Third Party Sub-Processors
Last Updated: December 24, 2024
At Cometly, we prioritize transparency regarding the third-party companies (“Sub-Processors”) we engage to process personal data on behalf of our customers. This Third-Party Sub-Processor List provides detailed information about each Sub-Processor, including their location and the purpose of their engagement. Each Sub-Processor is bound by written agreements that mandate data protection, confidentiality, and security measures no less stringent than those committed to by Cometly in our Data Processing Addendum (DPA). If you have any questions or concerns about our Sub-Processors, please contact us at privacy@cometly.com.
Table of Contents
- Infrastructure & Hosting
- Communication & Support
- Analytics & Attribution
- Payments & Financial
- Development & Internal Tooling
- Documentation & Contract Tools
- Miscellaneous
- Sub-Processor Updates
- Additional Notes
- Data Processing Addendum (DPA)
- Contact Us
1. Infrastructure & Hosting
| Sub-Processor | Location | Purpose / Description |
|---|---|---|
| Amazon Web Services (AWS) | USA | We use AWS for secure hosting of our platform, databases, and backups. Customer data (including personal data) may be stored in AWS data centers. AWS Privacy |
| SingleStore | USA | SingleStore is a cloud-based database solution used for fast data processing and analytics within the Cometly platform. Ensures data integrity and performance. SingleStore Privacy |
2. Communication & Support
| Sub-Processor | Location | Purpose / Description |
|---|---|---|
| Intercom | USA | Provides customer support messaging, in-app chat, and user engagement services. Processes names, emails, and chat content. Intercom Privacy |
| HubSpot | USA | Utilized for marketing and lead management. Stores prospect and customer contact details (e.g., names, emails, phone numbers) for communication and marketing automation. HubSpot Privacy |
| Twilio (SendGrid) | USA | Facilitates email and call tracking services, including system notifications, password resets, and other communications. Processes names, emails, and phone numbers. Twilio Privacy |
| Slack | USA | Internal communication tool for Cometly’s team. Minimal personal data (e.g., user ID or email) may be referenced during support escalations. Slack Privacy |
| Zoom | USA | Used for video conferencing and support calls with customers. Handles names, email addresses, and any personal data shared during calls. Zoom Privacy |
| Klaviyo | USA | Sends marketing emails and/or text messages. Stores names, email addresses, and phone numbers for campaign management. Klaviyo Privacy |
3. Analytics & Attribution
| Sub-Processor | Location | Purpose / Description |
|---|---|---|
| Google Ads | USA | Integration allows Cometly to send or retrieve ad performance data for attribution and optimization. Processes hashed identifiers, ad campaign data, etc. Google Ads Privacy |
| Meta Ads (Facebook) | USA | Integration with Facebook/Meta Ads platform for attribution data. Potentially includes hashed emails, IP addresses, click IDs, and location data. Meta Privacy |
| TikTok Ads | USA | Used to attribute TikTok ad interactions and share limited event data. TikTok Privacy |
| LinkedIn Ads | USA | LinkedIn Ads integration for conversion tracking and attribution. LinkedIn Privacy |
| Zapier | USA | Automation platform that can pass data (like form submissions, leads) between Cometly and other apps based on user configuration. Zapier Privacy |
| June | USA | Product usage analytics tool that helps analyze user interactions with Cometly’s dashboard. Typically involves anonymized or pseudonymized usage data. June Privacy |
| Survicate | USA | Collects feedback and survey responses from users or customers. May contain names/emails if users opt in. Survicate Privacy |
| OpenAI | USA | Occasionally engaged for AI-assisted source detection. Minimal technical data (e.g., truncated IP, device info) may be shared; no direct personal identifiers. OpenAI Privacy |
| xAI | USA | If a user engages with the AI Chat feature, anonymized ad and conversion data may be submitted to xAI to generate marketing insights and recommendations. This includes campaign performance data, event types, and conversion metrics—never personal information such as names, emails, or any user-identifying details. Data is used solely to power AI-driven responses. xAI Privacy |
