Koydo SubProcessors
Version: 2026-05-09
Effective Date: 2026-05-09
Authoritative Privacy Policy: /legal/privacy-policy §7

This page lists Koydo's direct processors and their material sub-processors. The Privacy Policy table at §7 is the authoritative description of what each processor does and what data it touches; this page adds the additional layer of who they use to do it.
Subscribe to changes. To receive email notice of additions or replacements at least 30 calendar days before they take effect, send a subscription request to privacy@koydo.app with subject "Subprocessor Subscribe." You may object to a new sub-processor within the 30-day notice window; Koydo will work in good faith to address reasonable objections, including by offering an alternative arrangement where feasible.
Plain-language summary
Koydo uses service providers only to operate the service, under contractual limits, and not for third-party advertising.
1. Direct Processors and SubProcessors
| Direct Processor | Function | Material Sub-Processors | Processing Location | Child Data? |
|---|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage, row-level security | Amazon Web Services (US-East infrastructure) | United States (us-east region) | Yes — under DPA + ZDR for AI flows |
| OpenAI, L.L.C. | AI tutoring, content generation, moderation, voice transcription | Microsoft Azure (compute and inference); OpenAI Ireland Limited (EEA-facing data flows) | United States (primary); Ireland for EEA data | Yes — DPA executed 2026-03-19 (v.010126), ZDR enabled |
| Anthropic, PBC | Alternate AI tutoring model (Claude family) | Amazon Web Services; Google Cloud Platform | United States | Yes — DPA pending; ZDR enabled in interim |
| Google LLC (Gemini API / Vertex AI) | Alternate AI tutoring model | Google Cloud Platform infrastructure | United States | Yes — DPA pending; ZDR enabled in interim |
| ElevenLabs, Inc. | Audio asset pre-generation only — server-side text-to-speech rendering of Koydo-authored scripts; static audio files baked into product. No live AI traffic; no User personal data sent. | Amazon Web Services | United States | No — content tooling, not a User-data processor |
| fal.ai | AI image generation for adult-facing creative surfaces | AWS-based inference infrastructure | United States | Limited — text prompts only; under-13 access requires AI disclosure consent |
| Stripe, Inc. | Payment processing for adult subscriptions | AWS; payment-network providers (Visa, Mastercard, etc.) per Stripe's published list | United States, with global card-network routing | No — adult accounts only |
| RevenueCat, Inc. | Mobile subscription management (iOS, Android) | AWS; Apple StoreKit; Google Play Billing | United States | No — adult accounts only |
| Vercel, Inc. | Web hosting, edge runtime, web performance analytics | Amazon Web Services; Cloudflare (edge cache and DDoS protection) | United States; global edge | No — Vercel Analytics blocked by code for all users under 18 |
| Mixpanel, Inc. | Product analytics (consented or settings-toggled) | Google Cloud Platform | United States | No — Mixpanel blocked by code for all users under 18 |
| Sentry (Functional Software, Inc.) | Error monitoring and crash reporting | Google Cloud Platform | United States | Limited — error logs only; PII auto-scrubbed for child accounts |
| Google Workspace | Business email infrastructure (admin@, privacy@, legal@, etc.); Gmail API for vendor correspondence | Google LLC global infrastructure | Multi-region | Limited — admin correspondence only; no User content |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, bot management | Cloudflare global edge | Global edge (no User personal data persisted) | Yes — incidental network metadata only |
| Daily.co | Real-time video for Study Rooms (peer-to-peer Focus Cam) | AWS infrastructure | United States | Limited — under-13 blocked from Focus Cam; no recordings stored |
2. Excluded / Not Used
The following providers have been evaluated and excluded for child-serving Koydo products:

| Provider | Reason for exclusion |
|---|---|
| xAI / Grok | Regulatory and content-safety risk for a child-serving platform; not used; do not re-enable |
| Meta Platforms (Facebook SDK, Pixel, etc.) | Advertising and behavioral-tracking infrastructure inconsistent with Koydo's no-advertising posture |
| TikTok Pixel / TikTok APIs | Same as above |
| Google Ads / DoubleClick | Same as above |
3. DPA Status Snapshot
| Processor | DPA Status | Last Verified |
|---|---|---|
| Supabase | Signed | 2026-04-15 |
| OpenAI | Signed (v.010126, 2026-03-19, by Robert Waltos as CEO of Koydo LLC) | 2026-04-15 |
| Anthropic | Pending — letter drafted at docs/compliance/vendor-letters/01-anthropic.md | 2026-04-15 |
| Google (Gemini) | Pending — letter drafted at docs/compliance/vendor-letters/02-google-ai.md | 2026-04-15 |
| ElevenLabs | Pending — best-practice only (no User data flows; pre-gen content tooling) | 2026-04-15 |
| Stripe | Signed | 2026-04-15 |
| RevenueCat | Signed | 2026-04-15 |
| Vercel | Signed | 2026-04-15 |
| Mixpanel | Signed | 2026-04-15 |
| Sentry | Signed | 2026-04-15 |
The full vendor-correspondence audit trail is maintained internally on Supabase project osnxbuusohdzzcrakavn, table vendor_privacy_requests, with WORM event log and SHA-256 body snapshot for every outbound letter (see wiki/compliance/vendor-privacy-correspondence-tracker.md for the system architecture).
Sub-processor list v2026-05-09 — Effective May 9, 2026 — koydo.app/legal/subprocessors