Victory Extraction
ResumeJoin
All legal documents

Sub-processors

Last updated / effective: 1 August 2026

To run Victory Extraction, we use the third-party providers ("sub-processors") below. They process personal data only on our instructions to provide their part of the Service. See the Privacy Policy for purposes and legal bases.


ProviderWhat it does for usData involvedLocation / transfer safeguard
StripePayments and checkout (independent controller — see below)Billing identifiers, payment status (no full card data stored by us)EU/US — EU–US Data Privacy Framework (SCC backup)
AnthropicAI for diary reflections, summaries, the "Victor" assistant, and automated moderation of community contentDiary text and related context you consent to; and — for moderation — community posts, comments, poll questions and options, submitted tasks, and the display name (nickname/first name) shown with themUS — Standard Contractual Clauses (in the DPA); contractual no-training
OpenAITranscription of voice diary input (speech-to-text)Voice audio (transcribed, not retained as audio)US — EU–US Data Privacy Framework (SCC backup, in the DPA); contractual no-training
Amazon Web Services (AWS)Storage of community media and video contentUploaded images/videos, lesson mediaUS (us-east-1) — EU–US Data Privacy Framework + SCC
ResendSending transactional and marketing emailEmail address, message contentUS — EU–US Data Privacy Framework / SCC
VercelHosting and cookieless web analyticsTechnical/log data; aggregate analyticsUS/EU — EU–US Data Privacy Framework (SCC backup)
UpstashCaching and rate-limitingTechnical data, short-lived keysEU region — no transfer outside the EEA
SupabaseDatabase hosting (PostgreSQL)All account/app data stored in the database — including diary entries (special-category data)US (us-east-1) — Standard Contractual Clauses (Supabase DPA)
Google"Sign in with Google"Account identifier, basic profile (name, email)US — EU–US Data Privacy Framework
Apple"Sign in with Apple"Account identifier, basic profileUS — EU–US Data Privacy Framework
Browser push services (Google FCM, Mozilla, Apple)Delivering the web-push notifications you opt intoPush endpoint address; notification payload (title, short text, link) — encrypted in transitUS/EU — routed by your browser vendor's push service; payload is end-to-end encrypted

Stripe acts as an independent controller for its own payment processing, fraud prevention, and regulatory/compliance purposes; for those purposes Stripe is responsible as a controller in its own right, not as our processor.

We update this list when we add or change sub-processors. Questions: info@victoryextraction.com.

More documents

PrivacyTermsCookiesRefundsCommunityImprintHealth data

© 2026 Victory Extraction. All rights reserved.