This document lists every third-party service provider that Toutmark shares customer data with. These are our "subprocessors" under GDPR/UK-GDPR terminology and "service providers" under CCPA.
Last Updated: May 31, 2026. Toutmark will notify customers at least 30 days in advance before adding a new subprocessor, and will provide an opportunity to object.
LLM & AI Services
Purpose: Content generation, rewriting, analysis
Data Shared: Website content, brand guidelines, rewrite prompts, chat inputs
Legal Entity: Anthropic PBC
Privacy Policy: anthropic.com/privacy
Purpose: Fallback LLM, brand-model routing
Data Shared: Website content, prompts as needed for fallback routing
Legal Entity: Google LLC
Privacy Policy: policies.google.com/privacy
Purpose: Supplementary LLM option
Data Shared: As required for LLM generation
Legal Entity: OpenAI, Inc.
Privacy Policy: openai.com/privacy
Purpose: Citation tracking, search result measurement
Data Shared: Search queries, citation data
Legal Entity: Perplexity AI Inc.
Privacy Policy: perplexity.ai/privacy
Purpose: AI-text detection — used to verify that customer-facing content does not read as machine-generated before publishing
Data Shared: Generated text snippets for classification (no PII, no account data)
Legal Entity: Pangram Labs Inc.
Privacy Policy: pangram.com/privacy
Data Enrichment & Research
Purpose: Lead enrichment (email addresses, company data)
Data Shared: Email addresses, domain names
Legal Entity: Apollo Inc.
Privacy Policy: apollo.io/privacy
Purpose: Web content scraping and analysis
Data Shared: Website URLs, crawled page content
Legal Entity: Jina AI
Privacy Policy: jina.ai/privacy
Purpose: Web scraping, content extraction
Data Shared: Website URLs, content for extraction
Legal Entity: Firecrawl Inc.
Privacy Policy: firecrawl.dev/privacy
Purpose: Search result analysis, citation tracking
Data Shared: Search queries
Legal Entity: Tavily Inc.
Privacy Policy: tavily.com/privacy
Purpose: Search result analysis
Data Shared: Search queries
Legal Entity: Brave Software Inc.
Privacy Policy: search.brave.com/help/privacy-policy
Communications & Email
Purpose: Email campaign delivery
Data Shared: Recipient email addresses, message content, subject lines
Legal Entity: Mailrelay (part of Agile CRM)
Privacy Policy: mailrelay.com/privacy
Purpose: Email-address verification — used to confirm prospect/outreach recipient mailboxes are deliverable before sending, and to filter role/disposable addresses on prospect intake
Data Shared: Email addresses (no message content, no other PII)
Legal Entity: NeverBounce LLC (a ZoomInfo company)
Privacy Policy: neverbounce.com/privacy-policy
Infrastructure, Hosting & Hosting Integrations
Purpose: DNS, hosting, email routing, edge compute, KV storage, bot management
Data Shared: All infrastructure data, edge logs, DNS queries, email routing, KV key-value data
Legal Entity: Cloudflare Inc.
Privacy Policy: cloudflare.com/privacy
Purpose: Billing, payment processing (Live Phase)
Data Shared: Billing name, email, payment method information
Legal Entity: Stripe Inc.
Privacy Policy: stripe.com/privacy
Purpose: OAuth brokerage for platform integrations
Data Shared: OAuth tokens (encrypted), OAuth states, integration authorization
Legal Entity: Composio Inc.
Privacy Policy: composio.dev/privacy
Platform OAuth / API Install Providers
When you authorize Toutmark to publish to your CMS or hosting platform, OAuth tokens or API tokens are exchanged with these platforms. Toutmark publishes universally-visible page updates through your platform's standard publishing API — we do not deploy per-customer edge workers or user-agent-conditional content.
Purpose: Publish theme content via Shopify Admin API
Data Shared: OAuth token
Purpose: Publish posts and pages via the Toutmark WordPress plugin and REST API
Data Shared: OAuth token or application password
Purpose: Publish CMS items via Webflow Data API
Data Shared: OAuth token
Purpose: Deploy via Admin API
Data Shared: API key (encrypted)
Purpose: Deploy via CMS API
Data Shared: OAuth token
Purpose: Deploy via CMS API
Data Shared: OAuth token
Knowledge Bases & Review Sites
Purpose: Entity management (brand mentions, company information)
Data Shared: Brand names, descriptions, URLs, business information
Legal Entity: Wikimedia Foundation
Privacy Policy: foundation.wikimedia.org/wiki/Privacy_policy
Purpose: Prospect and directory data storage
Data Shared: Prospect names, emails, company information, engagement history
Legal Entity: Google LLC
Privacy Policy: policies.google.com/privacy
Forms & Intake
Purpose: Intake form submissions, survey collection
Data Shared: Form responses, email addresses, company information
Legal Entity: Tally Forms Inc.
Privacy Policy: tally.so/privacy
Press & PR
Purpose: Journalist query matching and pitch distribution
Data Shared: Journalist queries, spokesperson information, pitch responses
Legal Entity: Connectively Inc. (d/b/a HARO)
Privacy Policy: helpareporter.com/privacy
Purpose: Press release distribution
Data Shared: Press release text, company information, contact information
Legal Entity: EIN Presswire / Newsmatics Inc.
Privacy Policy: einpresswire.com/privacy
Social Media Platforms
When posting to social media, content and metadata are shared directly with the platform per your authorization:
- LinkedIn — linkedin.com/legal/privacy-policy
- Reddit — reddit.com/user_agreement
- X — x.com/privacy
- Slack — slack.com/privacy
- Canva — canva.com/privacy
Development & Version Control
Purpose: Code repository, version control
Data Shared: Codebase, deployment logs, documentation
Legal Entity: GitHub Inc. (Microsoft subsidiary)
Privacy Policy: github.com/privacy
Policy & Notification
Changes to Subprocessors: If we add, remove, or significantly change a subprocessor's role, we will notify all customers at least 30 days in advance and provide an opportunity to object before the change takes effect.
Data Protection Agreements: All subprocessors are contractually bound to protect customer data according to applicable laws (GDPR, CCPA, etc.) and Toutmark's privacy standards.
- v1.0 — April 23, 2026: Initial Subprocessor List (Live Phase, US-only)
- v1.1 — May 31, 2026: Added NeverBounce (email verification) and Pangram Labs (AI-text detection); removed Instagram from the social-media platforms list (Toutmark no longer publishes to Instagram); refreshed Perplexity status (no longer pending).