Subprocessor List
Last updated: April 16, 2026
This page lists the third-party "subprocessors" HitScanTCG LLC uses to provide the Service. Each subprocessor is bound by a written data processing agreement and processes personal data only on our instructions. We publish changes here before new subprocessors begin processing personal data, where practicable. The authoritative list is this page; any list in the Privacy Policy may lag briefly.
1. Current Subprocessors
| Subprocessor | Function | Data categories processed | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing for Pro subscriptions; Stripe Connect payouts to Streamers; 1099-K reporting; fraud detection (Radar) | Name, email, payment card details, billing address (Viewers); legal name, tax ID, bank account, payout preferences (Streamers); transaction metadata | United States (primary) |
| Google LLC (Gemini API) | AI card identification via Gemini 2.5 Flash-Lite vision model | Camera frames (ephemeral; not retained by Google per their API terms for paid tier usage) | United States (primary region) |
| Resend, Inc. | Transactional email delivery — account verification, password reset, order confirmations, marketing emails (opt-in) | Email address, message content, delivery metadata | United States |
| Fly Software, Inc. (Fly.io) | Cloud hosting for the HitScanTCG proxy API and SQLite database volume | All data processed by our application (at rest and in memory during processing) | United States (region: iad — Ashburn, VA) |
| Vercel, Inc. | Website and API-route hosting; static asset CDN; Web Analytics (cookieless page-view counts) and Speed Insights (Core Web Vitals) | Request logs, session cookies, IP addresses, anonymized hashed visitor identifier (Web Analytics — no client-side cookie set), aggregated performance metrics | United States (multi-region edge) |
| PostHog Inc. | Product analytics — conversion funnel measurement (signup, checkout, onboarding) and aggregated feature usage | First-party distinct_id cookie + localStorage, page URL, referrer, UTM parameters, event names with non-PII properties; email is associated only after the user voluntarily signs in | United States (US Cloud) |
| Cloudflare, Inc. | DDoS protection, DNS, WAF, bot management, TLS termination at the edge | IP address, request metadata, WAF event logs, bot-scoring signals | Global (edge-distributed; originating region: United States) |
| Functional Software, Inc. d/b/a Sentry | Error monitoring and crash reporting for proxy, scanner, and website | PII-scrubbed stack traces, release identifiers, request IDs, user-agent | United States |
| Backblaze, Inc. | Encrypted off-site database backups via Litestream (continuous replication of the proxy database WAL) | Encrypted snapshots of the proxy database (all customer data, encrypted at rest) | United States |
| Neon, Inc. | Managed PostgreSQL database (planned; replaces SQLite after migration) | All data processed by our application | United States (region: us-east-1) |
| tcgcsv.com | Public TCG pricing data source | No personal data shared; requests are unauthenticated | Public API |
2. Upcoming / Planned Subprocessors
The following subprocessors are planned but not yet in active use. This page will be updated when any is activated.
- TaxJar (Stripe / TaxJar) — sales tax calculation and remittance once activated at economic nexus thresholds.
- UptimeRobot — uptime monitoring. Receives only health-check URLs; no personal data.
3. Notification of Changes
We will update this page when we add or remove a subprocessor. For material changes that affect how your personal data is processed, we will provide at least 14 days’ advance notice through a banner on the Website or by email to registered users, except where a change is urgent for security or legal reasons.
To receive email notifications of subprocessor changes, opt in through your account settings or email privacy@hitscantcg.com.
4. Data Processing Agreements
Each subprocessor operates under a Data Processing Agreement (DPA) or equivalent contractual terms that require it to:
- Process personal data only on our documented instructions.
- Ensure personnel are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures.
- Assist us in responding to data subject rights requests and breach notifications.
- Delete or return personal data after the end of services, where feasible.
- Use approved mechanisms for international data transfers (Standard Contractual Clauses, UK Addendum) where applicable.
5. International Transfers
All subprocessors currently process data in the United States. Personal data transferred from the EEA, UK, or Switzerland to the U.S. is transferred under Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum, with supplementary measures including encryption in transit, encryption at rest, and strict access controls.
6. Contact
- Subprocessor questions or concerns: privacy@hitscantcg.com
- Request a copy of a specific DPA: legal@hitscantcg.com