Legal
Subprocessors
Effective June 2026 · Last updated 2026-06-01
Recoup relies on the following third-party services to operate. Each subprocessor has been vetted for security and compliance. We have Data Processing Agreements (DPAs) in place where required.
| Provider | Purpose | Location | Data processed |
|---|---|---|---|
| Supabase | Authentication, database (Postgres), file storage | Frankfurt, Germany (eu-central-1) | Email, OAuth tokens, user profile, songs, contracts, earnings snapshots |
| Vercel | Application hosting and serverless functions | Washington DC, USA (iad1) | Processed in transit only — no persistent data stored on Vercel |
| Stripe | Payment processing and subscription management | Global (data residency: EU/US) | Stripe customer ID, subscription status, invoice metadata. Card numbers never touch our servers. |
| Anthropic | LLM-based contract parsing (Claude) | USA | Extracted contract text (not original files). Zero data retention per API terms. |
| DeepSeek | LLM-based contract parsing (fallback provider) | China (data processed via API) | Extracted contract text (not original files). Zero data retention per API terms. |
| Songstats (via RapidAPI) | Streaming and radio play data for songs you add | Global (RapidAPI: USA) | ISRC codes only — no personal data. Response data cached as earnings snapshots. |
| Resend | Transactional email (password reset, billing notices) | USA | Email address, email content |
| Sentry | Error tracking and crash reporting | USA | Anonymised error traces. No PII or contract content. |
| PostHog | Anonymous product analytics | EU (eu.posthog.com) | Page views and feature usage. Cookie-less. No PII. IP addresses anonymised. |
| Cloudflare | Turnstile bot protection on signup/login forms | Global | Challenge tokens only. No persistent user data. |
| Spotify | OAuth sign-in and playlist import (opt-in) | Global | Spotify user ID, OAuth token. Playlist metadata and track ISRCs are imported only when you explicitly trigger an import. |
| OAuth sign-in provider (opt-in) | Global | Email address, display name, Google account ID | |
| Apple | OAuth sign-in provider (opt-in) | Global | Email address (or private relay address), display name |
| Discord | OAuth sign-in provider (opt-in) | Global | Email address, Discord username, Discord user ID |
This list is updated as our infrastructure evolves. For questions about any subprocessor, contact hello@recoup.cloud.