Every vendor. Every byte.
Below is the complete list of third-party services we use, what data each one sees, and a separate list of categories we deliberately refuse to use. If your security or compliance team needs more detail, write to privacy@nursedoctorateprograms.com.
Sub-processors we use
| Vendor | What it does | What it sees | Where |
|---|---|---|---|
| Vercel, Inc. | Static hosting and content delivery for the Site. | Standard CDN edge logs (IP address, requested path, referrer, user-agent), retained per Vercel's defaults. We do not query, export, or join these logs to anything. | USA (multi-region edge) |
| Supabase, Inc. | Database (Postgres), authentication (magic-link), and edge functions for the Stripe webhook and checkout. | Email addresses of signed-in users. Claim and correction text. Subscription state. All data is stored in our project; no other Supabase customer can access it. Row-Level Security policies are documented in the migration files. | USA · AWS us-east-1 |
| Stripe, Inc. | Payment processing for paid subscription tiers ("Verified", "Featured") only. Loaded only on the Pricing page and the Stripe-hosted checkout flow. | Payment-card details, billing address, and tax-ID information of subscribers. We never receive or store card data — only a Stripe customer ID, plan, status, and renewal date. | USA |
| jsDelivr (Cloudflare-fronted) | Open-source JavaScript CDN. Serves the Supabase JS client and Stripe.js (the latter only on Pricing and Checkout). | IP address (during script fetch only). No tracking, no analytics. | Global CDN |
Things we refuse to use
This list is the heart of our anti-tracking commitment. The directory will not adopt any of the following without first updating this page, the Privacy Policy, and the Terms of Service, and giving 30 days' advance notice in the page footer:
- ✕ Meta Pixel (Facebook / Instagram conversion tracking)
- ✕ Google Analytics (in any configuration, cookieless included), Google Tag Manager, Google Ads conversion tags, or Google Signals. We run no analytics product of any kind.
- ✕ TikTok Pixel, LinkedIn Insight Tag, Pinterest Tag, X (Twitter) Pixel, Snap Pixel
- ✕ Hotjar, FullStory, Mouseflow, Microsoft Clarity, LogRocket, or any other session-replay tool
- ✕ Any cross-site behavioral advertising network or "data broker" relationship
- ✕ Any third-party live-chat tool (Intercom, Drift, Zendesk Messenger, Crisp) — we will use email instead
- ✕ Any healthcare-targeted ad-tech (Amazon DSP healthcare audiences, Symphony, etc.)
- ✕ Sale, rental, or sharing of personal data with any party for advertising purposes — ever
What this means for you
You can browse this directory without a cookie ever being written to your device. No Meta, TikTok, Google, or third-party advertising network is told you visited. We run no analytics product at all — not even a cookieless one — so no aggregate page-view beacon leaves your browser. You can sign in to claim a listing or submit a correction without being added to a profile. You can pay for a subscription without us seeing your card. We hold ourselves to this standard not because the law requires it (in many places it does not), but because the Site exists to help prospective doctoral student — and prospective doctoral student deserve the same privacy posture that the most-litigated healthcare websites are now being forced into. We start there.
Last verified by manual audit: 2026-06-08. To independently verify the trackers list, open your browser's network panel and load any page on this Site — webfonts are self-hosted (served from this domain), and the only third-party requests you will see are (on Pricing/Claim/Admin/Detail pages only) cdn.jsdelivr.net, *.supabase.co, or js.stripe.com. To independently confirm no cookies are set: open DevTools → Application → Cookies before and after page load.