Subprocessors
Third-party providers that process personal information on Bailar's behalf, with role, data categories, and processing location.
Effective Date: July 8, 2026
This page lists the third parties (“subprocessors”) Bailar, Inc. engages to process personal information on its behalf. Each subprocessor is bound by a data processing agreement (or, where the vendor publishes one, by their standard DPA, which Bailar has accepted) that limits use of personal information to the purposes described and requires safeguards aligned with applicable law (including GDPR Article 28, Quebec Law 25 Article 18.3, PIPEDA Principle 4.1.3, and the LFPDPPP).
We update this list when we add or remove subprocessors. Where required by applicable law (including GDPR Article 28(2)), users in the EU/EEA, UK, and other relevant jurisdictions may be entitled to advance notice of subprocessor changes. To request notice or object to a specific subprocessor, contact our Privacy Officer at privacy@bailar.site.
For AI inference vendors (Section “AI Inference” below): for the live, user-facing inference paths — message-content moderation, image moderation, and the in-app assistant — Bailar routes to Google’s paid Gemini API, whose terms do not train Google’s foundation models on the inputs, with a free tier used as a short-term failover if the paid tier is unavailable (for message-content moderation, the failover chain may also reach Cerebras, a U.S. inference provider listed below). (Known-CSAM detection is a separate perceptual-hash match performed by Microsoft PhotoDNA, listed under “Safety and content moderation” below, not a generative-AI inference call.) For back-office batch and scheduled classification tasks that process public/host-submitted content (for example, categorizing and language-tagging scraped event listings), Bailar routes by default to a free-tier chain (local models, Cerebras, and Google AI Studio); for those vendors, the no-training position rests on each vendor’s own standard API terms rather than a paid/enterprise tier. In all cases Bailar routes AI traffic only to vendors operating under United States, European Union, United Kingdom, or Canadian data-protection law. Other than during a brief failover to a free tier — whose standard terms then govern and may permit the vendor to use the inputs to improve its own services — Bailar’s routing is designed to avoid sending end-user personal data to a vendor for that vendor’s own foundation-model training.
Infrastructure and Platform
| Subprocessor | Role | Data Categories | Processing Location |
|---|---|---|---|
| Supabase Inc. privacy |
Primary database, authentication, file storage, realtime subscriptions | Account data, profile data, communications, photos and media, location data, derived data | United States (AWS us-east-2) |
| Vercel Inc. privacy |
Web hosting, edge runtime, web analytics | IP address, user agent, page views, performance telemetry | United States (global edge network) |
| Cloudflare, Inc. privacy |
DNS, R2 object storage, Workers (map and RPC cache) | IP address, request metadata, cached map tiles and RPC responses | Global edge network |
| Hetzner Online GmbH privacy |
VPS hosting for the harvested-email pipeline (DNS MX precheck, classifier, discovery) and backup orchestration | Public-source business email addresses; no end-user personal data | Germany (European Union) |
| 650 Industries, Inc. (Expo) privacy |
Expo Application Services (EAS) for mobile build, OTA update delivery, and Expo Push (push-notification fan-out to APNs and FCM) | Expo push token, device platform and OS version, OTA runtime version, build metadata | United States |
| GitHub, Inc. privacy |
Source-code hosting and continuous-integration (Actions); no end-user content | Internal commits, CI logs, build artifacts | United States |
Authentication
| Subprocessor | Role | Data Categories | Processing Location |
|---|---|---|---|
| Apple Inc. privacy |
Sign in with Apple; App Store distribution; APNs push delivery; ASA Search Ads attribution (when consented); HealthKit on-device (no server-side health data) | Apple Account identifier (relay-anonymized email where Hide-My-Email is used), name and email (when shared at sign-in), APNs device token | United States; global Apple infrastructure |
| Google LLC (including Firebase) privacy |
Google Sign In (via Firebase project bailar-460ab); FCM push delivery; the Gemini API for content classification, ranking, moderation, and language tasks (detailed under “AI Inference” below); Google Search Console; Google Analytics 4 (web only; cookie-consent gated); Health Connect on-device (no server-side health data) |
Account identifier, IP address, device identifiers, content sent to the Gemini API, FCM registration token, web analytics events (cookie-consent gated) | United States; global Google infrastructure |
| Meta Platforms, Inc. privacy |
Facebook Login (OAuth) sign-in; receipt of the OAuth identity token plus any data the user explicitly authorizes at sign-in (typically name + email). Bailar does not currently use any Meta marketing pixel, Meta Audiences integration, or Meta Conversions API on the Service. | Facebook user identifier, name, email (when granted at sign-in) | United States; global Meta infrastructure |
