Subprocessors

Effective April 10, 2026

Gorganizer uses the third-party services listed below to provide the app. Each entry describes what data is shared, what the vendor uses it for, the processing region, and a link to the vendor's Data Processing Agreement. Vendors marked Required are load-bearing (Gorganizer cannot run without them); the rest are optional features that only receive data when the corresponding feature is enabled in your settings.

This page is maintained in parallel with our Privacy Policy. When we add or remove a subprocessor we update this page and announce the change on the changelog before the change takes effect.

Google LLC

Required

Purpose: Gmail OAuth sign-in and scoped Gmail API access (gmail.modify).
Data shared: OAuth access + refresh tokens, the email metadata and headers Gorganizer reads to score each message, Gmail label mutations, and move-to-trash operations.
Region: United States, with processing distributed across Google Cloud regions.
DPA: https://cloud.google.com/terms/data-processing-addendum

Vercel Inc.

Required

Purpose: Application hosting, serverless function execution, CDN, and web analytics.
Data shared: Every HTTP request to gorganizer.com (including authenticated requests and their response bodies), IP addresses, and Vercel Analytics page-view pings.
Region: Primary compute region configurable per deployment; Gorganizer targets Frankfurt (fra1) for EU processing where possible.
DPA: https://vercel.com/legal/dpa

Supabase Inc.

Required

Purpose: Postgres database hosting (user profiles, settings, scan/clean history, audit log, domain learning).
Data shared: Your Google account id, email, name, Gorganizer settings, cleaning history rows, audit log rows, per-domain trash-boost scores, and encrypted OAuth tokens.
Region: Selectable per project; Gorganizer's project runs in the EU (Frankfurt) region.
DPA: https://supabase.com/legal/dpa

Stripe, Inc.

Required

Purpose: Payment processing, checkout sessions, webhook event delivery, customer portal.
Data shared: Your email address, Stripe customer id, one-time payment intent id, and any billing address you enter at checkout. Gorganizer never sees your card number — Stripe handles card data directly under PCI scope.
Region: United States; Stripe operates globally with DPA coverage for EU transfers.
DPA: https://stripe.com/legal/dpa

Anthropic, PBC

Optional

Purpose: Optional AI email classification (Claude Haiku) for emails the rule engine scores as ambiguous.
Data shared: Sender address, subject line, and the first 300–400 characters of the email body for review-tier messages only. Never sent: full body, attachments, authentication tokens, or other message headers. Input is sanitized against prompt-injection shapes before sending (iter 431).
Region: United States.
DPA: https://www.anthropic.com/legal/commercial-terms

Upstash, Inc.

Optional

Purpose: Redis-backed rate limiting (prevents abuse of scan, clean, export, and delete endpoints).
Data shared: Rate-limit counters keyed by your Google account id. No PII, no message content, no headers — only `(key, count, window)` tuples expiring on a short TTL.
Region: Selectable per database; Gorganizer's instance runs in an EU region.
DPA: https://upstash.com/trust/dpa.pdf

Resend Inc.

Optional

Purpose: Transactional email delivery (post-clean digest, weekly reports, receipt emails).
Data shared: Your email address, the subject + body of any email Gorganizer sends you (a digest of cleaning stats — never message content from your inbox).
Region: United States.
DPA: https://resend.com/legal/dpa

Functional Software, Inc. (Sentry)

Optional

Purpose: Error monitoring and exception aggregation.
Data shared: Exception stack traces, request metadata (path, method, status code), opaque user id (not email), and any context explicitly attached to an error. PII scrubbing is enabled — email addresses, OAuth tokens, and message content are redacted before upload.
Region: United States.
DPA: https://sentry.io/legal/dpa/

PostHog Inc.

Optional

Purpose: Product analytics — aggregated page-view, feature-adoption, and funnel events used to improve the product.
Data shared: Anonymous or pseudonymous PostHog distinct id, page paths, and event names. Once you are signed in, your Gorganizer account email and paid/free tier are attached so the team can prioritise paid-user issues. No Gmail content, no OAuth tokens, no message headers, and no email body text are ever sent. Autocapture is disabled; only events Gorganizer explicitly triggers reach PostHog.
Region: Selectable per project between the US (us.i.posthog.com) and EU (eu.i.posthog.com) clouds. Gorganizer targets the EU region when deployed at sciencemind.se or any EU-origin domain.
DPA: https://posthog.com/dpa

Questions about a specific vendor? Email privacy@gorganizer.com. For a full description of how we handle your data, see the Privacy Policy.