Sub-processors
Every third party that touches your data, and what they do with it
Under GDPR Article 28, we list every sub-processor we use to deliver the service. This page is the data processing agreement (DPA) addendum. It is updated whenever we add or remove a sub-processor; the change is timestamped in the git history at github.com/ranganc007/mayaastro.
For the broader privacy story (what we collect, retention, your rights), see the Privacy Policy. For GDPR data export and erasure, hit /api/data/export and /api/data/delete-me.
Vercel, Inc.
Their DPA →
- Purpose: Web hosting + CDN + serverless function execution
- Data processed: HTTP request metadata (IP, headers, geolocation), response payloads in transit, runtime logs (~30d retention).
- Region: Global edge network with primary US + EU regions
Upstash, Inc.
Their DPA →
- Purpose: Redis cache for rate-limit counters, AI cost tracking, horoscope cache, geocode cache
- Data processed: Short-lived per-IP rate counters, daily aggregate cost totals, daily horoscope JSON, geocoded place names.
- Region: EU (Ireland) primary; US replica
Anthropic PBC
Their DPA →
- Purpose: AI interpretation generation (Claude Haiku 4.5) for horoscopes, tarot, dream, chart, and chatbot routes
- Data processed: User-supplied free-text inputs (questions, dream descriptions), validated structural inputs (zodiac signs, dates). No persistent storage by Anthropic for API users — see their no-training default.
- Region: United States
OpenStreetMap Foundation
Their DPA →
- Purpose: Reverse geocoding via the public Nominatim API
- Data processed: Place-name search strings (e.g., 'Dublin, Ireland') and the requesting IP via standard HTTP headers. Cached on our side for 30 days to minimize upstream traffic.
- Region: EU (UK / Germany)
Sentry, Inc. (Functional Software)
Their DPA →
- Purpose: Error tracking and exception aggregation. Optional — only active when SENTRY_DSN is configured.
- Data processed: Stack traces, request URLs, request IDs, browser/server runtime information. We tag captures with x-request-id but do NOT include user-supplied content.
- Region: United States; EU region available on request
Replicate, Inc.
Their DPA →
- Purpose: Image generation for nakshatra/feature artwork. BUILD-TIME ONLY — no runtime user data flows here.
- Data processed: Prompts authored by the maintainer. No user data ever sent.
- Region: United States
GitHub, Inc.
Their DPA →
- Purpose: Source-code hosting + CI/CD trigger source. Receives no user runtime data.
- Data processed: Source code commits + maintainer's git identity. No user runtime data.
- Region: United States
New sub-processor added? You'll see the change in this page's git history. We don't use a separate notification mailing list — it would defeat the no-account principle.