Every vendor. Every byte.
Below is the complete list of third-party services we use, what data each one sees, and a separate list of categories we deliberately refuse to use. If your security or compliance team needs more detail, write to privacy@globalcyberinstitute.org.
Sub-processors we use
| Vendor | What it does | What it sees | Where |
|---|---|---|---|
| Vercel, Inc. | Static hosting and content delivery for the Site. | Standard CDN edge logs (IP address, requested path, referrer, user-agent), retained per Vercel's defaults. We do not query, export, or join these logs to anything. | USA (multi-region edge) |
| Supabase, Inc. | Database (Postgres), authentication (magic-link), and edge functions for the Stripe webhook and checkout. | Email addresses of signed-in users. Claim and correction text. Subscription state. All data is stored in our project; no other Supabase customer can access it. Row-Level Security policies are documented in the migration files. | USA · AWS us-east-1 |
| Stripe, Inc. | Payment processing for paid subscription tiers ("Verified", "Featured") only. Loaded only on the Pricing page and the Stripe-hosted checkout flow. | Payment-card details, billing address, and tax-ID information of subscribers. We never receive or store card data — only a Stripe customer ID, plan, status, and renewal date. | USA |
| Google LLC (Fonts + cookieless GA4) | (1) Serves three webfonts (Newsreader, Geist, JetBrains Mono) from fonts.googleapis.com / fonts.gstatic.com. (2) Google Analytics 4 in strict cookieless mode (client_storage: 'none', anonymize_ip: true, Google Signals and ad personalization disabled) — measures aggregate page views only. Loaded on every page via /js/analytics.js; measurement ID G-PH5VNTSZB6. |
For fonts: IP address during font fetch only. For GA4: an anonymized per-request beacon (anonymized IP, page URL, device class). No cookies set on your device. No cross-site identifiers. We do not use Google Ads, conversion tags, Google Signals, reCAPTCHA, or any Google service for behavioral profiling. | Global CDN |
| jsDelivr (Cloudflare-fronted) | Open-source JavaScript CDN. Serves the Supabase JS client and Stripe.js (the latter only on Pricing and Checkout). | IP address (during script fetch only). No tracking, no analytics. | Global CDN |
Things we refuse to use
This list is the heart of our anti-tracking commitment. The directory will not adopt any of the following without first updating this page, the Privacy Policy, and the Terms of Service, and giving 30 days' advance notice in the page footer:
- ✕ Meta Pixel (Facebook / Instagram conversion tracking)
- ✕ Standard (cookie-based) Google Analytics, Google Tag Manager for marketing, Google Ads conversion tags, or Google Signals. (We do load GA4 in a strict cookieless configuration; see the sub-processors table above.)
- ✕ TikTok Pixel, LinkedIn Insight Tag, Pinterest Tag, X (Twitter) Pixel, Snap Pixel
- ✕ Hotjar, FullStory, Mouseflow, Microsoft Clarity, LogRocket, or any other session-replay tool
- ✕ Any cross-site behavioral advertising network or "data broker" relationship
- ✕ Any third-party live-chat tool (Intercom, Drift, Zendesk Messenger, Crisp) — we will use email instead
- ✕ Any healthcare-targeted ad-tech (Amazon DSP healthcare audiences, Symphony, etc.)
- ✕ Sale, rental, or sharing of personal data with any party for advertising purposes — ever
What this means for you
You can browse this directory without a cookie ever being written to your device. No Meta, TikTok, or third-party advertising network is told you visited. Google receives only a cookieless, anonymized beacon used to count aggregate page views — it cannot tie that beacon to your advertising profile, because Google Signals and ad personalization are disabled. You can sign in to claim a listing or submit a correction without being added to a profile. You can pay for a subscription without us seeing your card. We hold ourselves to this standard not because the law requires it (in many places it does not), but because the Site exists to help nursing students — and nursing students deserve the same privacy posture that the most-litigated healthcare websites are now being forced into. We start there.
Last verified by manual audit: 2026-05-12. To independently verify the trackers list, open your browser's network panel and load any page on this Site — the only third-party requests you will see are to fonts.googleapis.com, fonts.gstatic.com, www.googletagmanager.com (cookieless GA4 loader), region1.google-analytics.com (cookieless GA4 beacon), and (on Pricing/Claim/Admin/Detail pages only) cdn.jsdelivr.net or *.supabase.co or js.stripe.com. To independently confirm no cookies are set: open DevTools → Application → Cookies before and after page load.