Sub-Processors
Last Updated: 2026-06-07
This page lists the third-party service providers ("Sub-processors") that Human Beyond LLC ("MainBook", "we", "us", "our") engages to process Customer Personal Data on our behalf in connection with the MainBook service ("Service").
This page is incorporated by reference into our Privacy Policy, Data Processing Agreement, and AI Disclosure. It is the single source of truth for our Sub-processor list; where the Privacy Policy, DPA, or AI Disclosure name specific Sub-processors, those references are illustrative of the list as of the date the relevant document was published and are superseded by this page in the event of any conflict.
We update this page whenever our Sub-processor mix changes. The "Last Updated" date at the top reflects the most recent change.
1. Notice of Changes
1.1 Advance notice. We provide at least thirty (30) days' advance notice before engaging a new Sub-processor that will process Customer Personal Data, by (a) updating this page, (b) sending an email to the address associated with your Account if you have subscribed to Sub-processor email updates (see Section 4), and/or (c) displaying an in-product notification.
1.2 Objection window. If you reasonably object to a new Sub-processor on grounds related to data protection, you may notify us in writing at hello@human-beyond.ai within thirty (30) days of receipt of the notice. The objection and resolution mechanism is set out in Section 5.3 of our Data Processing Agreement.
1.3 Emergency changes. In limited circumstances we may engage a new Sub-processor on shorter notice (for example, if an existing Sub-processor becomes unavailable due to outage, sanction, or other emergency, and a replacement is needed to maintain Service availability). In any such case we will provide notice as soon as reasonably practicable, and the objection mechanism continues to apply.
2. Current Sub-Processors
The following table lists the Sub-processors engaged as of the Last Updated date above. The "Category" column indicates whether the Sub-processor is engaged primarily for (i) Infra (infrastructure, hosting, storage, DNS), (ii) AI (AI / machine-learning processing of your Content), (iii) Comms (transactional communications and internal operator alerts), (iv) Payments (payment processing), (v) Anti-fraud / Security (anti-abuse, error tracking), (vi) Auth (authentication identity providers), (vii) Analytics (web audience measurement), or (viii) Advertising (advertising conversion measurement and pixels).
| # | Sub-processor | Category | Legal entity | Processing location | Function — what they do | Data they may process |
|---|---|---|---|---|---|---|
| 1 | Mistral AI | AI | Mistral AI SAS (France) | European Union (primarily France) | OCR — optical character recognition of uploaded documents, converting the visual content of the PDF into text and layout-aware structured representation | Customer documents (uploaded PDFs) and OCR Output |
| 2 | Google (Gemini API) | AI | Google LLC (United States) | United States | Large-language-model structured extraction — receives the OCR Output and identifies transaction rows, dates, descriptions, amounts, and balances, returning structured data. We access the Gemini API on a paid (billed) basis | OCR Output from Mistral AI; structured Output from the model. We do not transmit your raw uploaded document file directly to Google |
| 3 | Stripe | Payments | Stripe Payments Company (United States) or a Stripe affiliate as set out in the Stripe DPA | United States; data may be processed by Stripe affiliates worldwide | Payment processing for Credit purchases (Stripe-hosted Checkout) | Your email address, IP address, payment-method information (collected directly by Stripe — we do not see your full card number), Credit-package code, payment amount, transaction identifier |
| 4 | Resend | Comms | Plus Five Five, Inc. d/b/a Resend (United States) | United States | Transactional email delivery (account verification, password reset, billing receipts, security notifications, opt-in product updates) | Your email address, content of transactional messages we send to you |
| 5 | DigitalOcean | Infra | DigitalOcean, LLC (United States) | United States (region selected per service) | Application hosting (DigitalOcean App Platform), managed PostgreSQL database, and object storage (DigitalOcean Spaces) for uploaded documents and Output | All Customer Personal Data that we store (encrypted at rest), Account data, payment metadata, audit logs |
| 6 | Vercel | Infra | Vercel, Inc. (United States) | United States; globally distributed edge network | Front-end application hosting and content delivery for our web application (mainbook.ai). Serves the application to your browser; authenticated requests transit Vercel's edge en route to our backend | IP address, user-agent, request metadata, and authentication cookies in transit. We do not route uploaded documents or Output through Vercel — those are sent directly between your browser and our backend / object storage |
| 7 | Sentry | Anti-fraud / Security | Functional Software, Inc. d/b/a Sentry (United States) | United States | Application error and exception tracking (configured to exclude personally identifiable information by default; no session replay; no performance tracing) | Error and exception metadata (stack traces, request paths, error context); minimal user identifiers (typically internal user ID only) |
