Subprocessors
To run FixAEO we rely on the third parties listed below. Each is here because it touches some user-attributable data at runtime. We don't add new subprocessors silently — material additions are reflected here before they go live.
Last updated: 2026-05-25
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Lemon Squeezy | Merchant of Record — payment processing, sales tax / VAT, and recurring billing for Lite subscriptions | Email, billing name + address, card data (handled by Lemon Squeezy / Stripe — we never see card numbers) | USA (Lemon Squeezy, a Stripe company) |
| Cloudflare | CDN, DNS, DDoS protection, edge caching for fixaeo.com | IP address (hashed before logging), request headers, country (for geo-routing) | Global edge network |
| Oracle Cloud Infrastructure | Application server + Postgres database hosting | All authenticated-user data at rest (encrypted disk + DB) | India (Mumbai region) |
| Anthropic | Claude API — produces some of the AI-engine responses we score in scans | Brand prompts (the scan queries) only. No user identifiers attached. | United States |
| OpenAI | ChatGPT API — same role as Anthropic for OpenAI's models | Brand prompts only. No user identifiers attached. | United States |
| Google (AI Studio + Gemini API) | Gemini API — same role as Anthropic for Google's models | Brand prompts only. No user identifiers attached. | United States / Global |
| xAI | Grok API — Grok model coverage for scans | Brand prompts only. No user identifiers attached. | United States |
| DeepSeek | DeepSeek API — DeepSeek model coverage for scans | Brand prompts only. No user identifiers attached. | China |
| SerpAPI | Google AI Overviews coverage (Google's AI Overview can't be queried directly; SerpAPI provides programmatic access) | Brand prompts only. No user identifiers attached. | United States |
| Google Workspace (Gmail SMTP) | Transactional email delivery (magic-link sign-in) | Email address + magic-link URL only | Global (Google datacenters) |
| GitHub | OAuth sign-in (only if you choose to sign in with GitHub) | Your GitHub user ID, email, display name, avatar URL — only sent to us if you authorize | United States |
| Google OAuth | OAuth sign-in (only if you choose to sign in with Google) | Your Google sub (user ID), email, display name, avatar URL — only sent to us if you authorize | Global |
How brand-prompt data flows to LLM providers
When we scan your brand we send each prompt to multiple AI engines as if a real user were asking them. The prompts themselves carry your brand context (e.g. “Best CRM for early-stage startups?”), but we strip user identifiers before the outbound call — the LLM provider sees only the prompt text and our API key. Provider terms differ in whether they retain prompts for training; we've linked each provider's privacy policy above for the authoritative detail.
Changes to this list
We publish a dated change-log line above. If we add a new subprocessor, this page goes live before the production change. If you object to a specific subprocessor and that subprocessor is essential to the service, your only recourse is to delete your account — see Privacy Policy for the right-to-erasure path.
Questions?
Email hello@fixaeo.com — we reply within 24 hours on business days.