Sub-processors
Last updated: May 10, 2026
GenZHook uses the following sub-processors to deliver the Service. Each sub-processor is bound by a written agreement incorporating the data-protection obligations of our Data Processing Addendum, including GDPR Art. 28 requirements and (where relevant) Standard Contractual Clauses 2021/914 and the UK IDTA.
| Sub-processor | Purpose | Hosting region | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Postgres database, auth, encrypted token storage | United States (AWS us-east-1) / Singapore (AWS ap-southeast-1) for India-region data | SCCs (Module Two) |
| Upstash, Inc. | Redis rate-limiting, QStash job queue, output cache | United States (AWS us-east-1) / Frankfurt (AWS eu-central-1) | SCCs (Module Two) |
| Razorpay Software Pvt. Ltd. | Primary payment processor — global cards, UPI, NetBanking, recurring subscriptions, invoicing, GST tax-add | India (RBI-licensed) with global card-network fallback | DPDP-Act-2023 compliant + SCCs for cross-border; PCI-DSS Level 1 |
| Stripe, Inc. | Secondary payment processor (currently disabled / fallback only) | United States / EU / UK | SCCs + UK IDTA; PCI-DSS Level 1 |
| Resend, Inc. | Transactional email delivery (sign-up, password-reset, approval-link, receipts) | United States / EU | SCCs (Module Two) |
| Google LLC (Gemini API) | LLM + image generation under no-training enterprise terms — see /ai-training | United States / EU | SCCs (Module Two) |
| Hugging Face, Inc. | Inference API for auxiliary models (image, embedding) under no-training terms | United States / EU | SCCs (Module Two) |
| fal.ai, Inc. | Inference API for video / advanced image generation (when configured) | United States / EU | SCCs (Module Two) |
| Sentry (Functional Software, Inc.) | Error monitoring (scrubbed, no PII) | United States / EU | SCCs (Module Two) |
| Cloudflare, Inc. | DNS, DDoS mitigation, WAF, CDN | Global edge network | SCCs (Module Two) |
| Hostinger International Ltd. | Application hosting (Coolify on KVM 2) | European Union (Lithuania) | EU/EEA data — no transfer mechanism required for EU residents; SCCs for non-EU residents |
Change notifications
We will update this page before engaging any new sub-processor with access to personal data. Enterprise customers subscribed to sub-processor notifications at privacy@cvjinny.com receive at least 30 days advance notice and may object on reasonable data-protection grounds.
Owner's Reservation of Rights
The Owner reserves the absolute, exclusive, and unfettered discretion, with or without prior notice and without liability, to: (a) add, change, replace, or remove any sub-processor, AI provider, payment processor, hosting region, or vendor; (b) introduce, restructure, withdraw, suspend, or discontinue any feature, plan, integration, price, fee, FX rate, credit weight, quota, discount, coupon, reward, or facility — partially or fully; (c) pass through any sub-processor, AI-provider, infrastructure, payment, or third-party cost increase to invoices or credit weights, immediately or with delay, with no obligation to pass through cost decreases; and (d) modify or replace this Sub-processors page, the DPA, or any related policy at any time with effect upon posting (subject only to legally-required minimum notice). The Owner's Universal Reservation of Rights — Terms of Service section 1.1, the Authorized-Use License in section 1.2, the Benefits Reservation in section 1.3, the Dynamic Pricing & FX clause in section 1.4, and the Comprehensive Owner Protections in section 18 — are incorporated into this page in full. No sub-processor change, AI-provider change, region change, or vendor change gives rise to any refund, credit-back, pro-rated reimbursement, alternative compensation, SLA payout, or service credit of any kind; the No-Refund Policy applies in full and is incorporated by reference. The right to object to a sub-processor change is limited to enterprise customers under written DPA and on reasonable data-protection grounds; commercial objections (e.g., preference for a different vendor) are not a basis for refund, set-off, or termination outside the standard cancellation mechanics (which themselves do not entitle the user to any refund).
