Beautay — Subprocessors
This page lists third-party providers used to deliver the Beautay Platform. In our Data Processing Agreement (“DPA”), a “subprocessor” is a provider that processes Customer Personal Data on Beautay’s behalf to provide, secure, support, maintain or improve the Platform.
This page is intended to identify provider roles at a practical level. It does not provide separate vendor assurance statements beyond the provider roles described below. Some providers may act as independent controllers for certain processing, especially payment, fraud, regulatory or user-account activities.
Subprocessors
| Provider | Service | Typical data involved | Notes |
|---|---|---|---|
| Vercel | Application hosting and deployment | Application data, request metadata, IP address, logs and technical diagnostics | Used to host and operate the Platform. |
| Neon / PostgreSQL | Managed database infrastructure | Customer Data and Customer Personal Data stored in the Platform database | Used as the Platform’s primary database infrastructure. |
| AWS | Storage, encryption and infrastructure services | Uploaded files, images, documents, backups, encryption keys or related metadata where applicable | Used for file storage and supporting infrastructure, including storage/encryption services where configured. |
| Better Auth Infra | Authentication security and abuse-prevention services | Account/security identifiers, email or login metadata, IP address, device/browser data and risk signals | Used to help protect authentication flows and detect suspicious activity. |
| Resend | Email delivery | Recipient email addresses, message content, delivery metadata and bounce/engagement metadata | Used for service emails, account emails, reminders, confirmations and customer-configured communications. |
| Twilio | SMS delivery and SMS webhooks | Recipient phone numbers, message content, delivery status and related metadata | Used for SMS communications configured or triggered through the Platform. |
| Stripe | Payment processing, checkout, connected accounts and billing events | Payment identifiers, checkout references, payment status, customer/payment metadata and connected-account status | Stripe may act as a subprocessor for limited Platform-related payment metadata and as an independent controller for certain payment, fraud, compliance and regulatory processing. |
| Upstash | Rate limiting and abuse prevention | IP addresses, identifiers, request metadata and rate-limit counters | Used to protect the Platform from abuse and excessive automated activity. |
| trigger.dev | Background jobs and workflow execution | Job payloads and operational metadata needed to run scheduled or asynchronous Platform tasks | Used for automations, reminders, maintenance and other background processing. |
| Sentry | Error monitoring and diagnostics | Error details, technical diagnostics, device/browser data, route/context metadata and limited identifiers where included | Used to detect and troubleshoot errors. Beautay aims to avoid sending sensitive content such as health data, form responses, payment details or secrets. |
| Axiom | Logging and observability | Application logs, operational events, technical metadata, security/audit context and limited identifiers where included | Used to monitor service health, investigate issues and support security operations. |
| PostHog | Product analytics | Usage events, page/view metadata, device/browser data and limited account or tenant identifiers where included | Used to understand Platform usage and improve the service. Beautay aims to use limited, non-sensitive analytics data. |
| Cloudflare | DNS, CDN and static website delivery | IP address, request metadata, cached/static content and security metadata | Used for DNS/CDN and delivery of public website pages, including legal pages. |
Optional integrations and providers that may act independently
| Provider | Service | Typical data involved | Role notes |
|---|---|---|---|
| Google Calendar integration | Calendar account metadata, OAuth tokens, appointment details and calendar event metadata | Used only where an authorised user connects Google Calendar. Google may process data under its own terms and privacy notices. | |
| Microsoft | Microsoft Calendar integration | Calendar account metadata, OAuth tokens, appointment details and calendar event metadata | Used only where an authorised user connects Microsoft Calendar. Microsoft may process data under its own terms and privacy notices. |
| Zoom | Video meeting integration | Zoom account metadata, OAuth tokens, meeting details, meeting IDs and join/start links | Used only where an authorised user connects Zoom or configures virtual appointments. Zoom may process data under its own terms and privacy notices. |
| Stripe | Payment processing and connected payment accounts | Payment details, bank/account onboarding details, identity/business verification information, fraud and compliance data | Stripe commonly acts as an independent controller for payment, fraud, regulatory and connected-account processing. |
Supporting technologies
The Platform may also use software libraries, frameworks or runtime tools that do not, by themselves, receive Customer Personal Data as external service providers. Examples include authentication libraries, anti-bot challenge libraries, rendering tools and other application dependencies. These are not listed as subprocessors unless they process Customer Personal Data as an external provider.
Subprocessor change log
| Date | Change |
|---|---|
| 17 May 2026 | Updated provider list and categorisation to reflect the current Platform, including authentication security, monitoring, analytics, optional integrations and payment-provider role notes. |
| 4 February 2026 | Initial published list. |