Sub-processors
Last updated: 24 April 2026
A sub-processor is a third party we use to help run Pharos. This page lists every one of them, what they do, and where they're based. We keep this page current so you always know who is involved in processing your data.
If you have a Data Processing Agreement (DPA) with us, we'll notify you at least 30 days before we add a new sub-processor, unless the change is required for security reasons.
Core infrastructure
| Sub-processor | What they do | Location | Privacy policy |
|---|---|---|---|
| Supabase | Managed PostgreSQL database, authentication, file storage | European Union | supabase.com/privacy |
| Vercel | Web hosting and CDN for heypharos.com and app | Global edge | vercel.com/legal/privacy-policy |
| Stripe | Payment processing, subscription billing, tax | USA + EU | stripe.com/privacy |
| Resend | Transactional and onboarding email delivery | USA | resend.com/legal/privacy-policy |
Analytics
| Sub-processor | What they do | Location | Privacy policy |
|---|---|---|---|
| PostHog | Product analytics (feature usage, funnels) | USA / EU | posthog.com/privacy |
| Microsoft Clarity | Session recording and heatmaps | USA | privacy.microsoft.com/privacystatement |
AI platforms (queried on your behalf)
These are the AI platforms Pharos sends prompts to in order to produce your brand-visibility data. Prompts include the brand names and questions you set up in your dashboard.
| Sub-processor | What they do | Location | Privacy policy |
|---|---|---|---|
| OpenAI | ChatGPT prompt → response | USA | openai.com/policies/privacy-policy |
| Anthropic | Claude prompt → response | USA | anthropic.com/legal/privacy |
| Gemini + AI Overviews | USA + EU | policies.google.com/privacy | |
| Perplexity | Perplexity prompt → response | USA | perplexity.ai/hub/legal/privacy-policy |
Where possible, we send API traffic through zero-retention / no-training endpoints so your prompts aren't used to train the providers' models. If you have a specific compliance requirement, email privacy@heypharos.com.
International transfers
Several of our sub-processors are in the United States. We rely on:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA.
- UK International Data Transfer Addendum for transfers from the UK.
- Swiss data protection framework for transfers from Switzerland.
Change notifications
Enterprise customers with a signed DPA: we'll email your designated privacy contact at least 30 days before any new sub-processor is added, unless the addition is required to respond to a security incident.
Everyone else: this page is the authoritative list. Watch the "Last updated" date.
Contact
Questions: privacy@heypharos.com.
Adapted from Basecamp's open-source policies (CC BY 4.0).