To run Chatalott we rely on a handful of vetted third-party vendors. This page is the authoritative list. We notify customers at least 30 days before adding a new subprocessor that handles personal data, giving you a right to object under our DPA.
Current subprocessors
| Vendor | Purpose | Data received | Region | Policy |
|---|---|---|---|---|
| Vercel (Vercel, Inc.) | Application hosting, edge functions, static asset CDN. | All requests to the platform. Request metadata, IP, response logs. | Global edge network; primary compute in US (iad1). | View |
| Neon (Neon Inc.) | Primary PostgreSQL database — users, contacts, billing records. | All customer data at rest (encrypted). | US East (AWS us-east-1). | View |
| Upstash (Upstash Inc.) | Redis — rate-limiting counters, ephemeral session state. | IP-hashed keys, user-ID hashed keys, request counts. No message content. | US East. | View |
| Stripe (Stripe, Inc.) | Payment processing, subscription billing, Connect payouts for Ambassadors. | Name, email, billing address, card data (tokenized by Stripe — we never see it), payout bank details for Ambassadors. | US, with GDPR-compliant EU routing for European customers. | View |
| Resend (Resend, Inc.) | Transactional email — sign-up confirmations, password resets, billing receipts. | Recipient email address, message content you asked us to send. | US. | View |
| Groq (Groq, Inc.) | LLM inference for Offer Lab, follow-up generation, email drafts. | Prompt text you submit plus minimal context. Not used to train models. | US. | View |
| Fal.ai (Features Analysis Lab Inc.) | AI image and video generation for Creative Studio. | Prompts and uploaded reference images. Not used to train models. | US. | View |
| Vercel Blob | Object storage for user-uploaded avatars, generated images, exports. | The file bytes plus a signed URL. | US East. | View |
| Google (Alphabet Inc.) | Google Calendar sync and Sign in with Google (optional integrations). | OAuth scopes you approve: calendar read/write, basic profile. Only when you connect. | Global; data residency governed by your Google account. | View |
Change notifications
We publish changes to this list on this page and email customers on Pro or Premium plans (the plans eligible for DPAs) at least 30 days before a new subprocessor begins handling personal data. To subscribe to subprocessor change notices without a paid plan, email privacy@chatalott.com.
Safeguards
Every vendor above has signed a Data Processing Agreement (DPA) with us that contains the Standard Contractual Clauses where applicable, restricts processing to the purposes listed, and requires the vendor to maintain a security posture equivalent to our own.
Questions?
Email us at support@chatalott.com