Subprocessors

GDPR Art. 30 - Subprocessor list

We share specific data with vetted third-party subprocessors to deliver the Glowniq service. Each subprocessor is bound by a Data Processing Agreement (DPA) and operates under documented safeguards.

Last updated: 15 June 2026

Infrastructure

Subprocessor	Data	Location	Safeguard
Hetzner (fenix-ai)	Backend API, PostgreSQL, Redis, MinIO	EU (Germany/Finland)	EU residency, self-hosted, encrypted at rest
Cloudflare	DNS, CDN, DDoS protection	Global anycast (EU edges)	SOC 2 Type II, GDPR DPA

AI vision

Subprocessor	Data	Location	Safeguard
OpenAI	Face image (temporary, not retained)	United States	API mode (no training), DPA, SCCs, TIA
Anthropic	Face image (temporary, not retained)	United States	API mode (no training default), DPA, SCCs, TIA
Groq	Face image (temporary, not retained)	United States	DPA in progress, SCCs planned
OpenRouter	Face image + prompt (aggregator)	United States	Aggregator - model-level DPA varies; trust whitelist only
EachLabsDisabled in production	Face image	United States	EachLabs DPA not yet executed

Payments

Subprocessor	Data	Location	Safeguard
Stripe	Card metadata, billing records	United States (EU subsidiary)	PCI-DSS Level 1, DPA, SCCs
RevenueCat	In-app purchase receipts, App Store/Play billing	United States	PCI-DSS, App Store DPA, RevenueCat DPA

Email & push

Subprocessor	Data	Location	Safeguard
SMTP (self-hosted)	Transactional email (SMTP)	EU (fenix-ai)	Self-hosted, no third-party delivery
Expo (Push)	Push notification tokens	United States (APNs/FCM relay)	Apple APNs DPA, Google FCM DPA

Analytics

Subprocessor	Data	Location	Safeguard
CookieYes	Cookie consent preferences	EU	GDPR-compliant consent management

Cookie policy

We use CookieYes to manage consent for non-essential cookies. Marketing and analytics cookies are off by default until you opt in.