU entities) |
| **Category** | F: External Marketplaces |
| **Data Shared** | - Listing information (title, description, price)<br>- Product photos<br>- Seller contact information |
| **User Control** | Connect/disconnect at any time in settings |
| **Privacy Policy** | https://www.ebay.com/help/policies/member-behaviour-policies/user-privacy-notice-privacy-policy |
| **Notes** | Data sharing only when user explicitly publishes a listing |

### 4.2 Allegro

| Field | Details |
|-------|---------|
| **Company** | Allegro.pl sp. z o.o. |
| **Location** | Poland |
| **Category** | F: External Marketplaces |
| **Data Shared** | - Listing information (title, description, price)<br>- Product photos<br>- Seller contact information |
| **User Control** | Connect/disconnect at any time in settings |
| **Privacy Policy** | https://allegro.pl/help/regulations |
| **Notes** | Data sharing only when user explicitly publishes a listing |

---

## 5. Data Processing Locations

| Region | Subprocessors | Primary Use |
|--------|---------------|-------------|
| **EU (Belgium)** | Google Cloud Platform | Primary data storage |
| **EU (Ireland)** | Stripe | Payment processing for EU users |
| **EU (Poland)** | Allegro | Marketplace integration |
| **United States** | Google (Analytics, AI), Stripe, eBay | Analytics, AI processing, global payments |

---

## 6. Security Requirements for Subprocessors

All subprocessors must meet the following minimum requirements:

- [ ] Signed Data Processing Agreement (DPA)
- [ ] Appropriate technical and organizational measures (Article 32)
- [ ] Industry-standard security certifications (ISO 27001, SOC 2, or equivalent)
- [ ] Valid transfer mechanism for non-EU processing (EU-US DPF, SCCs, or Adequacy)
- [ ] Data breach notification procedures
- [ ] Regular security assessments

---

## 7. Changes to Subprocessors

### 7.1 Notification Process

We will notify users of subprocessor changes:

1. **New Subprocessor**: 30 days advance notice via email
2. **Removal**: Updated in this document within 7 days
3. **Material Changes**: 14 days notice for changes to data processing scope

### 7.2 Objection Rights

Business customers with a Data Processing Agreement may object to new subprocessors within 14 days of notification. Objections should be sent to privacy@snap-sell.app.

### 7.3 Change History

| Date | Change | Subprocessor |
|------|--------|--------------|
| January 2025 | Initial list | All listed subprocessors |

---

## 8. Contact Information

For questions about our subprocessors:

**Email:** privacy@snap-sell.app

**Data Controller:**
SnapSell AI
Operated by Nova AI Ventures
Registered in Poland

---

*This Subprocessor List is part of SnapSell AI's GDPR compliance documentation and is updated regularly.*