List of Data Processors (Sub-processors)
Last updated: June 23, 2026
This list supplements the Privacy Policy (point 5) and is kept up to date. Data is entrusted on the basis of data processing agreements (DPA). Only pseudonymized and minimized data is passed to OCR/AI providers.
| Entity | Service / role | Scope of data | Location | Transfer basis |
|---|---|---|---|---|
| Google Cloud / AWS | hosting, infrastructure | all categories (encrypted) | EU (region) / USA (group entity) | DPF / SCC |
| OneSignal | push notifications | push tokens, device/subscription identifiers, engagement data (delivery/opens); IP addresses not collected for EU/EEA and UK (default setting); no location data; no test results or health data | USA | DPA + SCC (paid plan) / DPF |
| Stripe | payment operator (subscriptions, settlements) | billing and subscription data (card data processed by Stripe) | USA / EU | DPF / SCC |
| Google Analytics | analytics (after consent) | cookie identifiers, IP address (truncated) | USA | DPF |
| Meta (Pixel) | marketing measurement (after consent) | cookie identifiers | USA | DPF |
| [• OCR / AI provider] | OCR and AI/LLM analysis | pseudonymized numerical values (without identifying data: first name, last name, PESEL) | [•] | [• DPA + SCC / DPF — no training on data] |
| [• transactional email provider] | email and transactional communication | email address, content of transactional messages | [•] | [•] |
Legend: DPA — data processing agreement; SCC — Standard Contractual Clauses; DPF — EU-US Data Privacy Framework; "[•]" — value to be completed.