Sub-Processors & data transfers

Published in accordance with GDPR Article 28 and good-faith transparency · Last updated 20 April 2026 · Version 2026-04-20

This page lists every third-party processor ("sub-processor") that VoxSoma engages to deliver its services. Each has been reviewed for GDPR compliance and each operates under a signed or publicly published Data Processing Agreement (DPA).

Complete sub-processor list

Sub-processor	Purpose	Data categories	Location	Transfer safeguard	DPA / Privacy
Anthropic, PBC	AI text generation — affirmation generator and chat assistant (claude-haiku-4-5)	User-entered intention text; chat messages	United States	EU-US Data Privacy Framework + Standard Contractual Clauses	DPA · Privacy
Stripe, Inc.	Payment processing, tax calculation (Stripe Tax), fraud screening (Radar)	Payment card data, email, billing address, IP, purchase events	United States (with EU data residency for EU customers where applicable)	EU-US Data Privacy Framework + Standard Contractual Clauses	DPA · Privacy
Cloudflare, Inc.	Web hosting (Pages), serverless compute (Workers), CDN, DNS, email routing, KV & R2 storage, bot protection (Turnstile), DDoS mitigation	IP addresses, request logs, transient API payloads, email metadata	Global edge network; EU customer data prioritized to EU regions where possible	EU-US Data Privacy Framework + Standard Contractual Clauses	DPA · Privacy · GDPR center
Loops & Co., Inc.	Transactional post-purchase email delivery — onboarding sequence (Day 0, Day 3, Day 14)	Email address, first name, purchase event metadata	United States	EU-US Data Privacy Framework + Standard Contractual Clauses	DPA · Privacy
Microsoft Corporation	Anonymous heatmap and interaction analytics (Microsoft Clarity) — activated only after cookie consent	Anonymous interaction events (clicks, scrolls). No form input recording, no user identifiers	United States	EU-US Data Privacy Framework + Standard Contractual Clauses	Privacy
Rewardful Inc.	Affiliate link tracking and commission calculation — activated only after affiliate-tracking cookie consent	Affiliate referral identifier, sale event, purchase amount, country	Canada	GDPR Adequacy Decision (Canada — PIPEDA)	Privacy

What we do NOT share

Voice recordings are processed entirely client-side and never transmitted to any server or processor. They remain on your device in browser IndexedDB.
Generated audio files are created client-side in your browser and stored locally. They never pass through any processor's servers.
No advertising networks. We do not use Google Analytics, Facebook Pixel, TikTok Pixel, or any cross-site tracking in a way that shares personal identifiers with advertisers.

Your right to object (GDPR Art. 21)

You have the right to object to the engagement of any sub-processor. If you object, we will work in good faith to provide an alternative where technically possible; if no alternative can be provided, we may be required to terminate the service with you, at which point any unused prepaid fees will be refunded pro-rata.

To object, email [email protected] with the subject "Sub-processor objection" and we will respond within 30 days.

Changes to this list

Notification policy: We will notify you by email of any material change to the sub-processor list at least 30 days before the new sub-processor begins processing your data, giving you an opportunity to exercise your right to object. The exception is where urgent security or operational changes require faster engagement — in such cases, notification will be provided as soon as reasonably practicable.

Controller contact

Ramūnas Deniušis (sole trader / individualią veiklą vykdantis asmuo)
Individual Business Certificate No. 1293607
Kalnėnų g. 5-3, LT-89145 Mažeikiai, Lithuania
Privacy questions: [email protected]

← Back to Privacy Policy ← Home