Subprocessors
Last updated: 06/05/2026
To deliver the Service, Diglot OÜ uses a small number of carefully selected third-party providers (“subprocessors”) that may process personal data on our behalf. This page lists those subprocessors, what they do, where they are based, and what mechanism we rely on for any cross-border data transfer. It complements our Privacy Policy and our Data Processing Addendum (available to B2B / education customers on request at legal@diglot.ai).
We use, and continue to add, only the subprocessors strictly necessary to run the product. We require each one to provide appropriate technical and organisational safeguards, to act on documented instructions, to maintain confidentiality, and to allow audits as required by GDPR Art. 28.
Current subprocessors
Infrastructure and hosting
| Provider | Role | Region | Transfer mechanism (outside EEA) |
|---|---|---|---|
| Supabase | Managed Postgres database, authentication, object storage | EU (Frankfurt) | n/a — data stays in the EU |
| Hetzner Online GmbH | Underlying compute and storage for some Supabase / Diglot workloads | Germany / Finland | n/a — within the EEA |
| Cloudflare, Inc. | CDN, DDoS protection, WAF, bot management | Global edge | EU SCCs + DPF (where applicable) |
Generative AI providers
We send the relevant portion of your User Content (drafts, prompts, tool inputs) to these providers solely to produce the output you asked for. Our contracts prohibit them from using your User Content to train their general-purpose foundation models.
| Provider | Role | Region | Transfer mechanism |
|---|---|---|---|
| OpenAI, L.L.C. | LLMs used for translation, paraphrasing, Cowriter, certain grammar tasks | United States (with EU-region inference where available) | EU SCCs + EU-U.S. Data Privacy Framework |
| Anthropic, PBC | LLMs used for translation, Cowriter, AI-Check, paraphrasing | United States | EU SCCs |
| Google LLC (Gemini API) | LLMs and multimodal models used in selected features | United States / EU regions | EU SCCs + EU-U.S. Data Privacy Framework |
(We may add a provider to this list on 30 days’ prior notice — see Changes below. The exact provider for a given feature may rotate based on health, latency, and quality, in accordance with our routing matrix.)
Billing and payments
| Provider | Role | Region | Transfer mechanism |
|---|---|---|---|
| Polar Software, Inc. (Polar.sh) | Merchant of Record — handles checkout, taxes (VAT, U.S. sales tax, GST), refunds, chargebacks, billing emails | United States, with EU sub-processing where applicable | EU SCCs + DPF (Polar’s downstream payment processors are listed in their own subprocessor page) |
We do not see or store your full payment-card number. We see only billing metadata such as transaction ID, plan, country, last 4 digits of the card, and the email used for billing.
Operational tools
| Provider | Role | Region | Transfer mechanism |
|---|---|---|---|
| PostHog Inc. | Product analytics (event-level, with IP anonymisation; analytics cookies are off until you consent) | United States / EU Cloud (we use the EU Cloud where available) | EU SCCs |
| Sentry (Functional Software, Inc.) | Error and performance monitoring | United States | EU SCCs |
| Resend, Inc. | Transactional email (sign-in, password reset, billing notifications) | United States | EU SCCs + DPF |
Authentication and identity (where you choose to use them)
| Provider | Role | Region |
|---|---|---|
| Google Identity (Sign in with Google) | OAuth-based sign-in if you choose this method | United States / global |
| Apple ID (Sign in with Apple) | OAuth-based sign-in if you choose this method | United States / global |
These providers receive only the minimum information needed to authenticate you (an opaque user ID and, depending on the method, your email).
Internal affiliates
If we engage internal Diglot affiliates (e.g., a future U.S. subsidiary for B2B sales), we will list them here too and bind them to the same data-protection terms.
Changes to this list
When we add a new subprocessor or replace an existing one, we will:
- update this page (and bump the Last updated date at the top);
- for B2B / education customers, give at least 30 days’ prior notice by email (using the contacts on file) so they have time to object;
- for individual users, surface a notice in the product and / or in the cookie banner where the change affects analytics or cookies.
If you believe a subprocessor change creates a material privacy risk for you, you can terminate your subscription and delete your account before the change takes effect.
Contact
For questions about subprocessors, to receive a copy of the standard contractual clauses we rely on, or to request a copy of our Data Processing Addendum:
Diglot OÜ — Republic of Estonia legal@diglot.ai
