Subprocessors — goldprice.dev
Version 0.2.0 · Last updated: 2026-05-04
What is a subprocessor?
A subprocessor is a third-party service we use to operate goldprice.dev. Each subprocessor processes some category of data on our behalf under a data processing agreement (or equivalent contractual protection). This page is the canonical list; our Terms of Service and Privacy Policy reference it rather than re-listing every vendor, so we can swap vendors without amendment ceremony.
If you have questions about a specific subprocessor, email support@goldprice.dev with subject prefix [PRIVACY].
Current subprocessors
| Service | Purpose | Data handled | Hosting region | Provider privacy policy |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, invoicing, dunning, customer portal | Billing address, tax ID, payment method metadata (last 4 digits), email, customer + subscription identifiers | US (SOC 2 Type II, PCI-DSS Level 1) | stripe.com/privacy |
| Supabase, Inc. | Primary database, authentication, row-level security | Account data, API key hashes, derived price records (no personal data), aggregated usage metadata | US (us-west-1) | supabase.com/privacy |
| Fly.io, Inc. | Application hosting, container orchestration, edge routing; self-hosted Redis for rate-limit counters and short-lived session data | Request logs (IP, endpoint, status), ephemeral compute state, rate-limit counters (keyed by org ID or IP), onboarding session plaintext keys (10-minute TTL) | Global edge (primary: IAD / US-East) | fly.io/legal/privacy-policy |
| Resend, Inc. | Transactional email delivery; marketing email delivery for opt-in subscribers | Email address, message subject + body, delivery + open metadata | US | resend.com/legal/privacy-policy |
| Sentry, Inc. | Error tracking, performance monitoring | Error stack traces, user agent, IP address at error time, redacted request metadata | US | sentry.io/privacy |
| Cloudflare, Inc. | CDN, DNS, DDoS protection, TLS termination | IP addresses, request headers, request metadata | Global edge network | cloudflare.com/privacypolicy |
| Vercel, Inc. | Marketing site + dashboard hosting, edge routing, build artifacts | Request logs (IP, endpoint, status), build outputs | Global edge (primary: IAD / US-East) | vercel.com/legal/privacy-policy |
| Anthropic, PBC | LLM-assisted parsing of public analyst-source HTML into structured forecast rows. Operates under zero-retention API terms | No personal data; we send public web content (analyst publications) for extraction only | US | anthropic.com/legal/privacy |
| CoinMarketCap (CMC) | Reference market data — tokenized-gold spot prices (PAXG, XAUT) under their commercial Basic plan with attribution requirement | No personal data; we read public reference market data only | US | coinmarketcap.com/privacy |
Upstream public-reference data sources
The following are not subprocessors in the data-protection sense — we do not send personal data to them. They are the public-reference data layers that feed our aggregation pipeline. Listed here for transparency and described in our methodology document:
- Yahoo Finance — primary public delayed-feed series for gold, silver, and copper futures settle prices (~15 min delayed, 3-min cadence)
- Stooq — secondary fallback for futures settle prices, cross-validated against the primary series
- Reuters Poll, Yardeni Research, World Gold Council — public analyst forecast publications (LLM-assisted extraction with ≤200-character verbatim excerpts per row, attributed to source)
- European Central Bank (ECB) via
frankfurter.dev— FX reference rates (public reference, daily, 164-way triangulation) - Permissionless public oracle sources— real-time XAU/USD + XAG/USD spot reference streams (commercial-redistribution-permissive per 2026-04-21 T&C review)
Use of these public-reference layers is governed by our Terms of Service § 7 (Data Methodology and Accuracy) and our published methodology. We do not claim a redistribution license from any of these sources; our responsibility model is aggregated-public-reference with explicit user-responsibility for downstream compliance.
Changes to this list
We maintain this list as vendors change. Material changes (adding a new vendor that processes personal data in a new category, or removing a vendor that we had previously named) are reflected here without requiring separate notice, consistent with the "living list" structure referenced in Terms of Service § 13. Subscribers to our news feed at /news may see summary updates after material changes.
If you want explicit notification on subprocessor additions, email support@goldprice.dev with subject prefix [SUBPROCESSOR-ALERTS] and we will add you to the notification list.
Contact
Nusantara Ventures LLC
1401 Pennsylvania Avenue STE 105 1776, Wilmington, DE 19806, USA
Email: support@goldprice.dev with subject prefix [PRIVACY]