Every company that may process data on SetFlow's behalf.

Vercel Inc. (US). Application hosting, edge network, serverless functions, deploy logs, file storage via Vercel Blob. Receives all HTTP request/response data and uploaded files. <a href="https://vercel.com/legal/privacy-policy">vercel.com/legal/privacy-policy</a>.

Neon (US). Managed PostgreSQL hosting the SetFlow central database (authentication, billing, tenant configuration). Does not host BYODB tenant databases. <a href="https://neon.tech/privacy-policy">neon.tech/privacy-policy</a>.

Cloudflare, Inc. (US). DDoS protection, CDN, bot mitigation at the edge. Receives request metadata. <a href="https://www.cloudflare.com/privacypolicy">cloudflare.com/privacypolicy</a>.

Anthropic PBC (US). Primary AI provider for Tori and study tools. Receives user messages, recent conversation turns, lesson body (truncated), the student's first name, and any memory facts Tori has stored. Per Anthropic's API terms, customer data is not used to train models. <a href="https://www.anthropic.com/legal/privacy">anthropic.com/legal/privacy</a>.

OpenAI, L.L.C. (US). Fallback Tori provider, audio transcription (Whisper), and text-to-speech. Same data types as Anthropic. Per OpenAI API terms, customer data is not used to train models. <a href="https://openai.com/policies/privacy-policy">openai.com/policies/privacy-policy</a>.

Google LLC — Gemini API (US). Optional fallback AI provider. Same data types as Anthropic. Per Google's paid Gemini API terms, customer data is not used to train models. <a href="https://policies.google.com/privacy">policies.google.com/privacy</a>.

ElevenLabs Inc. (US). Optional higher-quality text-to-speech for course audio and Tori voice replies. Receives only system-generated text for audio synthesis. <a href="https://elevenlabs.io/privacy">elevenlabs.io/privacy</a>.

Google LLC (US) — Sign-In with Google. Receives profile information and email address from Google when a user signs in. <a href="https://policies.google.com/privacy">policies.google.com/privacy</a>.

Microsoft Corporation (US) — Sign-In with Microsoft / Azure AD. Same posture as Sign-In with Google. <a href="https://privacy.microsoft.com/en-us/privacystatement">privacy.microsoft.com/en-us/privacystatement</a>.

Clever Inc. (US) — K-12 SSO and rostering. Receives student / educator name, email, role, district ID, school IDs from the school's Clever environment. <a href="https://clever.com/about/privacy-policy">clever.com/about/privacy-policy</a>.

ClassLink Inc. (US) — K-12 SSO and OneRoster. Receives student / educator name, email, role, tenant ID from the school's ClassLink environment. <a href="https://www.classlink.com/privacy">classlink.com/privacy</a>.

Resend (US). Transactional and marketing email delivery. Receives recipient email address, first name, course or project title, and email body content (such as sign-in magic links, parental consent requests, weekly digests, course completion notices). <a href="https://resend.com/legal/privacy-policy">resend.com/legal/privacy-policy</a>.

Support chat (operated by SetFlow). The marketing-site support chat is hosted on our own infrastructure at support.getsetflow.app — not a third-party chat vendor. Conversation messages are encrypted at rest in a SetFlow-controlled database. The AI side uses the same AI providers listed elsewhere on this page; no separate subprocessor receives chat content.

Jitsi / 8x8, Inc. (US). Embedded video calling for live sessions. Receives video and audio streams in real time; SetFlow does not record or persist call content. <a href="https://www.8x8.com/terms-and-conditions/privacy-policy">8x8.com/terms-and-conditions/privacy-policy</a>.

PostHog, Inc. (US). Product analytics on authenticated surfaces. Receives pageview URLs and (after sign-in) the user's ID for product-improvement analytics. Gated by your cookie consent — until you accept, PostHog stores no persistent identifier. <a href="https://posthog.com/privacy">posthog.com/privacy</a>.

Google Analytics 4 (Google LLC, US). Aggregate visitor analytics on our public marketing pages only — not active on authenticated student or educator surfaces. IP addresses are anonymized. Disabled entirely when your browser sends a Do Not Track signal. <a href="https://policies.google.com/privacy">policies.google.com/privacy</a>.

Sentry / Functional Software, Inc. (US). Application error reporting. Receives error messages, stack traces, and the signed-in user's ID (when present) for debugging. <a href="https://sentry.io/privacy">sentry.io/privacy</a>.

Stripe, Inc. (US). Payment processing and subscription billing. Receives the billing email address, customer ID, plan, and payment-method metadata. Full payment-card numbers are never sent to SetFlow servers — they go directly from your browser to Stripe. <a href="https://stripe.com/privacy">stripe.com/privacy</a>.

YouTube Data API (Google LLC, US). Used by Tori's video-finder feature to locate educational videos. Sends the search-query text only; no student name or identifying information is included in the API request. <a href="https://policies.google.com/privacy">policies.google.com/privacy</a>.

Giphy, Inc. (US). GIF search in chat. Sends the search query for GIF results; queries are not linked to user identity. <a href="https://support.giphy.com/hc/en-us/articles/360032872931-Giphy-Privacy-Policy">giphy.com/privacy</a>.

GitHub, Inc. (US). Optional integration. Receives the repository identifiers you choose to connect; SetFlow uses commit metadata for context. <a href="https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement">github.com privacy statement</a>.

OpenStax (Rice University, US). Outbound fetch for freely available textbook chapters when an educator imports them. No SetFlow user data is sent. <a href="https://openstax.org/privacy-policy">openstax.org/privacy-policy</a>.

Open-Meteo (open-meteo.com). Weather context for Tori morning briefings. SetFlow sends an approximate city-level location derived from the user's IP address; no user identifier is sent. <a href="https://open-meteo.com/en/terms">open-meteo.com/en/terms</a>.