Introduction
This page is the operational layer of the layered notice required under article 13 of Regulation (EU) 2016/679 (GDPR) and guidelines 03/2019 of the European Data Protection Board (EDPB). On the main privacy policy page we describe the functional categories of sub-processors (cloud infrastructure, AI generation, payment processing, analytics, transactional email, captcha and anti-abuse). Here we list the actual names of the providers reclamepenet uses to operate the service, the jurisdiction of each, and the applicable Data Processing Addendum (DPA).
For each provider outside the European Economic Area we rely on the Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision 2021/914, complemented where appropriate by Transfer Impact Assessments. A redacted copy can be requested at privacy@reclamepenet.ro.
Sub-processor list
| Sub-processor | Jurisdiction | Functional category | DPA |
|---|---|---|---|
| Supabase | EU (Frankfurt — eu-central-1) | PostgreSQL database and authentication | supabase.com/legal/dpa |
| Cloudflare (R2, Workers AI, Turnstile) | Global, with EU routing for R2 | Object storage (R2), server-side AI inference (Workers AI), anti-abuse captcha (Turnstile) | cloudflare.com/cloudflare-customer-dpa |
| OpenAI | USA (with SCCs) | Text script generation and structured prompts | openai.com/policies/data-processing-addendum |
| ElevenLabs | USA (with SCCs) | Server-side voice synthesis (TTS) | elevenlabs.io/dpa |
| Creatify | USA (with SCCs) | AI avatar video rendering | creatify.ai/dpa |
| Paddle | United Kingdom / USA (with SCCs) | Merchant of Record — payment processing, EU VAT invoicing, tax compliance | paddle.com/legal/dpa |
| Sentry | USA (with SCCs) | Server-side error monitoring | sentry.io/legal/dpa |
| PostHog | EU (Frankfurt) | Server-side product analytics (event ingestion via API; no browser SDK) | posthog.com/dpa |
| Resend | USA (with SCCs) | Transactional email (magic-link, abandoned-cart recovery) | resend.com/legal/dpa |
| BetterStack | EU | Uptime monitoring and log aggregation (when connected) | betterstack.com/legal/dpa |
| Google (OAuth + Places) | USA (with SCCs) | OAuth authentication; Places API for local businesses (when connected) | cloud.google.com/terms/data-processing-addendum |
Pre-launch note: some providers above marked “when connected” (BetterStack, Google Places) are included in the declared list for completeness, even though their technical integration is not yet live as of the date of this policy. They will become effective at the moment that integration is activated, and they receive no personal data until then.
Updates to this list
This list is updated whenever we onboard a new sub-processor or remove an existing one. Changes are announced in the version log of the main privacy policy page and, when they have direct impact on you (for example, a new processing jurisdiction or a new category of data being shared), by a notification email at least 30 days before the change comes into effect.
For questions about any of the providers listed above, about the legal basis for transfers outside the EU, or to request a copy of the relevant standard contractual clauses, write to privacy@reclamepenet.ro.