Legal

Subprocessors

Effective date: July 4, 2026 · Last updated: July 4, 2026

Roles

For behavioral telemetry collected from your sites' visitors, you are the data controller and Flusterduck (operated by Creayo LLC) acts as your data processor. For your account, organization, and billing data, Flusterduck is the controller. The providers below are the subprocessors we engage to deliver the service; each processes data only on our documented instructions, only as needed to provide its service to us, and under a written agreement imposing data-protection obligations consistent with ours.

The baseline that applies before any subprocessor is involved: end-user telemetry is PII-redacted in the visitor's browser before it leaves. No provider on this list ever receives form values, keystrokes, or session recordings, because we never collect them. Visitor IP addresses are hashed at the edge before storage.

Infrastructure subprocessors

SubprocessorPurpose of processingCategories of dataData subjectsLocation
Supabase, Inc. (hosted on Amazon Web Services, Inc.)Database, authentication, and edge-function compute. The core of the service runs here.All service data: behavioral events, detected issues, page snapshots, account and organization records.Site visitors (pseudonymous), account membersUnited States
Vercel Inc.Hosts flusterduck.com and the API proxy; dashboard and SDK traffic transits its edge network.Request traffic in transit, including SDK event payloads and dashboard sessions.Site visitors (pseudonymous), account membersUnited States (global edge)
Cloudflare, Inc.Hosts the MCP server (mcp.flusterduck.com) for AI-assistant access to your data.MCP requests and responses for accounts that use the MCP integration.Account membersUnited States (global edge)
Anthropic, PBCAI models behind issue diagnosis, triage, Guide answers, and Autofix.PII-scrubbed issue evidence: signal data, element labels, error summaries, and public page snapshots. Never raw visitor identifiers.Site visitors (pseudonymous, aggregated)United States
context.devFetches rendered snapshots of your public pages to ground AI diagnosis and power the site scanner.URLs of your public pages. Receives no visitor or account data.None (page URLs only)United States
Stripe, Inc.Billing: subscriptions, payment methods, and invoices.Account holder name, email, and payment details. Stripe acts as an independent controller for payment data; card numbers never touch our systems.Account holdersUnited States (global)
ResendTransactional email: alerts, weekly digests, and onboarding messages.Member names and email addresses, plus the content of the notification.Account membersUnited States

Trade names are used where a provider does not prominently publish its legal entity name; the full entity name appears in that provider's own terms. Providers may replicate or route traffic through other regions via their own networks; primary processing locations are listed above. One client-side note for completeness: the dashboard and scan results load site favicons directly from Google's public favicon service in your browser. Only the site's domain name reaches Google, never account or visitor data.

International transfers

Where personal data originating from the European Economic Area, the United Kingdom, or Switzerland is transferred to the providers above, the transfer relies on the EU–US Data Privacy Framework (and its UK and Swiss extensions) where the provider is certified, and on Standard Contractual Clauses otherwise, together with the technical measures described in our privacy policy: in-browser PII redaction, IP hashing, and encryption in transit and at rest.

Integrations you connect

The following receive data only if you connect them, only what you direct us to send, and stop receiving anything the moment you disconnect them. Because they process data on your instructions under your own agreements with them, they act as your directly appointed processors (or independent controllers) rather than our subprocessors:

  • Linear: issue titles, summaries, and status sync.
  • GitHub: issue exports and Autofix draft pull requests.
  • Slack: alert notifications and slash-command responses.
  • PagerDuty: alert escalations.

Notice of changes and right to object

We update this page before engaging a new infrastructure subprocessor or replacing an existing one, and we give organization owners at least 30 days' advance notice through the dashboard and by email, except where an urgent replacement is required to protect the security or availability of the service, in which case we notify you as soon as reasonably possible.

If you object to a new subprocessor on reasonable data-protection grounds, contact support@flusterduck.com within the notice period. We will work with you in good faith to address the objection, for example by adjusting configuration so the subprocessor is not used for your data where the product allows it (such as disabling page-content fetching in Settings → AI). If no resolution is reasonably possible, you may terminate the affected service and we will refund any prepaid fees covering the remainder of the term.

Data processing agreement

A data processing agreement incorporating these subprocessor terms and Standard Contractual Clauses is available to customers on request at support@flusterduck.com. See also the privacy policy and terms of service.

Subprocessors | Flusterduck