Sub-processors and data partners.
These are the third-party services we use to deliver Virtue Mirage. The list is required by our Data Processing Agreement (DPA, clause 8). Every change goes through a 30-day notice cycle to all brand customers — opt-out rights apply.
Last updated: 14 May 2026
Active sub-processors
| Vendor | Purpose | Data accessed | Region |
|---|---|---|---|
|
Google Cloud (Cloud Run)
Google LLC · DPA
|
Container runtime for the Virtue Mirage application backend ("brain") | All — request and response payloads transit through the runtime in memory | us-central1 (Iowa, USA) · planned migration to australia-southeast1 (Sydney, AU) at scale milestone |
|
Google Cloud (Firestore)
Google LLC · DPA
|
Document database for customer identity, biometric lock, brand profiles, pre-render records, consent records, audit logs | Customer email hashes, measurements, brand profiles, consent flags, generation history | us-central1 (Iowa, USA) · planned migration to AU |
|
Google Cloud Storage (GCS)
Google LLC · DPA
|
Object storage for the rendered avatars and pre-rendered try-on imagery | Rendered avatar JPEGs and pre-render JPEGs. Original photos are never stored — they are deleted immediately after avatar generation. | us-central1 (Iowa, USA) · planned migration to AU |
|
Google Cloud (Vertex AI · Gemini)
Google LLC · DPA
|
AI inference for character-sheet generation, try-on rendering, garment description, measurement estimation, AI Stylist Concierge | Source photos (transient, in-memory during inference), product images, garment descriptions. Data is not retained by Google for training under Vertex AI enterprise terms. | us-central1 (Iowa, USA) |
|
Google Workspace (SMTP)
Google LLC · DPA
|
Transactional email delivery (welcome, store-ready, low-balance notifications, billing receipts) | Customer email addresses, transactional message content (no marketing email mixed in) | Global Google infrastructure with EU-US Data Privacy Framework certification |
|
Google Identity (OAuth 2.0)
Google LLC · DPA
|
Admin dashboard authentication for Virtue Creative team members only — not used for shopper or brand-merchant sign-in | Google account email + display name + profile photo URL of authorised admin users | Global |
|
Shopify
Shopify Inc. · DPA
|
Storefront platform integration — receives webhooks for product/order/customer events; serves the Theme App Extension iframe | Brand merchant Shopify Admin session tokens; product metadata; webhook payloads (read-only access in most flows) | Canada / USA / EU regions as per each brand's Shopify region selection |
|
Stripe
Stripe Inc. / Stripe Payments Australia Pty Ltd · DPA
|
Subscription billing and top-up charges to brand customers (where Shopify Billing API is not used) | Brand merchant billing contact, payment method (PCI-DSS scope on Stripe side only), subscription state | Global with regional data residency |
Sub-sub-processors
The vendors listed above may use their own sub-processors (e.g. Google's internal CDN, Shopify's hosted Cloudflare). These are subject to the prime vendor's own DPA and are not enumerated here. A full list is available on request for due-diligence purposes.
Notification of changes
30-day prior notice. Virtue Mirage will provide brand customers with 30 days' advance written notice before adding any new sub-processor that processes customer personal data, or before changing the region of an existing sub-processor.
Brand customers have the right to object to a new or changed sub-processor in writing within the 30-day notice period. Where a brand objects on legitimate data-protection grounds and the parties cannot agree on a resolution, the brand may terminate the affected services without penalty (per DPA clause 8.3).
To subscribe to update notifications, email hello@virtuemirage.com.au with the subject line "Subprocessor notifications".
Removed sub-processors
None. This is the initial sub-processor list as of platform launch.
Contact
Questions about sub-processors, data residency, or our DPA: hello@virtuemirage.com.au