Back

Sub-Processors & Data Processing

Last Updated: March 9, 2026

Version: 1.0

Service: Burnish Pro PWA

This document lists all third-party services that process your personal data and designs on our behalf.

Core Infrastructure

Supabase (PostgreSQL Database)

  • Location: United States (AWS US-East-1)
  • Purpose: Store account data, designs, runs, 3D queue status
  • Data Shared: Email, name, all design parameters, generated images, usage logs
  • DPA: Supabase Data Processing Agreement
  • Encryption: AES-256 at rest, TLS 1.2+ in transit
  • Retention: Until account deletion + 30-day recovery window; backups retained 30 days

Stripe (Payment Processing)

  • Location: United States
  • Purpose: Process payments and manage billing
  • Data Shared: Email, name, payment method (tokenized)
  • DPA: Stripe Data Processing Agreement
  • Retention: Per Stripe's 7-year transaction retention policy
  • PCI Compliance: Stripe is PCI-DSS Level 1 certified
  • Note: Credit card details never stored by Burnish Pro

AI & Image Generation

Google Gemini 2.5 Flash & 3 Pro Image

  • Location: United States (Google Cloud)
  • Purpose: Generate jewelry designs from prompts and images
  • Data Shared: Jewelry design prompts, parameters, design images (for variants)
  • DPA: Google Cloud DPA
  • Retention: Prompts/images deleted after generation completes (not stored by Google)
  • Model Training: Your designs are NOT used to train models
  • Safety: Implements SafetyAttributes filtering for inappropriate content

OpenAI GPT-Image-1 & Moderation API

  • Location: United States
  • Purpose: Generate premium quality designs; check designs for policy violations
  • Data Shared: Design prompts (moderation) and generation parameters
  • DPA: OpenAI Data Processing Agreement
  • Retention: Prompts deleted after 30 days per OpenAI policy (not retained by default)
  • Model Training: Your designs are NOT used for model improvement (unless you explicitly opt-in)
  • Moderation: Prompts checked for policy violations before generation

3D Model Generation

Meshy API

  • Location: United States
  • Purpose: Convert jewelry images into 3D mesh models (GLB, OBJ, FBX, USDZ)
  • Data Shared: Design images, model format preferences, generation parameters
  • Terms: Meshy Terms of Service
  • DPA Status: No separate DPA available from Meshy. Data shared is limited to design images for 3D conversion. We rely on their Terms of Service and standard security practices as contractual safeguards.
  • Retention: Models stored for 30 days; available for download indefinitely
  • Quality Levels: Standard (single image) and Premium (multi-angle)
  • Formats Supported: GLB (recommended), OBJ, FBX, USDZ

Infrastructure Services

Upstash (Redis)

  • Location: United States
  • Purpose: API rate limiting and CSRF token storage
  • Data Shared: Request metadata, IP addresses, rate limit counters
  • DPA: Upstash Data Processing Agreement
  • Retention: Rate limit data expires automatically (short-lived TTLs)
  • Note: No design data or personal content is stored in Redis

Inngest (Background Processing)

  • Location: United States
  • Purpose: Orchestrate background jobs (batch generation, queue processing)
  • Data Shared: Job IDs, generation parameters, status callbacks
  • DPA: Inngest Privacy Policy
  • Retention: Job metadata retained for 7 days for debugging
  • Note: Inngest does not store generated images or design content

Analytics & Monitoring (Optional)

Sentry (Error Tracking)

  • Location: United States
  • Purpose: Track errors and crashes (OPTIONAL - disabled by default)
  • Data Shared: Error messages, stack traces, device info (NO sensitive data)
  • DPA: Sentry Data Processing Agreement
  • Opt-out: Disabled by default; enable only in Settings if desired
  • Retention: 30-90 days (configurable)

PostHog (Usage Analytics)

  • Location: United States
  • Purpose: Understand user behavior and improve Service (OPTIONAL - disabled by default)
  • Data Shared: Feature usage, session duration, design generation stats
  • DPA: PostHog Privacy Policy
  • Opt-out: Disabled by default; enable only in Settings if desired
  • Retention: 12 months

Communications (Optional)

Email Service Provider (TBD)

  • Purpose: Send transactional emails (generation status, account alerts)
  • Status: To be determined; will use provider with GDPR/CCPA compliance
  • Data Shared: Email address only
  • Will Update: When selected

Summary Table

Service Type Location Encryption DPA Optional
Supabase Database US Yes (AES-256) Yes No
Stripe Payments US Yes (TLS) Yes No
Google Gemini AI Generation US Yes (TLS) Yes No
OpenAI AI Generation US Yes (TLS) Yes No
Meshy API 3D Generation US Yes (TLS) TOS only No
Upstash Rate Limiting US Yes (TLS) Yes No
Inngest Job Processing US Yes (TLS) Yes No
Sentry Monitoring US Yes Yes Yes
PostHog Analytics US Yes Yes Yes

Your Rights

You have the right to:

  • Access: Know which processors handle your data
  • Withdrawal: Stop using the Service and request data deletion
  • Objection: Opt-out of optional processors (Sentry, PostHog)
  • Portability: Request your data in a standard format

For questions about sub-processors, contact:

Email: Ryan@RyanB.NYC

Changes to Sub-processors

If we add a new processor, we will:

1. Notify you 30 days in advance

2. Provide details about the processor and data shared

3. Allow you to object or request data deletion

How to object:

Email Ryan@RyanB.NYC with your objection within 30 days.