| Kakao Corp. privacy |
Kakao Sign In (OAuth), offered on the login screen to users in the Korea region; receipt of the OAuth identity token plus any data the user authorizes at sign-in (typically name + email) | Kakao account identifier, name, email (when granted at sign-in) | South Korea |
Communications
| Subprocessor | Role | Data Categories | Processing Location |
|---|---|---|---|
| Resend, Inc. privacy |
Transactional and marketing email delivery | Email address, name, email content, delivery status | United States |
| Zoho Corporation privacy |
Business mailbox hosting (paul@bailar.site, support@bailar.site, privacy@bailar.site, legal@bailar.site, dmca@bailar.site, accessibility@bailar.site) | Inbound and outbound mail content; sender and recipient addresses | United States; India |
| Twilio Inc. privacy |
SMS one-time-passcode delivery for phone-based sign-in (Twilio Verify); transactional SMS lifecycle (event reminders, opt-in flows); WhatsApp Business messages for opted-in users; SMS download-link for App Store / Google Play handoffs | Phone number, message content, country of recipient, delivery and read status | United States; Twilio global infrastructure |
Payments
| Subprocessor | Role | Data Categories | Processing Location |
|---|---|---|---|
| Stripe, Inc. privacy |
Payment processing for marketplace transactions (event tickets, studio classes) under a destination-charge architecture; studio subscription billing (Pro / Elite); Stripe Connect host onboarding, KYC, and payouts; chargeback handling | Payment method, transaction amounts and metadata, billing address; card numbers tokenized by Stripe; for Hosts, Stripe-required KYC data (identity documents, beneficial-owner information) collected directly by Stripe | United States; Stripe global infrastructure |
| RevenueCat, Inc. privacy |
Mobile in-app subscription orchestration: receipt validation, entitlement state, and webhooks for Apple App Store and Google Play Billing (the “No Ads” tier and any future consumer subscriptions). Bailar never sees full card numbers; Apple and Google process the underlying payment. | App user ID (Bailar internal), platform receipts, entitlement state, subscription lifecycle events | United States |
| Apple Inc. (App Store Billing) terms |
In-app purchase processing for iOS subscriptions | Apple ID, payment method (held by Apple), transaction history | United States; global Apple infrastructure |
| Google LLC (Play Billing) terms |
In-app purchase processing for Android subscriptions | Google account, payment method (held by Google), transaction history | United States; global Google infrastructure |
| Coinbase, Inc. (Coinbase Business / CDP) privacy |
Where a payee elects the optional USDC payout rail, Coinbase Business sends the USDC transfer; it receives the recipient’s destination wallet address and the payout amount to execute the on-chain transfer | Destination crypto-wallet address, payout amount (no Bailar login credentials) | United States |
Identity verification
Bailar performs a government-ID + live-selfie identity check (a facial match) at two points: (1) to approve an instructor applicant on the automated verification path, and before any instructor is cleared to teach a class open to minors — an applicant who does not clear automated verification may still be approved for adult-only teaching by human staff review; and (2) before releasing a marketplace payout to a payee on the USDC payout rail (including non-instructor studio staff such as door, sound, security, greeter, or photo roles). This involves processing identity documents and facial-image data, which may be biometric or special-category data under laws such as the EU/UK GDPR (Article 9) and U.S. state biometric-privacy statutes. Bailar routes each person to one of the two providers below based on their country. Neither the ID image nor the selfie is used for advertising or model training.
| Subprocessor | Role | Data Categories | Processing Location |
|---|---|---|---|
| Stripe, Inc. (Stripe Identity) privacy |
Identity verification (government-ID document check plus live-capture selfie facial match) for instructor applicants and for payees on the USDC payout rail (including non-instructor studio staff), in Stripe Identity’s supported countries | Government-ID document image, live-capture selfie / facial-image data, verification result | United States; Stripe global infrastructure |
| Persona Identities, Inc. privacy |
Identity verification (government-ID document check plus selfie facial match) for instructor applicants and for payees on the USDC payout rail (including non-instructor studio staff) — the fallback provider for those in countries not supported by Stripe Identity | Government-ID document image, selfie / facial-image data, verification result | United States |
Safety and content moderation
To detect and report child sexual abuse material (CSAM) as required by law, images and video frames uploaded to Bailar (avatars, event media, message media, studio logos) are matched against known-CSAM hash databases. This involves sending the image bytes to the vendor below for perceptual-hash matching; a confirmed match is reported to the National Center for Missing & Exploited Children (NCMEC).
