Subprocessor List
1 What is a subprocessor
A "subprocessor" is any third-party service that processes personal information on TagAlong's behalf in order to provide the Services. We publish this list so users, regulators, and business counterparties can see exactly who has access to what and why.
2 Material changes
We will post material additions to this list at least 30 days before they take effect. If you object to a new subprocessor and we cannot offer a reasonable alternative, you may terminate your account and request data deletion.
3 Active subprocessors
3.1 Supabase, Inc.
Postgres, Auth, Storage, and Edge Functions. Stores account data, listings, bookings, messages, reviews, identity verification status, and content moderation logs. Data location: United States (AWS us-east-1). Contract: Supabase Data Processing Agreement.
3.2 Stripe, Inc.
Payments, Connect, and Identity. Cardholder data (PCI scope: SAQ A); curator bank details; government ID images; selfie images; tax form data. Data location: United States, with some replication globally per Stripe DPA. Contract: Stripe DPA plus Standard Contractual Clauses for any non-US use.
3.3 Twilio Inc.
SMS one-time codes for phone verification and transactional SMS (booking confirmations if user opts in). Data: phone number and message contents. Data location: United States. Contract: Twilio DPA.
3.4 Expo Application Services
Builds the mobile app and routes push notifications to APNs and FCM. Data: Expo push token and device metadata. Data location: United States. Contract: Expo DPA.
3.5 Apple Push Notification service (APNs)
Delivers iOS push notifications. Data: APNs device token and notification payload. Data location: United States. Contract: Apple Developer Program License Agreement.
3.6 Firebase Cloud Messaging (FCM), Google
Delivers Android push notifications. Data: FCM device token and notification payload. Data location: United States. Contract: Google Cloud Terms and DPA.
3.7 Mapbox or OpenStreetMap Nominatim
Geocoding addresses for listings and map tiles for browse-by-region. Data: listing address strings and user-provided coordinates (not personal location unless user opts into GPS check-in). Data location: Mapbox is US; Nominatim is EU. Contract: Mapbox commercial terms if used, or OSM ODbL.
3.8 Sentry (Functional Software, Inc.)
Error reporting and stack traces. Data: crash payloads, hashed user ID, device and OS metadata, and sampled session replay on web only at under one percent, scrubbed of personal information via Sentry configuration. Data location: United States. Contract: Sentry DPA.
3.9 Checkr, Inc. (if enabled)
Background checks for higher-risk curators. Data: government ID, SSN (Checkr-side only), and criminal history results. Data location: United States. Contract: Checkr Service Agreement plus FCRA-compliant disclosures provided to users.
3.10 OFAC / sanctions screening vendor (to be selected)
Screens new accounts against US and international sanctions lists. Data: name, date of birth, ID number from identity verification. Data location: United States. Contract: pending.
3.11 Sex offender registry screening vendor (to be selected)
Screens verified identities against US registries. Data: name, date of birth, identity verification result. Data location: United States. Contract: pending.
4 Subprocessors used for our own operations
These do not access user data but are listed for transparency:
- GitHub for source code hosting.
- Linear, Notion, or similar for internal project management.
- Slack for internal communication.
- Google Workspace for internal email and documents.
User-support emails sent to support@tagalongnow.com may be processed by Google Workspace; if that creates concerns under your local law, use the in-app support flow instead, which stays inside Supabase.
5 Data retention
Each vendor retains data per its own contract and our configuration. In summary:
- Supabase: retained for the life of the account, plus a soft-delete window of 30 days after account deletion. Backups are retained per Supabase's standard retention (currently 7-day point-in-time recovery).
- Stripe: retained per Stripe's policies and US financial recordkeeping requirements (generally 7 years for tax and AML records).
- Twilio: message contents retained per Twilio's standard retention, typically not persisted beyond delivery. Delivery metadata is retained for about 30 days.
- Sentry: event data retained 90 days; session replays 30 days.
6 International transfers
TagAlong is currently US-only. See Geographic Availability. If you access the Services from outside the United States, your data will be transferred to and processed in the United States.
7 Contact
Questions or objections: privacy@tagalongnow.com.