Sub-processors

Last Updated: November 6, 2025

This page lists all third-party service providers ("sub-processors") that I Made It Up uses to process customer data. We are committed to transparency about how and where your data is processed.

Notice of Changes: We will provide at least 30 days advance notice before adding new sub-processors or making material changes to existing ones. Notifications will be sent via email to registered users.

Current Sub-processors

Service Provider	Purpose	Data Processed	Location	Date Added
OpenAI, L.L.C. 3180 18th Street, San Francisco, CA 94110	AI Model Provider (Active) - Powers persona generation and conversation capabilities	Pseudonymised (converted to codes that cannot be linked back to you without our records) user identifier (for abuse monitoring). User-submitted content (contains PII - personally identifiable information - only if you choose to input it).	United States	November 5, 2025
Anthropic PBC 500 Howard Street, San Francisco, CA 94105	AI Model Provider (Approved) - Available for persona generation and conversations	Pseudonymised (converted to codes that cannot be linked back to you without our records) user identifier (for abuse monitoring). User-submitted content (contains PII - personally identifiable information - only if you choose to input it).	United States	November 5, 2025
Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043	Multiple Services: 1. AI Model Provider (Gemini API) - Available for persona generation and conversations 2. Authentication Provider - OAuth-based login	AI: Pseudonymised (converted to codes that cannot be linked back to you without our records) user identifier, user-submitted content Sign-in: Email address, profile information (name, avatar)	Global (Google Cloud data centers worldwide) Safeguards: Standard Contractual Clauses (2021), EU-U.S. Data Privacy Framework	November 5, 2025
Cloudflare, Inc. 101 Townsend St, San Francisco, CA 94107	Infrastructure & Hosting - Cloudflare Workers, D1 Database, R2 Storage, CDN	All application data including user accounts, personas, conversations, and uploaded content	Global (Primary: United States)	November 5, 2025
Stripe, Inc. 510 Townsend Street, San Francisco, CA 94103	Payment Processing - Subscription billing and payment management	Payment information, billing email, subscription status	United States (Global infrastructure)	November 5, 2025
Sentry Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105	Error Monitoring & Diagnostics - Application performance monitoring and error tracking	Error logs, stack traces, usage patterns, user identifiers (hashed), device/browser information	United States	November 5, 2025

International Data Transfers

Some of our sub-processors process data in countries outside the UK and European Economic Area (EEA). When your personal data is transferred internationally, we ensure appropriate safeguards are in place:

Transfer Safeguards

Standard Contractual Clauses (2021): Approved by UK ICO and European Commission for transfers to countries without adequacy decisions
UK International Data Transfer Agreement (IDTA): Used for UK-specific transfers where required
EU-U.S. Data Privacy Framework: Some sub-processors are certified under this framework, providing additional protections for EU-U.S. transfers

Specific Processing Locations

United States: OpenAI (AI processing), Google (OAuth + AI), Cloudflare (distributed hosting), Sentry (error logs) - all with appropriate safeguards
Ireland/EU: Stripe processes payment data within the EU via Stripe Payments Europe, Limited
European Union: Anthropic processes AI requests in EU (automatic for EU users since August 2025; storage remains in US)
Global/Distributed: Cloudflare processes data at edge locations closest to users worldwide for performance. Google may process Gemini API requests at any Google Cloud data center globally.

Your Data's Journey

When you use our Services:

Your input is sent to our infrastructure hosted on Cloudflare
AI processing requests are sent to OpenAI (United States), Anthropic (EU), or Google (global) depending on your selected model
Responses are returned to you through Cloudflare

All sub-processors have executed appropriate data transfer agreements and implement technical and organizational measures to protect your data regardless of processing location.

Minimizing International Transfers

We've taken steps to minimize data transfers and protect your data:

User identifiers are pseudonymised (hashed) before being sent to AI providers
AI providers retain API request data for limited periods for abuse monitoring: OpenAI (30 days), Anthropic (7 days as of Sept 2025), Google Gemini (55 days). None use API data for model training.
Payment data processed within EU via Stripe's Irish entity
All transfers protected by Standard Contractual Clauses and additional safeguards

For enterprise customers, we offer additional data residency options where technically feasible. Contact enterprise@imadeitup.ai for details.

Data Processing Standards

All sub-processors listed above are required to:

Maintain appropriate technical and organizational security measures
Process data only as instructed by I Made It Up
Comply with applicable data protection laws (GDPR, CCPA, etc.)
Maintain confidentiality of customer data
Provide appropriate data processing agreements

Privacy Practices

AI Provider Data Usage: We use third-party AI model providers that do not train their models on your data:

OpenAI: API services do not train on customer data. Retains data for 30 days for abuse monitoring. See OpenAI's Enterprise Privacy
Anthropic: API services do not train on customer data. Retains data for 7 days (as of Sept 2025) for abuse monitoring. See Anthropic's Commercial Terms
Google: Gemini API does not train on customer data. Retains data for 55 days for abuse monitoring. See Google AI Terms

Your conversations and personas are processed to generate responses for you and are not used to improve AI models. AI providers retain request data temporarily for abuse monitoring purposes only.

User Privacy: We hash user identifiers before storage to minimize personally identifiable information (PII) in our databases. Raw email addresses are preserved only for OAuth authentication and API attribution purposes.

Enterprise Options

For enterprise customers, we offer additional options including:

Custom Data Processing Agreements (DPA)
Data residency preferences (where available)
Additional security controls and audit capabilities

Questions

If you have questions about our sub-processors or data processing practices, please contact us at privacy@imadeitup.ai or review our Privacy Policy.

← Back to Terms of Use