Sub-processors
Last updated: 7 July 2026.
TL;DR — These are all the companies that touch personal data on our behalf, what each one receives, and why. Nothing else sees your data. Changes to this list are announced in the changelog before they take effect.
| Sub-processor | Purpose | Personal data they receive |
|---|---|---|
| Have I Been Pwned (Superlative Enterprises Pty Ltd, AU) | Breach lookups | The email addresses you asked us to monitor — as lookup queries, after you verify them |
| Anthropic (US) | Plain-language summaries of policy changes and quarterly-report narratives | Excerpts of public legal documents and aggregated posture facts — never direct identifiers |
| Stripe (Stripe Payments Europe Ltd, IE) | Billing for paid plans | Name, email, payment details — card data lives only at Stripe, never on our servers |
| Email delivery provider | Transactional and notification email | Your email address and the message content (named here before we go live) |
| Hosting provider | Running the platform | All platform data, encrypted at rest (named here before we go live) |
| Slack / Telegram (optional) | Notification channels you connect yourself | The notification messages you opted into |
What "receives" means
Each sub-processor receives only what its function requires, under a data-processing agreement. None of them may use your data for their own purposes. The full internal record — every table we hold, retention clocks, and what survives account deletion (spoiler: almost nothing) — is summarised in our privacy policy and what we store.
Questions
privacy@secbird.io — a human reads it.