Subprocessors

Current subprocessors

We list every third party that processes personal information on our behalf. We do not add new subprocessors without updating this page. If you have a paid plan, material additions will also be communicated by email at least 30 days before they take effect, where reasonably possible.

1. Stripe, Inc.

• Purpose: Payment processing for plan purchases. Stripe is also our system of record for customer billing.
• Data shared: Email address, payment card details (collected and stored by Stripe directly; Layoff HQ does not store card data), billing address, transaction amount, IP address at time of purchase.
• Data location: United States (primary), with replication in additional regions per Stripe's infrastructure.
• Privacy policy: stripe.com/privacy
• Security certifications: PCI DSS Level 1, SOC 1 Type II, SOC 2 Type II, ISO 27001.

2. Resend (Drift Labs, Inc.)

• Purpose: Transactional email delivery (Decision Calendar PDFs, reminders, two-pager workflows, welcome messages, account communications).
• Data shared: Email address, name (where provided), email content including PDF attachments, delivery and engagement metadata.
• Data location: United States.
• Privacy policy: resend.com/legal/privacy-policy
• Security certifications: SOC 2 Type II.

3. Twilio Inc.

• Purpose: SMS reminder delivery (7 days before each deadline and the day of). Only used for customers on paid plans who have provided a mobile number.
• Data shared: Mobile phone number, SMS message content, delivery metadata.
• Data location: United States (primary).
• Privacy policy: twilio.com/legal/privacy
• Security certifications: SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, HIPAA-eligible (with BAA).

4. Airtable, Inc.

• Purpose: Operational database for Decision Calendar submissions, customer records, and the queue that processes calendar generation.
• Data shared: Email address, last day worked, state of residence, age-40-plus boolean, equity-compensation boolean, generated calendar status, plan tier, plan dates.
• Data location: United States.
• Privacy policy: airtable.com/company/privacy-notice
• Security certifications: SOC 2 Type II, ISO 27001, HIPAA-eligible (with BAA on enterprise).

5. Netlify, Inc.

• Purpose: Web hosting, serverless functions (form intake, PDF generation, Stripe webhook handling, scheduled queue processing).
• Data shared: Any data submitted through the website is processed through Netlify's edge and function infrastructure before being stored in our other subprocessors. Netlify itself does not retain submission content beyond operational logs.
• Data location: United States and global CDN edges.
• Privacy policy: netlify.com/privacy
• Security certifications: SOC 2 Type II, ISO 27001.

6. GoDaddy.com, LLC

• Purpose: Domain name registration (layoffhq.com) and DNS hosting.
• Data shared: No customer personal data is shared with GoDaddy. GoDaddy is listed here for transparency about our infrastructure.
• Data location: United States.
• Privacy policy: godaddy.com/legal/agreements/privacy-policy

7. Anthropic, PBC

• Purpose: Claude is used by Layoff HQ operators for internal workflow tasks (drafting templates, reviewing copy, analyzing trends in anonymized data). Customer data is not sent to Claude in any automated capacity.
• Data shared: No automated data flow. Operators may, at their discretion, paste anonymized or aggregated information into Claude for analysis. Customer-identifying information is never shared with Claude.
• Data location: United States.
• Privacy policy: anthropic.com/legal/privacy
• Security certifications: SOC 2 Type II, ISO 27001.

What we do not use

• We do not use third-party analytics platforms (no Google Analytics, no Mixpanel, no Amplitude). The site is operated without behavioral tracking.
• We do not use advertising networks. There are no third-party ad pixels, retargeting tags, or conversion trackers on the site.
• We do not use customer data platforms or data enrichment services. We do not enrich your record with information from third-party sources.
• We do not sell or share information with recruiters, employers, marketing agencies, or data brokers.

Notification of changes

If we add a new subprocessor or replace an existing one, we will update this page. For customers on paid plans, material changes will be communicated by email at least 30 days before the new subprocessor begins processing personal information, where reasonably possible. Time-sensitive operational changes (such as replacing a provider due to a security incident) may take effect more quickly, and will be communicated as soon as practical.

Questions

If you have questions about our subprocessors or want to request additional information about the safeguards we have in place, email legal@layoffhq.com.