Kinship Public Subprocessor List
Effective date: 2026-06-05
Last updated: 2026-06-05
Version: v1.0
What this page is
A subprocessor is a third party we authorize to process personal data on our behalf. Under our Terms of Service §6 we owe users a named, current list of every subprocessor that touches their data, plus at least 30 days' notice before adding or replacing an AI subprocessor. The same window applies, as a policy commitment, to any subprocessor that touches identifiable contact, note, or life-event data.
We will update this page whenever the list changes, and the change will be noted in the changelog at the bottom. To be notified of changes, watch the public commit history of this page. Email notifications to paid-plan account holders will accompany any change that adds or replaces a subprocessor handling identifiable content (see "Notification of changes" below).
If your jurisdiction requires us to seek your prior consent before transferring your personal data to a new subprocessor (e.g. some EU member-state interpretations of GDPR Art. 28), please contact us — we will pause processing of your data through any added vendor until consent is recorded.
Active subprocessors
Categories: (P) Platform / hosting / database, (AI) AI model providers, (C) Integrations / connected accounts, (O) Operational (billing, email, observability, rate-limiting).
| # | Subprocessor (legal entity) | Category | Role on Kinship | Data categories processed | Processing location | Retention by subprocessor | DPA / public privacy doc |
|---|---|---|---|---|---|---|---|
| 1 | Supabase, Inc. (Delaware) | P | Primary database (Postgres + pgvector), Auth (OAuth orchestration, JWT signing), user storage (avatars). Prod project hexecmcmwmnhkkhsckty. | All account data, all user-supplied contact/note/life-event content, all derived AI summaries and embeddings, auth metadata. | United States (us-east-1). | Database: lifetime of account, then per our retention schedule. Point-in-time-recovery backups: 7 days on the Supabase Pro tier we use. | Supabase DPA · Supabase Privacy Policy |
| 2 | Vercel, Inc. (Delaware) | P | Application hosting, edge runtime, preview deployments, scheduled jobs (cron), platform logging. | All HTTP request metadata (IP, user-agent, path, referrer, timing), any request body that transits an edge/server function (i.e., effectively all account interactions), and runtime logs that may contain redacted error context. We do not send identifiable contact bodies into Vercel's product analytics. | United States (default Vercel region; specific edge POP may be the nearest to the user for static assets and edge middleware). | Vercel Pro runtime logs: 24 hours rolling. Build logs: 30 days. (We are upgrading from Hobby — see Changelog.) | Vercel DPA · Vercel Privacy Policy |
| 3 | Anthropic, PBC (Delaware) | AI | Large-language-model provider for paid-tier AI Features only (note summarization, follow-up prompts, NL search reranking, relationship-health digests). Model: claude-sonnet-4-6 via the claude-3 family API. | Only the specific note/activity content or query you direct an AI Feature to operate on, plus minimal account metadata to scope the request. Sent only when (a) plan tier is paid, (b) ai_features_enabled=true, (c) the per-activity opt-out is not set. Not sent: full address book, OAuth tokens, payment data, other users' content. | United States. | Inputs and outputs are not used to train Anthropic's foundation models under the Anthropic Commercial Terms in force on the policy effective date. Per Anthropic's stated retention, prompts and outputs are retained for up to 30 days for trust-and-safety review and then deleted, unless we separately enroll in zero-retention. | Anthropic Commercial Terms · Anthropic Privacy Policy · Anthropic Sub-Processor List |
| 4 | Voyage AI Innovations, Inc. (Delaware) | AI | Embedding-model provider for natural-language search (model: voyage-3). Every call is gated by lib/ai/gate.ts — same consent / plan / age-gate / kill-switch (VOYAGE_EMBEDDINGS_DISABLED) as Anthropic. | The structured "contact document" we build from your saved contact — typically the contact's name, current role + organization, tags, AI summaries (or raw notes if no AI summary exists) of up to 20 activities, and the title/description of any life events recorded against the contact. See lib/ai/embeddings.ts buildContactDocument. | United States. | Per Voyage's documented retention, request payloads are not used to train Voyage's models and are retained for up to 30 days for abuse detection, unless we separately enroll in a shorter-retention or zero-retention configuration. | Voyage Terms of Service · Voyage Privacy Policy |
| 5 | Google LLC (Delaware) | C / O | (a) Social login via Google OAuth 2.0. (b) Read-only Contacts / Gmail / Calendar / Tasks sync — only when you connect a Google account, only with *.readonly scopes. (c) Google Analytics 4 for aggregate marketing-site and in-app usage measurement (consent-gated, no ad signals). | (a) Your Google account email, profile name, profile picture URL, OAuth refresh token. (b) Contact list entries you have in Google Contacts; subject/snippet/from/to/date metadata of messages we read; titles/attendees/start-end of events we read. We never store full message bodies; we never send to Google. (c) Page views, anonymized IP, referrer, broad geography; no advertising identifiers. | United States; Google may transfer for processing per its data processing addendum. | (a/b) Tokens until you disconnect. (c) GA4 raw event retention is 2 months (admin-set). | Google Workspace DPA · Google API Services User Data Policy · Google Privacy Policy |
