Sub-processor List

Version: 1.0 Last updated: June 2026 Contact: sean@storycycle.ai

StoryCycle Labs ("StoryCycle") uses the following third-party sub-processors to deliver StoryCycle Genie. Each sub-processor processes customer data only to the extent necessary to provide its service, under terms that impose data-protection obligations consistent with our own commitments.

We will update this list when sub-processors are added or replaced. Customers with a signed DPA will be notified of material changes with an opportunity to object, per the DPA's terms.

Infrastructure & platform

Vercel Inc.

• Purpose: application hosting, CDN, TLS termination
• Data categories: all application traffic (account data, content in transit)
• Processing location: United States (global CDN edge)
• Security reference: vercel.com/security

Supabase Inc.

• Purpose: managed PostgreSQL database, authentication, file storage
• Data categories: account data, credentials (managed auth), customer content, usage records
• Processing location: United States (AWS)
• Security reference: supabase.com/security

AI / content generation

OpenRouter Inc.

• Purpose: LLM inference gateway
• Data categories: user prompts and supplied context, generated outputs
• Processing location: United States
• Security reference: openrouter.ai/privacy

Upstream model providers via OpenRouter — Anthropic, OpenAI, Google, Mistral, and others depending on the model selected

• Purpose: LLM inference
• Data categories: user prompts and supplied context, generated outputs
• Processing location: United States / provider-dependent
• Security reference: per provider

Note on AI processing: prompts and context are transmitted to the model provider selected for a given request solely to generate the requested output. StoryCycle does not use customer content to train models. Model routing can be constrained to a customer-approved provider list where feasible — contact us.

Payments & operations

Stripe, Inc.

• Purpose: payment processing, subscription billing
• Data categories: billing contact details; payment card data is held by Stripe only (PCI-DSS Level 1)
• Processing location: United States
• Security reference: stripe.com/docs/security

Functional Software, Inc. (Sentry)

• Purpose: application error monitoring
• Data categories: error/diagnostic data; PII capture disabled by configuration
• Processing location: United States
• Security reference: sentry.io/security

Change log

• 1.0 — June 2026: initial publication