Legal · Data Practices

Subprocessor List

Third-party service providers that process personal data on behalf of MyDealRecap and its dealership clients.
Last updated: June 17, 2026

MyDealRecap LLC uses a small number of carefully selected third-party service providers ("subprocessors") to operate our platform. Each subprocessor is bound by a Data Processing Agreement or equivalent contractual terms requiring them to protect personal data and use it only as directed by MyDealRecap. We will provide dealership clients with 30 days' notice before adding any new subprocessor.
Infrastructure & Data
Supabase
supabase.com/privacy ↗
United States
Purpose
Database, authentication, and real-time APIs. Stores all deal records, user accounts, and customer data with row-level security isolation between dealerships.
Data Processed
All Nonpublic Personal Information (NPI): names, VINs, deal terms, F&I products
SOC 2 Type II
Netlify
netlify.com/privacy ↗
United States
Purpose
Site hosting and demo-request form handling. Serves the MyDealRecap web application and customer deal summary pages. (Hosting is transitioning to Cloudflare Pages; both are listed during the transition.)
Data Processed
Request logs, IP addresses, and HTTP metadata. No NPI stored.
SOC 2 Type II
Cloudflare
cloudflare.com/privacypolicy ↗
United States
Purpose
Content delivery network, DDoS protection, TLS termination, and DNS. All traffic between users and the platform passes through Cloudflare's edge network.
Data Processed
IP addresses, request metadata, and encrypted traffic (not decrypted for inspection). No NPI content accessed.
SOC 2 Type II
Communications
Resend
resend.com/legal/privacy-policy ↗
United States
Purpose
Transactional email delivery. Sends deal summary links and service reminders to vehicle purchasers at the direction of dealership clients.
Data Processed
Customer email address, customer name, deal summary link
SOC 2 Type II
Twilio
twilio.com/legal/privacy ↗
United States
Purpose
SMS delivery. Sends the deal summary link by text message to vehicle purchasers who have given consent, at the direction of dealership clients.
Data Processed
Customer mobile number, message content containing the deal summary link
SOC 2 Type II
Billing
Stripe
stripe.com/privacy ↗
United States
Purpose
Payment processing and subscription billing for dealership clients. MyDealRecap does not store full card numbers or bank account details — these are held exclusively by Stripe.
Data Processed
Dealership billing information only. No consumer NPI is shared with Stripe.
PCI-DSS Level 1

Adding New Subprocessors

MyDealRecap will provide dealership clients with at least 30 days' written notice before engaging a new subprocessor that will process personal data. This notice will be sent by email to the primary contact on the dealership's account. Dealership clients who have executed a Data Processing Agreement may object to a new subprocessor within 15 days of receiving notice.

Data Transfers

All subprocessors listed above are headquartered in the United States. MyDealRecap does not intentionally transfer personal data outside the United States. To the extent any subprocessor processes data outside the US, they are required to maintain equivalent protections under applicable data transfer mechanisms.

Questions about our subprocessors?

Contact our data protection team at privacy@mydealrecap.com. Dealership clients may also request a copy of our Data Processing Agreement or Written Information Security Program.