Subprocessors
Effective: May 11, 2026 · Version 1.0
This page lists the third-party service providers ("Subprocessors") that PrepIEP uses to deliver the Service. It is incorporated by reference into our Privacy Policy and is the authoritative version of the list. We update this page whenever we add, remove, or materially change a subprocessor.
Binding "no AI training" commitment. Neither PrepIEP nor any of the subprocessors listed below is permitted by contract or by configuration to use the personal information you upload — including your child's IEP, your prompts, your AI chat history, or your generated outputs — to train, fine-tune, evaluate, distill, or otherwise improve any artificial-intelligence model. This commitment applies to PrepIEP's own development (we do not train models) and flows through to each subprocessor by way of either (a) the subprocessor's standing data-use terms for our service tier, (b) a configuration we have set on our account that disables such use, or (c) a separately negotiated provision — whichever is the strongest mechanism available with that subprocessor. The current mechanism is recorded in the table below.
1. Current subprocessors
1.1 Google Firebase
- Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
- Purpose: User authentication (Firebase Auth, Google Sign-In, Sign in with Apple), document storage (Cloud Storage for Firebase), database (Cloud Firestore), serverless backend (Cloud Functions for Firebase), web and mobile hosting (Firebase Hosting), client integrity (Firebase App Check).
- Data processed: Account credentials, uploaded education records (IEPs, evaluations, related correspondence), extracted structured data, chat history, AI inputs and outputs, billing identifiers, device-and-connection metadata, security and audit logs.
- Region: United States (multi-region in `nam5` for Firestore; `us-central1` for Cloud Functions; `us` for Cloud Storage). No data is intentionally routed outside the United States.
- Encryption: AES-256 at rest; TLS 1.2+ in transit.
- Retention: Per Privacy Policy §7. Documents and extracted data: subscription term + 60 days. Chat history: 90 days. Account metadata: account lifetime + 30 days.
- No-AI-training mechanism: Standing terms — Google Cloud Platform's data-processing terms forbid use of customer data for training Google's models.
- Security certifications: SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, ISO 27701. See Firebase Privacy and Security.
1.2 Google Gemini API
- Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. (Service: Gemini API on the paid tier.)
- Purpose: Large-language-model inference for document extraction, advisor chat, suggested goals, suggested requests, suggested rights questions, and meeting agenda generation.
- Data processed: Document content, prompts, prompt-template wrapping, model responses. Sent over TLS 1.2+ directly to Google's Gemini API endpoints. Persisted on PrepIEP-controlled infrastructure (see §1.1) after the response is returned.
- Region: United States (Gemini API endpoint).
- Retention by Google (the inference provider): Google retains paid-tier API submissions only as needed to provide the service and to comply with abuse, safety, and legal-process obligations (typically up to 24 hours for abuse logging), per the published Gemini API terms.
- No-AI-training mechanism: Standing terms — Google's paid Gemini API tier contractually prohibits use of customer-submitted content to train Google's foundation models. See Gemini API Terms of Service.
1.3 Stripe
- Provider: Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, CA 94080, USA.
- Purpose: Subscription billing for the paid plans, payment-card processing, invoicing, refund issuance, dispute management, customer-portal cancellation flow.
- Data processed: Cardholder name, card number (held by Stripe; never seen by PrepIEP), card brand, last-four card digits, billing postal code, billing email, charge IDs, invoice metadata, subscription state, refund records, dispute records.
- Region: United States.
- Retention: Stripe retains billing records on its own systems independently. PrepIEP retains the non-card billing metadata it receives back from Stripe for 7 years (U.S. tax recordkeeping).
- No-AI-training mechanism: Stripe does not provide an AI service to PrepIEP, so no AI-training risk is in scope. Stripe's own use of payment data is governed by its Privacy Policy and its Data Processing Agreement.
- Security certifications: PCI DSS Level 1, SOC 2 Type II, ISO 27001.
1.4 Resend
- Provider: Resend Inc., 2261 Market Street #4818, San Francisco, CA 94114, USA.
- Purpose: Sending transactional email only — account confirmation, sign-in security alerts, billing receipts, renewal reminders, password-reset, account-deletion confirmation, breach notifications.
- Data processed: Recipient email address, sender display name, message subject and body, delivery and engagement event logs (sent, delivered, bounced, complained).
- Region: United States.
