Sub-processors
The Privacy Policy lists the categories of recipients we share personal data with. This page names every sub-processor we currently use, the data they receive, and where they process it. We keep it up to date as the stack changes.
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Printify | Print-on-demand production and shipping. | Recipient name, shipping address, order items. | USA (SCCs) |
| Stripe | Card payment processing and Connect payouts to creators. | Payment amount, currency, transaction id, buyer email; card data goes directly from the browser to Stripe — we never see it. | Ireland / USA (SCCs) |
| PayPal | Alternative payment processing. | Payment amount, currency, transaction id, buyer email. | Luxembourg / USA (SCCs) |
| Postmark | Transactional email (order confirmations, shipping notifications, password resets). | Recipient email, message content, delivery metadata. | USA (SCCs) |
| Hetzner | Application hosting, database, object storage. | All personal data processed by the service, at rest and in transit. | Germany (EU) |
| Sentry | Server-side error monitoring; scrubbed of PII before transmission. | Stack traces, request path, user id (no email or address). | Germany (EU) |
Adding a new sub-processor
We sign a Data Processing Agreement (DPA) with every sub-processor before sending production data. When we add or replace a sub-processor we update this page and bump the “Last updated” date above.
Questions
For DPA copies or audit-readiness requests, reach us through the Contact page.