| 6 | Microsoft Corporation (Washington) | C | Social login via Microsoft Identity Platform. Read-only Outlook contacts / Mail / Calendar sync via Microsoft Graph — only when you connect a Microsoft account, only with Mail.Read, Calendars.Read, Contacts.Read, Tasks.Read scopes. | Microsoft account email, profile name, OAuth refresh token; mail/calendar metadata as in row 5 above. No bodies stored; nothing written back. | United States (Microsoft default); enterprise tenants may be in their own region. | Tokens until you disconnect. | Microsoft Online Services DPA · Microsoft Privacy Statement |
| 7 | Stripe, Inc. (Delaware) | O | Subscription billing and the customer portal for paid plans. Webhook-driven profile.plan_tier updates. | Cardholder data is processed by Stripe directly — we never see or store payment-card numbers. We share with Stripe: your account email, your Stripe customer ID, the price you are subscribing to. | United States. | Per Stripe's documented retention for payment-card data. | Stripe DPA · Stripe Privacy Policy |
| 8 | Resend, Inc. (Delaware) | O | Transactional email — currently DSAR identity-verification one-time codes (privacy@kinshiprm.app, 10-minute expiry). We will roll long-form DSAR receipts and account notifications onto Resend before paid GA. | Recipient email address, OTP code, account context line. We do not send raw notes, contacts, or AI output through Resend. | United States (AWS us-east-1 per Resend's published infrastructure). | Send logs retained per Resend's tier (we are on a paid tier; default 30 days for delivery telemetry). | Resend DPA · Resend Privacy Policy |
| 9 | Functional Software, Inc. d/b/a Sentry (California) | O | Application error monitoring (frontend + backend stack traces). Email, name, and IP are stripped from payloads in sentry.client.config.ts:14 and sentry.server.config.ts:12 before transmission. | Redacted stack traces, route name, browser/runtime metadata, request ID, plan tier flag. No identifiable note/contact bodies. | United States. | 30 days on the Sentry free tier. | Sentry DPA · Sentry Privacy Policy |
| 10 | Upstash, Inc. (Delaware) | O | Redis-backed rate-limit and OTP-throttle store. (We may interchangeably use Vercel KV, which is also backed by Upstash.) | Hashed identifiers (IP, email-hash, account ID) and short-lived counters/timestamps. No identifiable user content. | United States (us-east-1). | Counters auto-expire on rolling windows (minutes to hours). | Upstash DPA · Upstash Privacy Policy |
Subprocessors used only by kinshiprm.app marketing site
Listed for completeness; not part of the product data path. Covered today by the invite-phase Privacy Policy §4 table.
| Subprocessor | Role | Data |
|---|---|---|
| Google LLC (GA4) | Aggregate marketing-site measurement | Anonymized IP, page-view events; no ad signals; consent-gated cookies |
| Vercel, Inc. | Hosting the marketing site | Same as row 2 above |
| Sentry | Error monitoring | Same as row 9 above |
Not subprocessors (clarifications)
- Cloudflare, Inc. — used as the DNS provider for
kinshiprm.app. DNS resolution is not personal-data processing in our use; we do not run Cloudflare as a CDN or proxy in front of the app. Not listed as a subprocessor. If we later run Cloudflare (or any other CDN-class vendor) as a CDN or proxy in front of the application, it will be added to this list before that change reaches production. - GitHub, Inc. — source-code host. Application code is processed here; user personal data is not. Not listed as a subprocessor.
- Plane (self-hosted on
plane.s4solutions.ai) — internal issue tracker. No user-facing intake form (/contact?topic=privacy,/legal/data-request, support) auto-files into Plane, and copying user identifying information into Plane for triage is policy-prohibited. Under that condition no customer personal data is stored here, and Plane is not a subprocessor. If that data flow ever changes, Plane will be added to the active list above. - LinkedIn (any LinkedIn-Corp service) — explicitly not a subprocessor. We never call LinkedIn APIs. Per DEC-006, LinkedIn data only enters the system as a CSV the user uploads themselves; the CSV is parsed in the browser and stored in Supabase only.
- Clearbit / Apollo / Proxycurl / Phantombuster / Dux-Soup / Apify — explicitly not subprocessors. No enrichment vendor is wired up in production today.
Roadmap subprocessors (will be added on 30 days' notice before production use)
- Enrichment vendor for the job-change-alert feature — name not locked. This page will be updated and the 30-day notice will start before any production enrichment call is made.
- Long-form transactional email vendor beyond DSAR OTP — likely Resend expansion; if a second vendor is added, it will appear here first.
Notification of changes
We will notify users of changes to this list at least 30 days in advance for any AI subprocessor (per Terms of Service §6) and for any subprocessor that newly receives identifiable contact, note, or life-event data. Notice methods: (a) commit to this page on main, (b) email to all paid-plan account holders, (c) in-product banner on first session after the notice goes out. For lower-impact changes (e.g., rotating the rate-limit Redis provider) we will update this page within 7 days of the change with a changelog entry.
Changelog
- 2026-06-05 — v1.0 public publication. Initial publication of the post-Counsel, founder-accepted full-product Subprocessor List. Supersedes the prior job-change-alerts-scoped page. Source markdown lives on internal issue SSO-2527, revision
3c17fcea.
Questions
Reach us through our privacy contact form or our legal contact form.