Updated
December 2025
This page lists all third-party service providers (Subprocessors) that Claribi OÜ ("Claribi") uses to process personal data on behalf of our customers. This list is updated regularly and maintained in compliance with GDPR Article 28.
For questions about this list, contact: privacy@claribi.com
Microsoft Entra ID
· Provider: Microsoft Corporation
· Location: Global (various regions)
· Purpose: User authentication, Single Sign-On (SSO), and identity management
· Data Processed: User credentials (processed directly by Microsoft), authentication tokens, email address, name, Microsoft Tenant ID, User Object ID
· Privacy Policy: https://privacy.microsoft.com/
· Legal Basis: Data is processed under Microsoft's Cloud Agreement and GDPR-compliant terms
Railway
· Provider: Railway Corp
· Location: EU (Amsterdam, Netherlands) - Primary region
· Purpose: Application hosting, data storage and compute resources
· Data Processed: Uploaded Content, application logs, metadata, backups
· Privacy Policy: https://railway.app/privacy
Amazon Web Services (AWS)
· Provider: Amazon Web Services EMEA SARL (via Railway)
· Location: EU (Frankfurt, Germany) and EU (Amsterdam, Netherlands)
· Purpose: Underlying infrastructure for Railway platform
· Data Processed: Encrypted application data and metadata
· Privacy Policy: https://aws.amazon.com/privacy/
Paddle.com Market Limited
· Provider: Paddle.com Market Limited
· Location: United Kingdom (Merchant of Record)
· Purpose: Billing, subscription management, payment processing, tax calculation
· Data Processed: Email address, billing address, tax information, payment method information (credit card details NOT stored by Claribi)
· Privacy Policy: https://paddle.com/legal/privacy
· GDPR Status: Paddle acts as Data Controller for payment data
OpenAI, L.L.C.
· Provider: OpenAI, L.L.C.
· Location: United States
· Purpose: Large Language Model processing and code generation (ChatGPT API)
· Data Processed: User prompts, queries, and schema metadata (NOT underlying business data)
· Data Retention: 30 days for abuse prevention, then deleted
· Training: Your data is NOT used to train OpenAI models (excluded per API terms)
· Legal Safeguards: Standard Contractual Clauses (SCCs)
· Privacy Policy: https://openai.com/privacy
Google LLC (Google Gemini API)
· Provider: Google LLC
· Location: United States / European Union (depending on configuration)
· Purpose: Large Language Model processing and analysis
· Data Processed: User prompts, queries, and schema metadata (NOT underlying business data)
· Data Retention: NOT retained after processing
· Training: Your data is NOT used for model training
· Legal Safeguards: Standard Contractual Clauses (SCCs)
· Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice
· Limited Use: Adheres to Google API Services User Data Policy
Neon, Inc.
· Provider: Neon, Inc.
· Location: AWS EU (Frankfurt, Germany)
· Purpose: Managed serverless PostgreSQL database for persistent data storage
· Data Processed: User account details, user uploaded data, usage statistics, generated content
· Privacy Policy: https://neon.tech/privacy
Neon Managed Backups
· Provider: Neon, Inc.
· Location: AWS EU (Frankfurt, Germany)
· Purpose: Data backup, disaster recovery, and business continuity for database workloads
· Data Processed: Database content and related metadata stored as backups
· Retention: Up to 90 days for disaster recovery purposes
Status: Not currently utilized
Future Providers: If we implement analytics services (e.g., Mixpanel, Amplitude), they will be added here with at least 30 days notice.
Status: Not currently utilized
Current Support: Support requests are handled via email (support@claribi.com) and stored in standard email infrastructure.
You have the right to object to the use of a new Subprocessor. If you object:
1. Objection Period: You have 15 days from the date of notification to object
2. How to Object: Email privacy@claribi.com with subject "[Subprocessor Objection]"
3. Content: Include your name, company, account ID, and specific concerns about the Subprocessor
4. Response: We will work with you in good faith to address your concerns
5. If Unresolved: If we cannot resolve your objection, you may terminate the affected Services without penalty
We will notify you of changes to this Subprocessor list at least 30 days in advance via:
1. Email to your registered account address
2. Posting an update on this page
3. Dashboard notification (if applicable)
Effective Date: Changes become effective 30 days after notification unless you object.
Data Transfers to Third Countries
When we transfer data to Subprocessors outside the EEA/UK (e.g., OpenAI in US), we ensure compliance with GDPR Chapter V through:
· Standard Contractual Clauses (SCCs): EU Commission approved clauses
· Transfer Impact Assessments (TIAs): Conducted per EDPB guidance
· Adequacy Decisions: Where applicable (e.g., UK adequacy)
Full documentation available upon request to privacy@claribi.com.
For Subprocessor Questions:
· Email: privacy@claribi.com
· Response time: 5 business days
For Data Subject Rights:
· Email: privacy@claribi.com
· Subject: [GDPR Request] or [CCPA Request]
Legal Inquiries:
· Email: legal@claribi.com
Effective Date: December 8, 2025
Last Updated: December 8, 2025
Version: 1.2
End of Subprocessor List