Working draft — not yet legally reviewed
This page is HostPal's engineering-drafted statement of intent and is published in good faith. It has not been reviewed by licensed counsel and may not reflect every legal nuance of your jurisdiction. For a binding answer to a specific question, please contact [email protected].
Version: 2026-05-21 · Last changed: 2026-05-21
To subscribe to email notifications about future changes, email [email protected]. Material changes are announced at least 30 days in advance per GDPR Art. 28(2). You may object to a change by emailing [email protected] within the notice window.

| Sub-processor | Purpose | Data | Location | Safeguards |
|---|---|---|---|---|
| MongoDB Atlas | Primary database | All Host and Guest data | EU (Frankfurt) | At-rest encryption (AES-256), SOC 2 Type II, signed DPA + SCCs |
| Cloudflare | CDN, R2 file storage, WAF, DDoS protection | Host-uploaded files, public assets, edge cache | Global edge | DPA + SCCs |
| Twilio | WhatsApp + SMS routing | Guest phone numbers, message contents | US | DPA + SCCs |
| Telegram (Bot API) | Telegram messaging channel | Guest Telegram IDs, message contents | Global (Telegram FZ-LLC, Dubai) | Telegram does not publish a GDPR DPA. Treated as independent controller of transport metadata. Hosts can choose WhatsApp-only at property setup for EU-sensitive deployments. |
| OpenRouter | LLM routing gateway | Prompt contents (Guest messages + Host context) | US | DPA; routes to OpenAI / Anthropic / Google AI per model selection |
| OpenAI | LLM inference + Whisper voice transcription | Prompt contents, voice audio | US | Zero data retention agreement for API; DPA + SCCs |
| Anthropic | LLM inference | Prompt contents | US | No training on API traffic by default; DPA + SCCs |
| Google AI / Gemini | LLM inference (fallback) | Prompt contents | US / EU | DPA + SCCs |
| Stripe | Billing + payments | Host name, email, billing address, card token | US / IE | PCI-DSS Level 1, DPA + SCCs |
| Resend | Transactional email | Host email, account event content | US | DPA + SCCs |
| Sentry | Error monitoring | Stack traces, server logs (PII scrubbed at SDK) | EU | DPA + SCCs |
| PostHog | Product analytics (consent-gated) | Anonymised event data, truncated IP | EU | DPA |
| Google Analytics 4 | Web analytics (consent-gated) | Truncated IP, page events | US | DPA + SCCs |
| Microsoft Clarity | Session replay sampled for UX research (consent-gated) | UI interaction data, IP | US | DPA + SCCs |

2026-05-21 — Initial public sub-processor register published.