Skip to content

Sub-processors

Last updated: 7 July 2026.

TL;DR — These are all the companies that touch personal data on our behalf, what each one receives, and why. Nothing else sees your data. Changes to this list are announced in the changelog before they take effect.

Sub-processorPurposePersonal data they receive
Have I Been Pwned (Superlative Enterprises Pty Ltd, AU)Breach lookupsThe email addresses you asked us to monitor — as lookup queries, after you verify them
Anthropic (US)Plain-language summaries of policy changes and quarterly-report narrativesExcerpts of public legal documents and aggregated posture facts — never direct identifiers
Stripe (Stripe Payments Europe Ltd, IE)Billing for paid plansName, email, payment details — card data lives only at Stripe, never on our servers
Email delivery providerTransactional and notification emailYour email address and the message content (named here before we go live)
Hosting providerRunning the platformAll platform data, encrypted at rest (named here before we go live)
Slack / Telegram (optional)Notification channels you connect yourselfThe notification messages you opted into

What "receives" means

Each sub-processor receives only what its function requires, under a data-processing agreement. None of them may use your data for their own purposes. The full internal record — every table we hold, retention clocks, and what survives account deletion (spoiler: almost nothing) — is summarised in our privacy policy and what we store.

Questions

privacy@secbird.io — a human reads it.