Third-Party Services & API Compliance Register
Price4Parts Platform
This register lists third-party vendors, APIs, SDKs, and embeds that may process data in connection with Price4Parts. It supports privacy disclosures, cookie consent, and vendor reviews. Only external providers are described here — not how Price4Parts builds or operates its own systems.
1) Scope
Each entry below is a third-party service reached from the website (e.g. scripts, iframes, uploads) or called over the internet from Price4Parts infrastructure (e.g. payment, email, database hosting APIs).
2) Executive summary
| Provider | Primary purpose | How it is used |
|---|---|---|
| Stripe | Payments, subscriptions, Stripe Connect supplier payouts | Browser and server-side payment APIs |
| Cloudinary | User file uploads and media hosting | Browser uploads and Cloudinary APIs / CDN |
| Google Tag Manager (GTM) | Tag management; loads and coordinates marketing/analytics tags | Browser script (when enabled) |
| Google Analytics (GA4) | Website and product analytics, measurement | Browser (often via GTM) |
| Meta (Facebook Pixel / Meta technologies) | Advertising, attribution, conversion measurement, remarketing | Browser script / pixel (when enabled) |
| Google Translate | Optional website translation widget | Browser script + cookies |
| Google Fonts | DM Sans / Inter font delivery | Browser stylesheet request |
| YouTube | Embedded product / marketing videos | Iframe API |
| SendGrid | Transactional email delivery | HTTPS mail API (when enabled) |
| SMTP provider | Email fallback transport | SMTP (when used instead of or alongside SendGrid) |
| MongoDB Atlas / other MongoDB host | Hosted database | Database provider connection |
| Redis host | Caching and real-time coordination (when enabled) | Managed Redis connection |
3) Vendor register
3.1 Stripe
Purpose: Card payments, subscription billing, Checkout sessions, Payment Element, supplier payouts via Stripe Connect, webhooks and billing state synchronization.
API / integration: Stripe.js and related browser components; Stripe REST APIs and webhooks on the server side for payments, billing, and Connect payouts.
Data categories: Payment credentials (processed by Stripe), billing customer identifiers, payment intent IDs, subscription IDs, connected account IDs, payout status metadata.
Legal: stripe.com/legal · stripe.com/privacy
3.2 Cloudinary
Purpose: Direct browser uploads for listing images, supplier logos and branding, profile images, chat attachments, raw documents (where enabled).
Endpoint pattern: https://api.cloudinary.com/v1_1/{cloud_name}/…/upload
Data categories: User-selected media (images, PDFs / raw files), generated CDN URLs, transformation metadata.
Legal: cloudinary.com/privacy
3.3 Google Tag Manager (GTM)
Purpose: Central tag management — deploy and control marketing and analytics tags (e.g. GA4, Meta Pixel) without changing application code for every change.
API / integration: Google-hosted tag container snippet in the browser when enabled.
Data categories: Page URLs, events forwarded to child tags, cookie reads/writes as configured in the container; the data actually collected depends on which tags the container fires.
Compliance: Map GTM loading and any tags it fires to the Analytics / Marketing cookie consent category where required.
Legal: Google Privacy Policy · Tag Manager terms
3.4 Google Analytics (GA4)
Purpose: Web and product analytics — traffic, engagement, conversions, and reporting.
API / integration: Google Analytics 4 measurement in the browser, often via GTM or gtag.js, when enabled.
Data categories: Pseudonymous identifiers, device/browser metadata, page views, events, approximate location (IP-derived where used), session duration.
Compliance: Requires consent where mandated; document in cookie banner under Analytics.
Legal: Google Privacy Policy · Google Analytics terms
3.5 Meta (Facebook Pixel / Meta technologies)
Purpose: Advertising, conversion tracking, optimisation, and remarketing across Meta products (e.g. Facebook, Instagram).
API / integration: Meta Pixel in the browser and/or Meta Conversions API from the server when enabled; often loaded via GTM.