| Subprocessor | Role | Data Categories | Processing Location |
|---|---|---|---|
| Microsoft Corporation (PhotoDNA Cloud Service) about |
Known-CSAM detection: perceptual-hash matching of uploaded images and video frames against aggregated known-CSAM hash sets | Uploaded image / video-frame bytes | United States |
Mercantile fulfillment (bailar.site/shop)
| Subprocessor | Role | Data Categories | Processing Location |
|---|---|---|---|
| Printful, Inc. privacy |
On-demand merchandise printing and drop-ship fulfillment for the /shop catalog | Customer name, ship-to address, ordered SKU, order metadata; payment is captured by Stripe before fulfillment is initiated | United States; European Union; global Printful fulfillment network |
Product analytics
| Subprocessor | Role | Data Categories | Processing Location |
|---|---|---|---|
| PostHog Inc. privacy |
Product analytics, funnel and conversion analysis, feature-flag delivery for the mobile app and bailar.site. On the web, PostHog is loaded only after the user accepts analytics cookies (and never when a Global Privacy Control signal is present). In the mobile app, PostHog collects pseudonymous product-usage events, and is not initialized at all for devices in the UK, EU, or EEA (where analytics stays off pending a mobile consent mechanism). | Pseudonymous device or user identifier, event names, page paths, interaction metadata, in-app feature usage; no message content, no payment data | United States (us.posthog.com) |
Marketing and advertising (web)
On the bailar.site website only, the vendors below are loaded solely after you accept marketing/advertising cookies through the site’s cookie controls, and never when your browser sends a Global Privacy Control signal (see our Cookie Policy). They are not used in the mobile app.
| Subprocessor | Role | Data Categories | Processing Location |
|---|---|---|---|
| Pinterest, Inc. privacy |
Pinterest conversion / audience tag (loaded only after you accept marketing cookies): measures ad conversions and builds audiences for Bailar’s own Pinterest campaigns | IP address, cookie identifiers (e.g. _pin_unauth), page/conversion events |
United States |
| Google LLC (AdSense) privacy |
Google AdSense advertising delivery and measurement, where an AdSense client ID is configured for the deployed environment (loaded only after you accept marketing cookies) | IP address, advertising cookie identifiers, ad-interaction events | United States |
Observability and Operations
| Subprocessor | Role | Data Categories | Processing Location |
|---|---|---|---|
| Functional Software, Inc. (Sentry) privacy |
Application error tracking and performance monitoring; feeds the internal autofix triage pipeline | Stack traces; user identifier in error contexts; IP address; device and OS metadata | United States |
| Slack Technologies, LLC privacy |
Internal alerting and observability channels (operational logs only; no end-user content posted) | Operational alerts, system logs | United States |
AI Inference
The vendors below run inference on data Bailar sends them at the moment of use. As described in the note above, Bailar routes live user-facing inference (message moderation, image moderation, the in-app assistant) to Google’s paid Gemini API (no-train tier), with a free tier used only as short-term failover; back-office batch classification of public/host-submitted content routes by default to a free-tier chain of local models, Cerebras, and Google AI Studio, whose no-training position rests on each vendor’s standard API terms. On-device (local) models are used where available.
| Subprocessor | Role | Data Categories | Processing Location |
|---|---|---|---|
| Anthropic, PBC privacy |
Claude for optical character recognition and image classification (reading text from event flyers and receipts, photo quality/suitability checks, image ranking, and reference photo-license matching) and the internal engineering / autofix loop. Not used for message-content or image safety moderation (those use Google Gemini and Microsoft PhotoDNA) or for user-facing chat/text generation (that uses Google Gemini). | Images submitted for OCR / vision classification (e.g. event flyers, uploaded event or studio photos), and event copy; no private message content | United States |
| Google LLC terms |
Gemini API (paid tier primary) for text generation, content classification, ranking, moderation, and language tasks — the primary user-content inference provider | Content submitted to AI features (event copy, classification inputs, moderation prompts, message-content moderation) | United States |
| Cerebras Systems, Inc. privacy |
Text inference fallback in the routing chain when other providers are unavailable | Content sent to inference | United States |
| AudD, OU privacy |
Music-recognition for the “What’s playing?” song-identification feature, which you initiate. On Android and the server path, a short (~12-second) microphone audio clip is sent to AudD to identify the song. On iOS, Apple ShazamKit computes an acoustic signature from the clip on your device and sends that signature (not the raw audio recording) to Apple’s Shazam cloud catalog (Apple Inc., United States) for matching. On the Android/server path the raw clip is retained only transiently on Bailar’s server (automatically deleted within about 24 hours) and is not otherwise stored or shared beyond the identification request. | Short user-initiated microphone audio clip (AudD, Android/server) or an on-device-derived acoustic signature (Apple ShazamKit, iOS); no account identifier required for the match | European Union (AudD); United States (Apple) |
Studio promo-creative generation
Studios can optionally use a Backstage tool that generates promotional images for their events from a text prompt the studio writes and an optional source photo the studio chooses. When a studio initiates a generation, the prompt text and any source photo are sent to Google’s Vertex AI image-generation model (Imagen) to produce the promotional images. Google’s enterprise Vertex AI terms do not use the submitted inputs to train Google’s foundation models. This feature is studio-initiated and operates within the studio’s own promotional workflow.
