Sub-processors
We engage a small set of vetted third parties to deliver the service. GDPR Art. 28 obliges us to (a) name each one, (b) limit their access to what they actually need, and (c) impose contractual data-protection terms. Here is the full list.
Effective 2026-05-11. We give 30 days' notice on this page before adding a new sub-processor.
| Sub-processor | Purpose | Data accessed | Region | Transfer basis |
|---|---|---|---|---|
| Hetzner Online GmbH | Application hosting (compute, EU bare-metal) | All processed data, encrypted at rest | Falkenstein, Germany (EU) | EU-internal — no transfer |
| Anthropic PBC | Buronia drafting (Claude API, ZDR enabled, no training) | Wizard answers with sensitive fields redacted | Ireland (EU endpoint where available); US fallback | SCC + Anthropic Zero-Data-Retention addendum |
| Stripe Payments Europe Ltd | Payment processing for the €19 unlock | Email, billing data, payment-method token | Ireland (EU) | EU-internal — no transfer |
| Google LLC (Maps Platform) | Address autocomplete on inline forms | Keystroke text + IP, while the field is focused | Global (Google network) | SCC; processing limited to Address-Autocomplete API per Maps Platform terms |
| Google LLC (Google Analytics 4) | Aggregate site analytics — loads only after you tick Analytics cookies in the consent banner and click Accept. If you decline, GA never loads and no GA cookies are set. | Truncated IP (anonymize_ip), pseudonymous Client ID, page URL, referrer, screen size, language. No form answers, no personal-info fields. | Global (Google network); EU regional servers where available | SCC (Module 2); explicit opt-in consent under ePrivacy Art. 5(3) / TTDSG §25 |
| Mailgun (Sinch Email Inc.) | Transactional email (magic links, receipts, DPO replies) | Email address, message body | EU region (Frankfurt) | EU-internal — no transfer |
| Cloudflare, Inc. | DNS, edge caching of static assets, DDoS protection | Request metadata + IP (no application data) | Global edge; EU-only routing where available | SCC + EU Data Boundary commitment |
| Twilio Ireland Ltd (WhatsApp Business API) | WhatsApp customer-support channel | Phone number, message content (only when you message us) | Ireland (EU) | EU-internal — no transfer |
What we don't use
We do not use Meta Pixel, Hotjar, FullStory, Mixpanel, Segment, Amplitude, TikTok Pixel, LinkedIn Insight, or any ad-network conversion pixel. We do not embed third-party tag managers (no Google Tag Manager, no Tealium, no Segment). The only third-party analytics call is Google Analytics 4, and it fires only after explicit consent; see the row above and our cookies page for the exact gate. Web fonts are self-hosted from our own domain (buronia.com/static/fonts/); we do not hot-link Google Fonts or any other third-party font CDN, so no font request ever transfers your IP to a third party.
Adding or removing a sub-processor
Before we engage a new sub-processor we (a) execute an Art. 28 DPA with them, (b) verify their security posture and EU transfer basis, and (c) update this page at least 30 days before they touch any production data. If you object to a new sub-processor, you may exercise your erasure right and end the contractual relationship — your draft remains free under the consumer guarantee.
Audits
We audit each sub-processor's compliance certificates yearly: ISO 27001, SOC 2 Type II, EU Cloud Code of Conduct. Reports are available to enterprise customers under NDA via the DPO.