Version 5.2 · Effective date:
Main providers that may process data in connection with Hej Bóbr.
Scope
This list identifies the main providers that may process data in connection with the Service. Processing location may depend on service configuration, data type, account settings, and the provider current subprocessor list.
Main subprocessors
| Provider | Purpose | Location / transfers | Notes |
|---|---|---|---|
| Stripe Payments Europe, Limited / Stripe, Inc. | payments, billing, payment handling, payment fraud prevention | EEA / Ireland and global transfers, including the United States and other jurisdictions | Stripe may act as processor and as independent controller depending on processing purpose. |
| Cloudflare, Inc. | hosting, DNS, CDN, security, routing, caching, and abuse protection | Cloudflare global edge network; metadata mainly in the United States and Europe | Customer website content is hosted in a Europe-based data-centre configuration; transfers outside the EEA are covered by standard contractual clauses. |
| OpenAI, L.L.C. | AI/LLM processing, content generation, prompt and response processing | United States or Europe depending on configuration; transfers covered by standard contractual clauses | We use the commercial API only, in Zero Data Retention mode. Input data is not used to train OpenAI models and is not retained after the request is completed beyond what is necessary to provide the Service. |
| Cloudflare, Inc. | email routing, mail protection, and technical communication infrastructure | Cloudflare global infrastructure; metadata and logs may be processed in the United States and Europe | Applies only to the technical transactional-email layer of the Service. |
| Cloudflare, Inc. | analytics, operational telemetry, technical and security logs | Cloudflare global infrastructure; scope depends on enabled products and cookie/analytics settings | Analytics and marketing cookies run only after the user gives consent. |
Tools outside the scope of this list (own marketing)
Tools used for our own marketing and cold outreach, including Instantly.ai (Foo Monk LLC), are not subprocessors of Customer personal data under the GDPR. Running outbound campaigns is the Service Provider's own marketing purpose, in which it acts as an independent controller of business contact data, not as a processor of data entrusted by a Customer. For that reason these tools are not listed among the subprocessors above. Processing of data in the Service Provider's marketing is described in the Privacy Policy.
Changes
Changes to the Subprocessor List will be published in the Service or communicated to customers in the manner described in the Terms. For providers outside the EEA, we apply appropriate transfer mechanisms where required by data-protection law.