Subprocessors

Written By Simon from Replaiy

Last updated About 1 month ago

Replaiy B.V.
Last updated: May 7, 2026
Version 1.2

1. Introduction

This page lists the third-party service providers ("Subprocessors") that Replaiy B.V. ("Replaiy") engages to process personal data on behalf of its Customers in connection with the Services, as well as third-party tools used on our marketing website. Each Subprocessor is bound by a written agreement that includes data protection obligations no less protective than those in our Data Processing Agreement (DPA), where applicable.

This list forms Annex III to our DPA and is incorporated by reference.

2. Notification of Changes

Replaiy notifies Customers at least 30 days in advance of adding or replacing a Subprocessor that processes Customer Data. Customers may object on reasonable, documented data protection grounds within this period by writing to legal@replaiy.ai. The change notification mechanism is described in Section 7 of our DPA.

To receive notifications about Subprocessor changes, Customers may subscribe via dpa@replaiy.ai.

3. Infrastructure and Hosting

3.1 Railway

  • Purpose: Application hosting, database hosting, infrastructure

  • Data processed: All Customer Data, including account data, conversation content, and Lead data

  • Location: European Union (EU-West, Amsterdam)

  • Transfer mechanism: Not applicable (EU)

  • Privacy policy: railway.com/legal/privacy

3.2 Cloudflare

  • Purpose: Object storage for media assets (profile pictures, company logos)

  • Data processed: Profile pictures and company logos associated with Users and Leads

  • Location: European Union (Cloudflare R2, WEUR region β€” typically Amsterdam, Frankfurt, or Paris)

  • Transfer mechanism: Not applicable (EU); SCCs available where Cloudflare's global infrastructure applies

  • Privacy policy: cloudflare.com/privacypolicy

4. Communication and Integrations

4.1 Unipile

  • Purpose: LinkedIn integration layer enabling authentication, message sending, and message retrieval

  • Data processed: LinkedIn account credentials (encrypted), profile data, conversation content

  • Location: European Union (France)

  • Transfer mechanism: Not applicable (EU)

  • Privacy policy: unipile.com/privacy

4.2 LinkedIn

  • Purpose: Underlying social platform on which Customers conduct outreach and conversations

  • Data processed: Profile data, message content, connection data

  • Location: Global infrastructure operated by LinkedIn Ireland Unlimited Company (EU entity) with onward transfers

  • Transfer mechanism: LinkedIn's own SCCs and supplementary measures

  • Privacy policy: linkedin.com/legal/privacy-policy

4.3 Google Workspace (Calendar)

  • Purpose: Optional calendar integration for scheduling functionality

  • Data processed: Meeting metadata (title, time, attendees) where the User connects Google Calendar

  • Location: European Union, with possible onward processing under Google's terms

  • Transfer mechanism: Google Workspace Data Processing Amendment with SCCs

  • Privacy policy: policies.google.com/privacy

5. AI Providers

5.1 OpenRouter

  • Purpose: AI model routing and inference gateway

  • Data processed: Prompt content (which may include conversation data) and AI outputs

  • Location: United States, with EU-compatible routing where available

  • Transfer mechanism: SCCs and Zero Data Retention configuration

  • Privacy policy: openrouter.ai/privacy

5.2 Anthropic (Claude)

  • Purpose: Large language model inference (accessed via OpenRouter)

  • Data processed: Prompt content and AI outputs

  • Location: United States and other regions

  • Transfer mechanism: SCCs and Zero Data Retention configuration

  • Privacy policy: anthropic.com/privacy

5.3 xAI (Grok)

  • Purpose: Large language model inference (accessed via OpenRouter)

  • Data processed: Prompt content and AI outputs

  • Location: United States

  • Transfer mechanism: SCCs and Zero Data Retention configuration

  • Privacy policy: x.ai/legal/privacy-policy

5.4 Google (Gemini)

  • Purpose: Large language model inference (accessed via OpenRouter)

  • Data processed: Prompt content and AI outputs

  • Location: United States and other regions, with EU data residency available for selected models

  • Transfer mechanism: SCCs and Zero Data Retention configuration

  • Privacy policy: policies.google.com/privacy

6. Payments

6.1 Stripe

  • Purpose: Subscription billing and payment processing

  • Data processed: Customer billing data (company name, address, VAT number), transaction history, payment instrument data (handled directly by Stripe)

  • Location: European Union (Stripe Payments Europe Limited, Ireland), with possible onward processing

  • Transfer mechanism: Stripe DPA with SCCs

  • Privacy policy: stripe.com/privacy

7. Product Analytics

7.1 PostHog

  • Purpose: Product analytics, feature usage, and error monitoring within the product application (replaiy.app)

  • Data processed: Usage events, anonymized IP addresses, device and browser data

  • Location: European Union (PostHog EU Cloud)

  • Transfer mechanism: Not applicable (EU)

  • Privacy policy: posthog.com/privacy

8. Marketing Website Analytics (replaiy.ai only β€” consent-based)

The following tools are used exclusively on our marketing website (replaiy.ai) and only after the visitor has given consent through our cookie banner. They are not used inside the product application and do not process Customer Data.

8.1 Microsoft Clarity

  • Purpose: Visitor analytics on the marketing website (clicks, scrolls, session recordings, heatmaps)

  • Data processed: Pages visited, clicks, scroll behavior, browser and device information, IP address (anonymized by Microsoft)

  • Location: United States

  • Transfer mechanism: Standard Contractual Clauses with supplementary measures

  • Privacy policy: privacy.microsoft.com/privacystatement

8.2 Google Analytics

  • Purpose: Traffic and conversion measurement on the marketing website

  • Data processed: Pages visited, session duration, referrer, browser and device information, IP address (truncated by Google for EU traffic)

  • Location: United States

  • Transfer mechanism: Standard Contractual Clauses with supplementary measures

  • Privacy policy: policies.google.com/privacy

9. Internal Operations Subprocessors

The following Subprocessors are used by Replaiy for its own business operations (e.g., support, internal communications). They do not process Customer-submitted personal data in the course of providing the Services, but are listed for transparency.

9.1 Google Workspace

  • Purpose: Internal email, document collaboration, file storage

  • Data processed: Customer correspondence (where Customers email us), business documents

  • Location: European Union with possible onward transfers

  • Privacy policy: policies.google.com/privacy

10. Sub-processor Reliability

Replaiy assesses each Subprocessor's security posture and data protection practices before engagement and on a periodic basis thereafter. Replaiy remains responsible to Customers for the performance of each Subprocessor's obligations under the DPA, where applicable.

11. Contact

For questions about this Subprocessor list, change notifications, or to object to a Subprocessor:

Replaiy B.V.
Bovenkamp 7A
1391 LH Abcoude
The Netherlands
Email: dpa@replaiy.ai (data protection), legal@replaiy.ai (contractual matters)
Web: https://replaiy.ai