| Anthropic | USA | Ad and conversion data may be shared with Anthropic only when a user interacts with the AI Chat feature. The data is strictly limited to anonymized campaign and conversion performance details, and does not include any personal identifiers. This allows the AI to provide relevant insights while maintaining full user privacy. Anthropic Privacy |
4. Payments & Financial
| Sub-Processor | Location | Purpose / Description |
|---|---|---|
| Stripe | USA | Payment processing services for subscription billing. Stripe may store billing information (credit card numbers, billing addresses), while Cometly only sees minimal info (e.g., last four digits, status). Stripe Privacy |
| FirstPromoter | USA | Tracks affiliate and referral commissions. Stores affiliate account data (name, email, payout information). FirstPromoter Privacy |
5. Development & Internal Tooling
| Sub-Processor | Location | Purpose / Description |
|---|---|---|
| GitHub | USA | Code repository for our software development. Occasionally minimal user info (e.g., reference IDs) may appear in logs or commit messages, but we aim to exclude personal data. GitHub Privacy |
| Webflow | USA | Website development platform used for hosting front-end marketing pages. May process minimal contact form data if used for certain pages. Webflow Privacy |
| CloudFlare | USA | DNS and content delivery network (CDN) that helps secure and accelerate our website. May process IP addresses and basic logs. CloudFlare Privacy |
| ClickFunnels | USA | Used for certain landing pages or funnels. May process lead data (names, emails, etc.) on sign-up pages. ClickFunnels Privacy |
| Linear | USA | Project management tool for internal issue/task tracking. Occasionally may see user IDs or emails in bug reports, but not intended for storing personal data. Linear Privacy |
6. Documentation & Contract Tools
| Sub-Processor | Location | Purpose / Description |
|---|---|---|
| PandaDoc | USA | For sending and signing contracts electronically (e.g., NDAs, custom deals). Processes names, emails, and contract details. PandaDoc Privacy |
| ChurnKey | USA | Churn prevention software used to manage and analyze cancellations or retention. May process user email, subscription ID, or reason for cancellation. ChurnKey Privacy |
7. Miscellaneous
| Sub-Processor | Location | Purpose / Description |
|---|---|---|
| Google Workspace | USA | Cometly’s corporate email and productivity suite. Internal emails and document collaboration may include user details if relevant to support or account management. Google Workspace Privacy |
8. Sub-Processor Updates
We may engage new Sub-Processors or replace existing ones as we grow. When doing so, we will provide at least 30 days advance notice to customers via email or through your account dashboard before any new Sub-Processor begins processing data. This notification period aligns with our Privacy Policy and End User License Agreement (EULA).
Customer Rights:
- Objection: Customers may object to the use of a new Sub-Processor by terminating their subscription in accordance with Section 9.3 Termination by Customer of our EULA.
- No Service Disruption: Termination due to objection will not affect your ability to use other services provided by Cometly.
9. Additional Notes
- Data Minimization: We strive to minimize the amount of personal data shared with each Sub-Processor, ensuring only necessary data is processed to fulfill the intended purpose.
- Security & Compliance: Each Sub-Processor is thoroughly vetted for security and privacy compliance, and must adhere to contractual commitments regarding data protection, including GDPR, CCPA, and other relevant regulations.
- Data Processing Agreements (DPAs): All Sub-Processors are required to sign a DPA, which outlines their obligations to protect personal data and comply with applicable data protection laws.
- International Data Transfers: Where Sub-Processors are located outside the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure that data transfers are conducted in accordance with GDPR requirements, utilizing mechanisms such as Standard Contractual Clauses (SCCs).
10. Data Processing Addendum (DPA)
For business customers subject to GDPR, UK GDPR, or similar laws, we offer a Data Processing Addendum (DPA) that outlines our obligations as a processor, including sub-processor disclosures, data breach notifications, and more. If you need a DPA, please contact us at privacy@cometly.com.
11. Contact Us
If you have any questions or concerns about our Sub-Processors, please contact us at:
Comet LLC (d/b/a Cometly)41 University Drive, Suite 400
Newtown, Pennsylvania 18940
United States