Supabase
- PURPOSE
- Database, authentication, file storage, Edge Functions
- DATA RECEIVED
- Email, anonymized handle, protocol data (weight, dose, labs, body comp, sleep), avatar image
- REGION
- US (East)
PRIVACY · SUB-PROCESSORS
Who else touches your data.
GDPR Article 28 (and good hygiene) says we list every third-party service that processes your data on our behalf. Updated as services change.
Stripe
- PURPOSE
- Payment processing, subscription billing
- DATA RECEIVED
- Email, payment-method details (handled by Stripe directly — Cohort never sees card numbers), billing address if entered
- REGION
- US
Resend
- PURPOSE
- Transactional email delivery (magic-link, receipts, reset, re-engagement)
- DATA RECEIVED
- Email address, message content
- REGION
- US
Beehiiv
- PURPOSE
- Editorial newsletter (Letters)
- DATA RECEIVED
- Email address, UTM source
- REGION
- US
PostHog
- PURPOSE
- Product analytics (consent-gated — off by default; opt-in via cookie banner)
- DATA RECEIVED
- Anonymized handle (never email), page events, feature usage
- REGION
- US
Sentry
- PURPOSE
- Error monitoring + alerting
- DATA RECEIVED
- Stack traces; PII scrubbed via beforeSend filter (no email, IP, request body, query string)
- REGION
- US
Vercel
- PURPOSE
- Hosting and edge network
- DATA RECEIVED
- IP (request-time only — not retained by Cohort), user agent, request path
- REGION
- Global edge
Twilio
- PURPOSE
- SMS install-link delivery (one-tap "text it to my phone")
- DATA RECEIVED
- Phone number (single message; not stored)
- REGION
- US
Anthropic (Claude API)
- PURPOSE
- Lab PDF extraction (Cohort+ feature)
- DATA RECEIVED
- PDF content of lab report. Anthropic enterprise API does NOT train on data by default.
- REGION
- US
Questions about a specific sub-processor or a data transfer concern? Email privacy@cohort.fit. See also the full privacy policy.