Data categories: Event data (page view, purchase, lead, custom events), device and browser metadata, Meta cookies; if Conversions API is used, hashed identifiers may be sent according to Meta specifications.
Compliance: Map to Marketing (and where applicable Analytics) consent; respect opt-out and regional requirements.
Legal: Meta Privacy Policy · Meta Business Tools terms
3.6 Google Translate
Purpose: Optional translation widget loaded when functional cookies are accepted.
Script: https://translate.google.com/translate_a/element.js
Data categories: Visible page text for translation, language preference, translation cookies (e.g. googtrans).
Compliance: Map to Functional cookies in the consent banner.
Legal: Google Privacy Policy
3.7 Google Fonts
Purpose: External font delivery (e.g. DM Sans, Inter) via fonts.googleapis.com.
Data categories: Standard connection metadata (IP, user agent, referrer), stylesheet requests.
Compliance: For stricter EU / enterprise DPAs, consider self-hosting fonts.
Legal: Google Fonts FAQ (privacy)
3.8 YouTube
Purpose: Embedded walkthroughs, pricing videos, onboarding, marketing content.
Integration: YouTube iframe API; youtube-nocookie.com player where implemented.
Data categories: Player requests, device/browser metadata, playback interactions, possible YouTube preference cookies.
Legal: YouTube Terms · Google Privacy Policy
3.9 SendGrid
Purpose: Transactional email via SendGrid's HTTP API when that option is enabled.
Endpoint: https://api.sendgrid.com/v3/mail/send
Data categories: Recipient email, subject, HTML content, reply-to, delivery metadata.
Legal: Twilio terms
3.10 SMTP provider (fallback)
Purpose: Transactional email via standard SMTP when that transport is used (e.g. as an alternative or fallback to SendGrid).
Data categories: Same as SendGrid — recipient, subject, content, logs.
Compliance: List the actual SMTP vendor (SES, Mailgun, Postmark, hosting SMTP, etc.) as a separate subprocessor.
3.11 MongoDB / MongoDB Atlas
Purpose: Hosted operational database (e.g. MongoDB Atlas or another MongoDB host).
API / integration: Database connection to the chosen MongoDB provider over the network.
Compliance: Rely on the DPA and region documentation from your actual MongoDB vendor.
3.12 Redis (optional)
Purpose: When used: caching, pub/sub, and related infrastructure via a managed or self-hosted Redis provider.
Data categories: Real-time payloads, room subscriptions, transient keys.
Compliance: Reference DPA and hosting region from your Redis provider.
4) Cookie & consent mapping
Cookie consent is organised into these categories:
- Essential — strictly necessary cookies for operating the site (e.g. sign-in, security, checkout flow).
- Functional — e.g. Google Translate (when accepted).
- Analytics — Google Tag Manager (as loader), Google Analytics (GA4), and related measurement; enable only with consent where required.
- Marketing — Meta Pixel and similar advertising/retargeting tags; typically deployed via GTM; consent-gated where required.
If additional analytics, pixels, or SDKs are introduced, update this register and the cookie banner at the same time.
5) Legal / privacy team action items
- Privacy Policy: Reference payment processors, file storage, email subprocessors, video embeds, fonts, translation, tag management (GTM), analytics (GA), and marketing (Meta).
- Terms of Service: Cover Stripe billing/refunds, Connect payouts, Cloudinary-hosted uploads, and third-party communications and measurement tools.
- Subprocessor register: Maintain separate entries for hosting, CDN, CI/CD, logs/monitoring, error tracking, VPS/container platforms (e.g. Hetzner), etc.
6) Security review checklist
Review this register when adding:
- Analytics SDKs, maps, OAuth/social login, AI APIs
- Search SaaS, fraud tools, monitoring, error tracking
- New public scripts, pixels, or browser-loaded SDKs
Recommended cadence: each major release, before enterprise onboarding, and before SOC 2 / ISO evidence collection.