Subprocessors
Last updated: April 22, 2026
Command Center uses a small number of trusted third-party providers to run the Service. This page lists them, explains what they do, which data they handle, where they process it, and what safeguards apply. Each provider is bound by a written data processing agreement with us and may act only on our documented instructions.
The providers below are subprocessorsunder GDPR (Art. 28), UK GDPR, and Québec Law 25 (s. 18.3), and “service providers” under CCPA/CPRA.
Infrastructure
| Provider | Purpose | Data categories | Processing region | Safeguards |
|---|---|---|---|---|
| Supabase (Supabase, Inc.) | Managed PostgreSQL database, authentication, and file storage | Account data, portfolio, watchlists, session tokens | United States (selected region) / EU optional | DPA + EU SCCs + UK IDTA Addendum; encryption in transit & at rest |
| Vercel (Vercel, Inc.) | Application hosting, edge functions, CDN | Technical data (IP, user-agent), request logs | Global edge (primarily United States) | DPA + EU SCCs; EU–U.S. Data Privacy Framework certification |
| Resend (Resend, Inc.) | Transactional email delivery (receipts, security alerts, password resets) | Email address, message content, delivery metadata | United States | DPA + EU SCCs; delivery logs retained ≤ 30 days |
Payments
| Provider | Purpose | Data categories | Processing region | Safeguards |
|---|---|---|---|---|
| Stripe (Stripe, Inc.) | Subscription billing, payment processing, fraud prevention | Billing email, country, card brand & last four (we never receive full PAN), invoice history | United States / Ireland (EU) | DPA + EU SCCs; PCI-DSS Level 1; EU–U.S. Data Privacy Framework certification |
AI processing
We disclose what we send to our AI provider, and what we do not, in our Privacy Policy §5.
| Provider | Purpose | Data categories | Processing region | Safeguards |
|---|---|---|---|---|
| Anthropic (Anthropic, PBC) | AI-generated market briefings, trade-idea analysis, and commentary (Pro tier) | Tickers, public market data, user prompt. No PII, no account identifiers, no IP address | United States | Commercial DPA; zero-retention option where available; inputs/outputs not used to train models |
Market-data & news providers
These providers supply the public market data and news you see on the Service. They do not receive your personal information — we query them server-side on your behalf.
| Provider | Purpose | Data categories | Processing region | Safeguards |
|---|---|---|---|---|
| Finnhub (Finnhub.io) | Real-time and historical market quotes, fundamentals | No user personal data transmitted; API key + request metadata only | United States | Attribution required; API key authentication |
| EODHD (Financial APIs) | End-of-day historical prices, fundamentals | No user personal data transmitted; API key + request metadata only | European Union | Attribution required; API key authentication |
| Benzinga (Benzinga.com) | Financial news feed and headline sentiment | No user personal data transmitted; API key + request metadata only | United States | Attribution required; licensed content |
| Yahoo Finance (Yahoo / Apollo) | Backup market data source | No user personal data transmitted; public endpoints only | United States | Used as failover when primary providers are unavailable |
| Collectr TCG Price Lookup | Trading card and collectibles index data | No user personal data transmitted | United States | Licensed SDK; request metadata only |
Changes to this list
- We will update this page at least 15 days before adding a new subprocessor that materially changes the processing of your personal information.
- Authenticated users can subscribe to change notifications by emailing privacy@cmdctr.cc.
- If you object to a new subprocessor on reasonable privacy grounds, you may cancel your subscription before the change takes effect.
Questions
Contact our Privacy Officer at privacy@cmdctr.cc for the full DPA list, the specific safeguards in place for any transfer, or a copy of the relevant Standard Contractual Clauses.