This page lists the third-party service providers ("sub-processors") that Celerora LLC engages to handle personal information in connection with the Service. Each vendor is contractually bound by data-processing terms — typically a standalone Data Processing Agreement (DPA), or equivalent terms embedded in the vendor's commercial agreement (for example, Anthropic and OpenAI incorporate their data-processing obligations and Standard Contractual Clauses into their Commercial Terms rather than a separate DPA).
For activities where the vendor acts as our processor, those terms require the vendor to safeguard personal data and process it only on our documented instructions. For activities where the vendor acts as an independent or joint controller for parts of the flow (see the note on data roles below), the vendor's own privacy practices govern how it uses the data; in those cases the binding still requires the vendor to handle the data lawfully and protect it with appropriate safeguards, but it is not strictly limited to processing on our instructions.
A note on data roles. Most vendors listed here act as processors on our behalf for the activities described. A few play hybrid or independent roles for parts of the flow — for example, Stripe acts as an independent controller for KYC and identity-verification data it collects directly from service providers (held under Stripe's own privacy practices), and Google operates Identity Services and Calendar APIs primarily as an independent provider whose users authorize Celerora to access specific data. We list these vendors here for transparency about who touches your data, not to imply a uniform processor relationship; for the broader controller / processor framework see Section 12 of the Privacy Policy.
For details on how we use each sub-processor, see Section 5 of our Privacy Policy. For details on international transfer safeguards (Standard Contractual Clauses, EU-US Data Privacy Framework, UK Addendum), see Section 13.
We update this list when we add, remove, or replace a sub-processor. Material changes (new categories of data shared, new locations, or replacement of a vendor with one performing different functions) are announced at least 30 days before taking effect, as described in Section 15 of the Privacy Policy.
Current sub-processors (10)
Listed by legal entity. Where a single vendor provides multiple products under one DPA (for example, Cloudflare R2 and Cloudflare Turnstile), both products are described in a single entry.
AI-assisted quote generation and message drafting (Claude API)
Data shared
Text content submitted to AI features (quotes, messages, business descriptions)
Transfer mechanism
Standard Contractual Clauses in Commercial Terms; training opt-out is the default for all commercial API access (we have not enabled any opt-in training feature)
AI-assisted quote generation and message drafting (OpenAI API)
Data shared
Text content submitted to AI features (quotes, messages, business descriptions)
Transfer mechanism
Standard Contractual Clauses in Commercial Terms; training opt-out is the default for the paid API tier we use (we have not enabled any opt-in training feature)
Google Calendar integration (provider opt-in, via Google Calendar API) and Google OAuth authentication (Google Identity Services)
Data shared
For OAuth sign-in: a Google-issued ID token containing the user's Google account ID (the "sub" claim), email address, email-verified flag, first and last name, profile picture URL, and locale preference — the standard claims of a verified Google ID token. For Calendar sync: calendar events read or written on behalf of opted-in providers, plus OAuth refresh tokens used to maintain authorized API access.
Transfer mechanism
Google LLC is certified under the EU-US Data Privacy Framework (with the UK Extension). For the OAuth (Identity Services) and Calendar API surfaces we use, the applicable Standard Contractual Clauses and data-processing terms are embedded in the API service agreements we accept by using those Google products, rather than in a separately signed DPA. We do not use Google Cloud Platform paid services, so the Google Cloud Data Processing Addendum is not the applicable instrument here.
Processing location
Global Google data centers (primary processing in United States)
Web application hosting, serverless function execution, request logging
Data shared
Request metadata (IP address, user-agent, request paths, response codes) and any request content processed through the serverless runtime to render or respond to a request
Transfer mechanism
EU-US Data Privacy Framework (certified) + Standard Contractual Clauses in DPA
PostgreSQL database hosting (primary user data storage)
Data shared
Personal data stored in the application database — including account and profile fields, bookings and quotes, messages, AI conversation records, payment metadata, audit logs, and other records described in the categories at Section 11 of the Privacy Policy
Two products: (1) R2 — object storage for uploaded images and files (avatars, service photos, booking photos); (2) Turnstile — bot and spam protection on signup, login, and public booking forms
Data shared
For R2: uploaded image and file content. For Turnstile: IP address and browser signals used for bot detection
Transfer mechanism
EU-US Data Privacy Framework (certified) + Standard Contractual Clauses in DPA (single DPA covers both products)
Redis-backed authentication cache, token-blacklist storage, and rate-limit counters
Data shared
SHA-256 hashes of issued JWT bearer tokens (the full token string is hashed; the original token cannot be recovered from the hash) used to enforce token blacklisting after sign-out or password change; cached user-status flags (e.g., active, suspended) and basic auth metadata; rate-limit counters keyed by IP address. Raw session tokens, passwords, and other secrets are never written to Redis.
Ask which transfer safeguard applies to a given sub-processor, or request a copy or description of the safeguard (e.g., the relevant Standard Contractual Clauses module or DPF certification reference) under GDPR Article 13(1)(f).
Receive notice when this list changes. Material additions are also announced in advance under the process described in Section 15 of the Privacy Policy.
Ask about the underlying data-processing terms we have with a specific sub-processor (whether those are a standalone Data Processing Agreement or data-processing terms embedded in a commercial agreement). Each vendor generally makes its standard DPA or commercial data-processing terms available on its own site; we will point you to the applicable public terms, or share details about our specific arrangement to the extent the vendor's confidentiality terms permit.