| Subprocessor | Role | Data Categories | Processing Location |
|---|---|---|---|
| Google LLC (Vertex AI — Imagen) terms |
AI image generation for the optional studio promo-creative tool: produces promotional images from a studio-supplied text prompt and an optional source photo | Studio-supplied prompt text; optional source photo (which may depict identifiable people); the generated promotional images | United States |
Content discovery and enrichment
| Subprocessor | Role | Data Categories | Processing Location |
|---|---|---|---|
| Apify Technologies s.r.o. privacy |
Apify Harvest for public social-handle discovery (Instagram, TikTok, Facebook); used by content scrapers to seed the public studio and event directory | Public social media handles, public profile metadata; no end-user account data | Czech Republic (European Union) |
| Brave Software, Inc. privacy |
Brave Search API for internal grounded-search tooling; receives search queries, not user PII | Search queries (no user identifier transmitted) | United States |
| Tavily AI, Inc. privacy |
Tavily research API for internal grounded-search tooling; receives research queries, not user PII | Research queries (no user identifier transmitted) | United States |
| Geoapify GmbH privacy |
City / place search and address autocomplete (the primary provider for the in-app location search box); receives the text you type when searching for a city or place, and coarse coordinates where applicable, to return matching results | Location search-query text; approximate coordinates | European Union (Germany) |
| OpenStreetMap Foundation (Nominatim) privacy |
Fallback city / place geocoding when the primary provider returns no result; receives the location search-query text | Location search-query text | European Union / United Kingdom |
Vendors NOT listed above — and why
The investor packet’s Risk Factors section (§09) and Technology Maturity Appendix (§13) reference additional AI vendors that do not appear on this page. The omission is deliberate: those vendors are used only in Bailar’s internal consensus tooling, dev tooling, or back-office benchmarking pipelines, and they do not process end-user personal data, user content, or any data subject to GDPR Article 28, CCPA Service Provider obligations, or Quebec Law 25 Article 18.3.
Specifically, Bailar’s internal multi-model consensus panel — which helps Bailar’s team make brand, naming, copy, and legal-language decisions — queries a range of third-party models through US-based API providers and aggregators (for example, xAI, Cohere, Meta Llama via Groq, and Google/Anthropic models). These calls send only the question, supplied candidates or artifact, and a context primer authored by Bailar — never end-user personal data. If Bailar later wires any of these vendors into a user-facing inference path, it will be added to the AI Inference section above and disclosed to users on at least thirty (30) days’ advance notice consistent with the general subprocessor-change policy on this page.
Updates to this list
Last reviewed: July 8, 2026. Bailar reserves the right to add or remove subprocessors as the Service evolves. Material additions or replacements will be reflected here, with advance notice provided to users where required by applicable law. Subscribe to subprocessor change notifications by emailing privacy@bailar.site with the subject line “Subprocessor notifications.”
Revision history:
- July 8, 2026 — Accuracy pass. Disclosed three previously-unlisted live subprocessors: AudD (music recognition, EU) for the “What’s playing?” song-ID feature (short user-initiated microphone clip on the Android/server path; on iOS an on-device-derived acoustic signature is sent to Apple’s Shazam cloud catalog); Persona and Stripe Identity for instructor identity verification (government-ID + selfie biometric match); and Microsoft PhotoDNA for known-CSAM hash matching of uploaded images. Added a “Marketing and advertising (web)” section for the Pinterest conversion tag and Google AdSense (web only; loaded only after marketing-cookie consent), aligning with the Cookie Policy. Corrected the AI-inference disclosures to reflect actual routing: for text/inference (moderation, the assistant, classification) the primary user-content provider is Google’s paid Gemini API (not Vertex AI), with Cerebras and on-device models (Groq is used only in internal tooling, not on any user-facing inference path — see “Vendors NOT listed above”); removed the metered OpenAI and Perplexity Sonar rows (not used on any user-facing path). Separately disclosed Google Vertex AI (Imagen) for the optional studio promo-creative image-generation tool (a distinct image-generation path from the text-inference routing). Removed Google Places (retired) and the AI-generated “Operator content generation” vendors (ElevenLabs, Ideogram) consistent with Bailar’s policy against AI-generated marketing content. Softened the “no-training” representation to reflect paid/enterprise-tier no-train routing with a limited free-tier failover. Genericized the internal-consensus-panel vendor description.
- May 25, 2026 — Added Meta Platforms, Inc. (Facebook Login OAuth) under Authentication. Added “Vendors NOT listed above” section clarifying the GDPR Article 28 boundary for internal consensus / dev-tooling AI vendors.
- May 24, 2026 — Removed Google AdMob row (no AdMob SDK is integrated in the Service; aligning this page with the actual code paths in production).