Sub-processors
We engage a small set of vetted third parties to deliver the service. GDPR Art. 28 obliges us to (a) name each one, (b) limit their access to what they actually need, and (c) impose contractual data-protection terms. Here is the full list.
Effective 2026-04-30. We give 30 days' notice on this page before adding a new sub-processor.
| Sub-processor | Purpose | Data accessed | Region | Transfer basis |
|---|---|---|---|---|
| Hetzner Online GmbH | Application hosting (compute, EU bare-metal) | All processed data, encrypted at rest | Falkenstein, Germany (EU) | EU-internal — no transfer |
| Anthropic PBC | Buronia drafting (Claude API, ZDR enabled, no training) | Wizard answers with sensitive fields redacted | Ireland (EU endpoint where available); US fallback | SCC + Anthropic Zero-Data-Retention addendum |
| Stripe Payments Europe Ltd | Payment processing for the €19 unlock | Email, billing data, payment-method token | Ireland (EU) | EU-internal — no transfer |
| Google LLC (Maps Platform) | Address autocomplete on inline forms | Keystroke text + IP, while the field is focused | Global (Google network) | SCC; processing limited to Address-Autocomplete API per Maps Platform terms |
| Mailgun (Sinch Email Inc.) | Transactional email (magic links, receipts, DPO replies) | Email address, message body | EU region (Frankfurt) | EU-internal — no transfer |
| Cloudflare, Inc. | DNS, edge caching of static assets, DDoS protection | Request metadata + IP (no application data) | Global edge; EU-only routing where available | SCC + EU Data Boundary commitment |
| Twilio Ireland Ltd (WhatsApp Business API) | WhatsApp customer-support channel | Phone number, message content (only when you message us) | Ireland (EU) | EU-internal — no transfer |
What we don't use
We do not use Google Analytics, Meta Pixel, Hotjar, FullStory, Mixpanel, Segment, Amplitude, or any ad-network pixel. We do not embed third-party fonts that ping home (Google Fonts is loaded via the privacy-friendly fonts.googleapis.com endpoint with no cookies).
Adding or removing a sub-processor
Before we engage a new sub-processor we (a) execute an Art. 28 DPA with them, (b) verify their security posture and EU transfer basis, and (c) update this page at least 30 days before they touch any production data. If you object to a new sub-processor, you may exercise your erasure right and end the contractual relationship — your draft remains free under the consumer guarantee.
Audits
We audit each sub-processor's compliance certificates yearly: ISO 27001, SOC 2 Type II, EU Cloud Code of Conduct. Reports are available to enterprise customers under NDA via the DPO.