Connected social-media platforms — independent controllers, not sub-processors
The platforms you choose to connect via OAuth (or equivalent) are independent data controllers with respect to the content you publish through their APIs. They are not sub-processors of GenZHook for that content — their own privacy terms govern what they do with content you post. GenZHook's role is to (i) authenticate you on the platform via the platform's standard auth flow, (ii) publish content you have explicitly approved, (iii) read back public engagement metrics on those posts, and (iv) revoke access on your request.
The full list of OAuth (and equivalent) providers, what we use them for, and how to revoke access, is below. For the per-platform compliance disclosures (Meta Limited Use, Google API Services User Data Policy, X Developer Agreement, etc.) see Privacy Policy section 5b–5j.
| Provider | Platforms | Role | How to revoke |
|---|---|---|---|
| Meta Platforms, Inc. | Facebook, Instagram, WhatsApp, Threads | OAuth identity provider + content-publishing API | /api/platforms/meta/data-deletion-callback |
| Google LLC | YouTube, Google Business Profile, Google Identity (Sign-in with Google) | OAuth identity provider + content-publishing API | myaccount.google.com/permissions |
| X Corp. | X / Twitter | OAuth identity provider + content-publishing API | User Settings → Apps and sessions |
| LinkedIn Corporation | LinkedIn (member + Pages) | OAuth identity provider + content-publishing API | Settings → Data privacy → Permitted services |
| TikTok Pte. Ltd. | TikTok (Login Kit + Content Posting API) | OAuth identity provider + content-publishing API | Settings → Manage app permissions |
| Snap Inc. | Snapchat (Snap Kit — Login + Creative) | OAuth identity provider + content-publishing API | Settings → Connected Apps |
| Pinterest, Inc. | OAuth identity provider + Pin-publishing API | Settings → Apps | |
| Reddit, Inc. | OAuth identity provider + submit API | User Settings → Manage third-party apps | |
| Telegram FZ-LLC | Telegram (bot tokens, channels) | Bot API publishing | Block / remove the bot |
| Discord Inc. | Discord (webhooks, channels) | Webhook publishing | Server / channel webhook delete |
| Bluesky Social, PBC | Bluesky (AT Protocol) | App-password publishing | Account → App Passwords → Revoke |
| Tumblr (Automattic Inc.) | Tumblr | OAuth identity provider + post API | Settings → Apps |
| Mastodon gGmbH (per instance) | Mastodon (federated) | OAuth identity provider + status API | Per-instance Authorized apps |
| LINE Corporation | LINE Official Account / Messaging API | OAuth + Messaging API | LINE Developer Console → revoke channel access token |
| Kakao Corp. | KakaoTalk Channel | OAuth identity provider + channel broadcast API | Account → Connected Services → Disconnect |
| VNG Corporation | Zalo OA (Vietnam) | OAuth + OA broadcast API | Disconnect via Zalo Developer Portal |
| Mohalla Tech Pvt. Ltd. | ShareChat + Moj (shared OAuth) | OAuth identity provider + content publishing API | Each platform's settings → Connected Apps |
| Kwai Inc. International | Kwai (Brazil + Latam) | OAuth identity provider + content publishing API (Open Platform) | Kwai app → Settings → Connected apps |
For platforms where the owner has not yet completed developer-account approval, GenZHook produces correctly-shaped captions and media on your behalf for manual cross-posting from the GenZHook download / copy interface. The destination platform's privacy terms apply to anything you publish there. ShareChat and Moj share a single Mohalla Tech OAuth credential pair; every other listed provider has its own.
AI providers — explicit no-training contracts
Google Gemini API and Hugging Face Inference are configured under each provider's no-training enterprise terms — your prompts, uploaded media, and generated outputs are never used by these providers (or by GenZHook) to train, fine-tune, or evaluate foundation models. The full list and per-provider guarantees live at /ai-training.