- Retention: Resend retains delivery event logs for up to 30 days for deliverability diagnostics. Message bodies are retained only as long as needed to deliver and to handle bounces.
- No-AI-training mechanism: Resend does not provide an AI service to PrepIEP. Resend's own data use is governed by its Privacy Policy and DPA.
- Use restriction: Marketing email is out of scope; we do not use Resend for newsletters or marketing campaigns.
1.5 Sentry
- Provider: Functional Software, Inc. d/b/a Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA.
- Purpose: Error reporting, crash-trace capture, and unhandled-exception diagnostics across the web app, mobile apps, and serverless backend.
- Data processed: Stack traces, error messages, runtime version, OS version, browser version, anonymized device identifier, breadcrumbs (user-action sequence leading up to the error), anonymized release identifier. PII scrubbing is enabled in the SDK before transmission so that uploaded document text, IEP content, and chat content are not transmitted to Sentry.
- Region: United States.
- Retention: 30 days for full event payloads; 90 days for aggregate counts.
- No-AI-training mechanism: Standing terms — Sentry's DPA prohibits use of customer-submitted data for any purpose other than providing the service.
- Security certifications: SOC 2 Type II, ISO 27001.
1.6 Plausible Analytics
- Provider: Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia.
- Purpose: Cookie-less, aggregate page-view counts on the marketing site (`prepiep.com`) and on the static legal pages (`/privacy`, `/terms`, `/subprocessors`, `/contact`).
- Data processed: Page URL, referrer URL, country derived from IP (then discarded), browser, OS, screen size, timestamp. No persistent identifier; no cookies set; no fingerprint computed.
- Region: European Union (Plausible is hosted in the EU on EU infrastructure).
- Retention: Aggregated counts indefinitely; no per-visitor records retained.
- No-AI-training mechanism: Plausible does not provide an AI service to PrepIEP. Per Plausible's data policy, no personal data is processed; aggregated metrics are not used to train any model.
1.7 PostHog
- Provider: PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA.
- Purpose: Feature-usage event analytics — which pages and buttons are used, in what order, by anonymous user-cohort. Used for product roadmap and onboarding-funnel improvements only.
- Data processed: Event name, page path, anonymized distinct ID, basic device metadata. Path exclusions: The PostHog SDK is configured to not capture events or session replays on screens that contain IEP content — specifically, paths under `/understand`, `/build`, `/goals`, and `/pack`. This FERPA-aware exclusion list is part of our PostHog configuration.
- Region: United States (PostHog Cloud US).
- Retention: 12 months for event data.
- No-AI-training mechanism: Standing terms — PostHog's DPA restricts use of customer data to providing the service.
- Provisioning status: PostHog provisioning is in progress under HC-G4 of the marketing-stack runbook. The script is wired in `web/analytics.js` with a placeholder API key; no production events are sent until the key is finalized and HC-G4 is verified. This page will be updated to remove this note once HC-G4 closes.
2. What we use, but is not a subprocessor
The Service is hosted on Firebase Hosting (§1.1) and is delivered to your browser through Cloudflare's anycast network for static assets. Cloudflare is a transit-only edge provider for our static HTML, CSS, JavaScript, and font assets; it does not store user-uploaded content or persistent personal information on our behalf, so we do not list it as a subprocessor.
The Apple Sign-In and Google Sign-In identity providers are authentication providers. They send PrepIEP a name, email, and stable user identifier when you choose to sign in through them. They are not subprocessors because PrepIEP does not direct them to process data on its behalf — you instruct them to send their identity assertion to PrepIEP. Their handling of your data is governed by their own privacy policies.
3. Notification of changes
We will give at least 30 days' advance notice on this page and via in-app notice before adding a new subprocessor that will process user-uploaded education records or AI-related content. We will give shorter or no advance notice for emergency replacements (for example, replacing a subprocessor whose service is unexpectedly discontinued), but we will document any such emergency replacement here within 7 days after it takes effect.
Removal of a subprocessor (for example, retiring an analytics provider) is announced here at the time the change takes effect.
4. Versioning
This page is versioned in the same way as our Privacy Policy and Terms of Service. Prior versions are archived at prepiep.com/subprocessors/v<previous-version>.
5. Contact
Questions about subprocessors:
- Privacy contact: contact@prepiep.com
- California second-channel contact: contact@prepiep.com