| 8 | Cloudflare | Anti-fraud / Security | Cloudflare, Inc. (United States) | Globally distributed edge network | Anti-fraud challenges (Turnstile) on signup and guest upload. We engage Cloudflare only for the Turnstile anti-abuse challenge | IP address, user-agent, anti-fraud challenge results; transient network metadata at the edge |
| 9 | GoDaddy | Infra | GoDaddy.com, LLC (United States) | United States | Domain-name registration and authoritative DNS for our domains. Resolves our domain names to network addresses; does not receive application content | DNS query metadata (resolution of our hostnames). Does not process the content of your documents, Output, or Account data |
| 10 | Telegram | Comms | Telegram Messenger Inc. / Telegram FZ-LLC | Routed via Telegram's infrastructure | Internal operator alerts only — we send short notifications to our own operations channel about key events (for example, a new signup, a completed payment, a cost or error alert). This is a one-way, internal, operator-facing channel; it is not a user-facing messaging feature | A minimal event notification that, for signup and payment events, includes your email address and the event type and amount. We do not send your uploaded documents, Output, or password to Telegram |
| 11 | Google (OAuth) | Auth | Google LLC (United States) | United States | Authentication only if you choose to sign in via Google OAuth. We do not transmit Customer documents or Output to Google | Your Google account identifier and authorized profile fields (email, name) if you sign in via Google |
| 12 | Google (Analytics) | Analytics | Google LLC (United States) | United States | Audience analytics via Google Analytics 4 — measures site traffic and product usage. Engaged only where you consent via our cookie banner (Google Consent Mode v2; before consent, measurement is cookieless) | Online identifiers (Google Analytics client ID / cookies), IP address (used by Google only momentarily to derive an approximate, region-level location, then discarded — not logged or stored as a full IP), pages and events viewed, device and browser metadata. We do not send your uploaded documents, Output, account credentials, passwords, or financial amounts as identifiers |
| 13 | Meta (Facebook Pixel) | Advertising | Meta Platforms, Inc. (United States) | United States | Advertising conversion measurement and audience building via the Meta Pixel — engaged only where you consent via our cookie banner (consent revoked until you accept; before consent, nothing fires and no cookie is set) | Online identifiers (the _fbp first-party cookie / _fbc click ID), IP address, page URL and referrer, device and browser metadata. We do not enable Advanced Matching and do not send your uploaded documents, Output, account credentials, passwords, or financial amounts |
3. Sub-Processors Used by Our Sub-Processors
Each of the Sub-processors in Section 2 may engage Sub-processors of its own (sometimes called "sub-sub-processors"). We do not maintain a complete list of these onward Sub-processors. We rely on the contractual obligations between us and our direct Sub-processors (and between them and their own Sub-processors) to ensure that personal data continues to receive protection consistent with applicable Data Protection Laws and the Standard Contractual Clauses incorporated in our DPA.
The sub-sub-processor lists of our direct Sub-processors are publicly available on the following pages (links provided for convenience; the linked pages are maintained by the third parties and may change):
- Mistral AI — sub-processors: see Mistral's legal pages at legal.mistral.ai
- Google (Gemini API, OAuth, and Analytics) — sub-processors: see Google's Cloud Sub-processors; for Google Analytics, see Google Analytics data-sharing and processing
- Meta (Facebook Pixel) — data-processing terms: see Meta's Business Tools Terms and Controller-Processor Data Protection Terms
- Stripe sub-processors / service providers: https://stripe.com/legal/service-providers
- Resend — sub-processors: see Resend's DPA
- DigitalOcean — sub-processors: see DigitalOcean's Data Processing Agreement
- Vercel — sub-processors: see Vercel's Sub-processors list
- Sentry — sub-processors: see Sentry's Sub-Processor List
- Cloudflare — sub-processors: see Cloudflare's Sub-Processor List
- GoDaddy and Telegram are engaged for discrete functions (DNS registration and internal operator alerts, respectively) and we do not maintain onward sub-processor lists for them.
4. Subscribe to Updates
To receive email notice of changes to this Sub-processor list, send a message to hello@human-beyond.ai with the subject "subscribe sub-processor updates" and the email address you would like to receive notices at. You may unsubscribe at any time by replying with "unsubscribe sub-processor updates".
5. Historical Versions
Older versions of this Sub-processor list are retained internally for audit and recordkeeping purposes. If you need the version that was in force on a specific date, please contact us at hello@human-beyond.ai.
6. Contact
For questions about our Sub-processors:
Human Beyond LLC Email: hello@human-beyond.ai