Sub-processor List
VCI Marketplace, operated by Vibe Coding Incubator LLC (Stripe d/b/a "Marketplace VC Inc.")
Effective date: June 1, 2026 Last updated: June 1, 2026
This list identifies the third-party providers that Vibe Coding Incubator LLC engages to deliver VCI Marketplace. It is incorporated by reference into our Privacy Policy and the Seller Agreement. The authoritative, live version is maintained at marketplace.vcinc.ai/legal/subprocessors. We update this page when we add, replace, or remove a sub-processor.
1. How we use sub-processors
Each sub-processor is engaged under a written agreement that requires confidentiality, appropriate security, and the use of personal information only for the purposes we direct. We choose providers that meet baseline security standards (SOC 2 or ISO 27001, or equivalent), publish a Data Processing Agreement, and offer Standard Contractual Clauses or other lawful cross-border transfer mechanisms.
2. Subscribe to updates
To receive an email notification when we add or change a sub-processor, write to privacy@vcinc.ai with the subject "Subprocessor updates" and the email address you would like us to notify. Where contractually required, we will notify subscribers at least 30 days before a new sub-processor begins processing personal information about you, except where law or security require us to move faster.
3. Infrastructure and data storage
- Cloud database, authentication, and file storage provider. Handles user authentication (email and password, and single sign-on), the primary database, and file storage. It processes your email, name, hashed password (held by the authentication service), session tokens, and all application data described in our Privacy Policy. Processing takes place in the United States, under the EU Standard Contractual Clauses and the UK IDTA set out in the provider's Data Processing Agreement, and the EU-US Data Privacy Framework where applicable.
- Cloud hosting, compute, and content-delivery provider. Provides compute for the backend service, image storage and delivery, and secrets management. It processes all service traffic (on a transient basis), seller-uploaded images, and visitor IP addresses at the content-delivery edge. Processing takes place in the United States, under the EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
- Frontend hosting and edge-network provider. Provides the front-end hosting, edge routing, and related serverless functions. It processes inbound web requests, IP addresses, and request metadata. Processing takes place in the United States, under the EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
4. Payments and identity verification
- Payment processor (Stripe). Processes payments on Stripe-hosted checkout pages and records and reconciles refunds and chargebacks. Our legal entity is registered with Stripe as "Marketplace VC Inc." It processes the buyer email and payment information you enter on Stripe Checkout, the transaction amount, and the Stripe identifiers we receive back. Processing takes place in the United States, under the EU Standard Contractual Clauses, the EU-US Data Privacy Framework, and the provider's Binding Corporate Rules.
- Seller payouts and identity verification (Stripe Connect). Handles seller onboarding, identity verification, anti-money-laundering and sanctions screening, and payout processing. Stripe collects and holds seller identity, business name, tax identification number, and bank account information; the Platform does not. Processing takes place in the United States, under the EU Standard Contractual Clauses, the EU-US Data Privacy Framework, and the provider's Binding Corporate Rules.
5. Email delivery
Email delivery provider. Sends transactional email only: purchase confirmations and redemption codes, payout and sale notifications, deal approval and rejection notices, payment-failure and refund notices, email verification, and password resets. The Platform does not send marketing email. It processes the recipient's email address, the deal title, the amount, the redemption code, and verification and reset links; buyer email is masked in seller-facing notifications. Processing takes place in the United States, under the EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
6. Embedded third-party content
Embedded video provider. Serves the demo videos embedded on some seller listings. When you load a page that contains an embedded video (or play it, depending on the embed mode), the video provider receives your IP address and viewing data and may set its own cookies under its own policies; the Platform does not receive this data. The provider processes this information under its own privacy policy and, where applicable, relies on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
7. What we deliberately do NOT use
To make this list as truthful as possible, here is what is explicitly absent from our stack as of the effective date of this list:
- No analytics, telemetry, or product-usage tracking tools.
- No session-replay or behavior-analytics tools.
- No advertising or attribution pixels.
- No third-party helpdesk SaaS in production (support is by email at contact@vcinc.ai).
- No third-party error-monitoring tools that ship browser data.
- No third-party CAPTCHA.
- No marketing-automation, CRM, or list-management tools.
- No third-party font network at runtime (fonts are self-hosted at build time).
If any of these change before the published list is updated, that is a process gap and we will correct it. Treat the live list at marketplace.vcinc.ai/legal/subprocessors as authoritative.
8. Internal tools that may incidentally process personal data
Our staff use a small set of standard business SaaS tools to run the company. These tools may incidentally process limited personal data when our team includes it in support tickets, sales notes, contracts, or internal communications. We maintain agreements with these vendors and use them only for internal operations; they are not "sub-processors" in the strict sense because they do not act on personal data of buyers/sellers as part of the Service, but we list them for transparency:
- Source control and CI/CD provider.
- Productivity and email suite.
- Internal communication tools.
- Project-management and issue-tracking tools.
- Password and secrets management.
9. Change log
A change log of additions, replacements, and removals will be maintained at marketplace.vcinc.ai/legal/subprocessors-changelog. The current list as published here is the initial baseline.