the documents you need to sign before the architecture enters your room. all three are drafted, formatted, and downloadable. counsel review is recommended before execution.
the third parties that process customer or participant data on our behalf. we provide thirty days written notice before adding a new sub-processor.
| role | vendor | region |
|---|---|---|
| database | Supabase | US-East |
| hosting | Vercel | US-East |
| authentication | Clerk | US-East |
| payments | Stripe | US |
| transactional email | Resend | US |
| compression engine | Anthropic | US |
| file storage | Supabase Storage | US-East |
we do not sell your data. not to advertisers. not to insurers. not to data brokers. not to governments. not to the highest bidder dressed as a partner. we do not run third-party trackers (no facebook pixel, no standard google analytics) on the consumer surface. we do not train models on private participant text without explicit consent. these are not features. these are refusals written into the architecture.
the consumer-facing privacy policy is at /privacy. it describes what we collect, what we never collect, and how to take it all back.
in the event of a confirmed security incident affecting customer or participant data, we notify the customer primary contact within seventy-two (72) hours of confirmation, in writing, with a summary of scope, affected data, mitigation, and timeline. the full incident response procedure is in the security posture document above.
commercial or security questions during evaluation: calkire@noctaracorp.com.
privacy or data-rights requests: her@noctaracorp.com.